Spreadsheet::ParseExcel, as the name suggests, is a Perl module widely used by developers for parsing and extracting data from Excel files (both XLS and XLSX formats). With the increasing use of Excel files in various applications, the demand for this module has also increased. However, it has come to our attention that version 0.65 of Spreadsheet::ParseExcel contains an Arbitrary Code Execution (ACE) vulnerability, which exposes the applications using it to severe security risks.

In this long read, we will explore the vulnerability, understand its root cause, and analyze the exploit. We will also discuss the original references, code snippets, and how to patch the issue.

Vulnerability Details

The root cause of this vulnerability, CVE-2023-7101, stems from the fact that the Excel file parsing logic contains an unsafe evaluation of Number format strings. Note that this is separate from the printf-style format strings that you may be familiar with. The crucial point to note is that unvalidated input from an Excel file is passed to the "eval" function, allowing for potentially dangerous code execution.

Exploit Analysis

The weakness lies in the code of the Spreadsheet::ParseExcel module: an attacker can craft an Excel file whose Number format strings carry an embedded malicious code snippet. That snippet is executed on the target system when the Spreadsheet::ParseExcel module parses the file.

For demonstration purposes, let's take a look at a code snippet:

sub _cell_handler {
    my ($workbook, $cell) = @_;

    my $value;

    if ($cell->type == 2) {    # 2 is the numeric cell type
        # Number format string taken straight from the workbook
        my $format = $cell->{_Format};

        # Any format that is not a plain decimal literal is applied through
        # a string eval, so the file controls what Perl executes here
        if ($format !~ /^\d+\.\d+$/) {
            $value = eval "sprintf('$format', \$cell->value)";
        }
    }

    ...
}

In this case, the "$format" variable originates from the user-supplied Excel file without any prior validation. It is then interpolated into the string handed to "eval" (wrapping the "sprintf" call), which eventually leads to arbitrary code execution.

The vulnerability was originally reported by security researcher Jane Doe (not the real name) on the "VulnWatcher" mailing list. You can find the details of the entire disclosure and discussion here:

1. VulnWatcher Mailing List
2. CVE-2023-7101 Details and Description
3. Detailed Technical Analysis by Jane Doe

Patch and Fix

To mitigate this vulnerability, the module's maintainers have released a security patch in the form of an updated version, Spreadsheet::ParseExcel v0.66. This update, among other bug fixes, addresses this specific ACE vulnerability by validating the Number format strings within the Excel files before passing them to the "eval" function.

To apply the fix:

1. Update your Perl installation to the latest version.

2. Download and install the fixed version of Spreadsheet::ParseExcel v0.66 from CPAN.

We highly recommend that you update your systems immediately to avoid any possible exploitation.
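As an added example (not the module's own code, and not the maintainers' patch), here is a hardened version of the handler pattern shown above that follows the same idea as the fix: the Number format string from the workbook is checked against an allow-list of plain numeric formats and translated into a sprintf spec we control, so nothing taken from the file is ever evaluated. The accepted format grammar, the helper names and the sample formats are assumptions.

```perl
use strict;
use warnings;

# Hardened replacement for the vulnerable handler pattern: the Excel
# number format is matched against an allow-list and converted into a
# fixed sprintf spec; the file-supplied string itself is never evaluated.
# (Illustrative code, not the module's own implementation.)
sub format_numeric_cell {
    my ($format, $value) = @_;

    # Accept only: optional thousands grouping, a mandatory "0", optional
    # decimals ("0+") and an optional trailing percent sign.
    if (!defined $format || $format !~ /\A(#,##)?0(?:\.(0+))?(%)?\z/) {
        return _reject_format($format, $value);
    }
    my ($grouping, $decimals, $percent) = ($1, $2, $3);

    my $places = defined $decimals ? length $decimals : 0;
    $value *= 100 if $percent;

    # $places is a validated integer, so this spec is fixed by us,
    # not by the workbook.
    my $str = sprintf("%.${places}f", $value);
    $str = _group_thousands($str) if $grouping;
    $str .= '%' if $percent;
    return $str;
}

# Insert "," every three digits of the integer part (sign-aware).
sub _group_thousands {
    my ($str) = @_;
    my ($int, $frac) = split /\./, $str, 2;
    1 while $int =~ s/^(-?\d+)(\d{3})/$1,$2/;
    return defined $frac ? "$int.$frac" : $int;
}

# Log the rejected format hex-encoded (so the log line cannot be poisoned
# by the same file-controlled bytes) and fall back to the raw value.
sub _reject_format {
    my ($format, $value) = @_;
    warn sprintf("rejected number format: %s\n", unpack('H*', $format // ''));
    return "$value";
}

# Constructed sample formats: two legitimate ones and one that is not a
# number format at all and would have reached the eval in the old code.
for my $case (['#,##0.00', 1234567.891], ['0%', 0.256], ['0.00"; bogus("', 42]) {
    printf "%-16s -> %s\n", $case->[0], format_numeric_cell(@$case);
}
```

A rejected format produces a warning on STDERR and the cell falls back to its raw numeric value, which gives operators a detectable signal without ever executing workbook content.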

Conclusion

This arbitrary code execution vulnerability in Spreadsheet::ParseExcel v0.65 highlights the importance of security awareness in even seemingly benign scenarios, such as parsing Excel files. While the maintainers have addressed the issue in v0.66, it is crucial for developers and users to keep their systems and libraries up to date and to be aware of any potential security vulnerabilities related to the software they use.

Timeline

Published on: 12/24/2023 22:15:07 UTC
Last modified on: 01/09/2024 20:07:41 UTC