PoC details: df57311540fd82a823ca67d7e156b3a266dda66e

Source
Related vulnerability
Title: pycel security vulnerability (CVE-2024-53924)
Description: pycel is a library by the individual developer Dirk Gorissen for compiling Excel spreadsheets into Python code and visualizing them as graphs. pycel 1.0b30 and earlier versions contain a security vulnerability: arbitrary code may be executed when an untrusted spreadsheet is processed.
Description
A PoC of CVE-2024-53924
Introduction
# CVE-2024-53924

- Description: Pycel through 1.0b30, when operating on an untrusted spreadsheet, allows code execution via a crafted formula in a cell, such as one beginning with the `=IF(A1=200, eval("__import__('os').system(` substring.
- Author: Adham Elmosalamy (@aelmo)
- Date of Disclosure: November 23, 2024
- Link: https://nvd.nist.gov/vuln/detail/CVE-2024-53924

## Summary

Pycel, a Python library for working with Excel worksheets, including symbolic "safe" evaluation of Excel formulas, suffers from a code execution vulnerability: Python-native functions that are otherwise blocked can be executed using specially crafted Excel formulas. This allows an attacker to provide a malicious document that leads to code execution when it is evaluated by Pycel.

Using the same demo script as in the [Pycel documentation](https://pypi.org/project/pycel/), analyzing an Excel document should evaluate the Excel functions and, for an unknown function, return an error such as `"Function EVAL is not implemented. EVAL is not a known Excel function"` and refuse to run.

However, I was able to bypass this using a malicious Excel formula that unexpectedly leads to arbitrary code execution when run in Pycel.

## Advisory

Pycel is currently insecure and cannot be trusted for evaluating or working with worksheets from untrusted origins. Evaluating such a worksheet can lead to devastating results in the form of code execution.

## Steps to Reproduce

1. Create an Excel sheet and place one of the following malicious formulas in any evaluated cell:
```vb
=IF(A1=200, eval("__import__('os').system('calc.exe')"), @LINEST(C1:C18,B1:B18))
=A1*eval("__import__('os').system('calc.exe')")
```
2. Run the PoC Python script (`poc.py` in this repository; run `pip install -r requirements.txt` first).
3. At runtime, the Python `eval` call inside the `=IF` condition is not validated, leading to code execution.

This is still valid for the latest Pycel version, 1.0b30.
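As an added example (not pycel's own code and not part of this PoC), one defender-side pre-screen: before handing a workbook to pycel, extract every call name from each formula and reject the sheet if any call is not on an allowlist of Excel functions. The allowlist and the `screen_cells` input format (a mapping of cell address to raw cell content) are assumptions; string literals are blanked first so that text such as `"eval(1)"` inside quotes is not flagged.

```python
import re

# Assumption: a minimal allowlist of Excel function names; extend it for the
# functions your workbooks legitimately use. Anything else is rejected.
EXCEL_FUNCTIONS = {
    "IF", "IFERROR", "AND", "OR", "NOT", "SUM", "AVERAGE", "MIN", "MAX",
    "ABS", "ROUND", "LEN", "TEXT", "INDEX", "MATCH", "VLOOKUP", "LINEST",
}

# A function call: identifier (optionally prefixed with "@", as in @LINEST)
# followed by "(", not preceded by another identifier character.
CALL_RE = re.compile(r"(?<![A-Za-z0-9_.])@?([A-Za-z_][A-Za-z0-9_.]*)\s*\(")
# Excel string literal: double-quoted, with "" as the escaped quote.
STRING_RE = re.compile(r'"(?:[^"]|"")*"')


def suspicious_calls(formula):
    """Return the call names in `formula` that are not known Excel functions.

    Non-formula cell text (not starting with "=") contains no calls.
    """
    if not formula.startswith("="):
        return []
    body = STRING_RE.sub('""', formula[1:])  # blank out string literals
    names = [m.group(1).upper() for m in CALL_RE.finditer(body)]
    return [n for n in names if n not in EXCEL_FUNCTIONS]


def is_safe_formula(formula):
    """True when every call in the formula is an allowlisted Excel function."""
    return not suspicious_calls(formula)


def screen_cells(cells):
    """Screen a {address: content} mapping; return {address: [bad calls]}.

    An empty result means the sheet may be passed on for evaluation.
    """
    findings = {}
    for addr, value in cells.items():
        if isinstance(value, str):
            bad = suspicious_calls(value)
            if bad:
                findings[addr] = bad
    return findings


if __name__ == "__main__":
    # Constructed sample: the two formulas from the advisory and a benign one.
    sample = {
        "A1": 200,
        "B1": "=SUM(A1:A10)",
        "C1": '=A1*eval("__import__(\'os\').system(\'calc.exe\')")',
    }
    print(screen_cells(sample))  # {'C1': ['EVAL']}
```

This catches the `eval(` pattern from the advisory at the formula text level; it is a screen for untrusted uploads, not a fix for pycel's own function dispatch.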
File snapshot

```text
[4.0K] /data/pocs/df57311540fd82a823ca67d7e156b3a266dda66e
├── [ 11K] 01_safe.xlsx
├── [9.0K] 02_benign.xlsx
├── [9.0K] 03_malicious.xlsx
├── [8.9K] 04_malicious.xlsx
├── [1.1K] poc.py
├── [1.9K] README.md
└── [ 486] requirements.txt

0 directories, 7 files
```