La Sostenibilità per TIM

Il Report 2024 accoglie i principi della Corporate Sustainability Reporting Directive (CSRD) ed è incluso nella Relazione Finanziaria e di Sostenibilità. Approfondisci

Ultimi Comunicati Stampa

Redazione ufficio stampa

Leggi gli ultimi comunicati stampa e naviga nell'archivio dell'Ufficio Stampa del Gruppo TIM. Leggi i comunicati

CVE-2022-28864

CVE-2022-28864 – Nokia NetAct

Vulnerability Description: Improper Neutralization of Formula Elements in a CSV File (‘CSV Injection’) – CWE-1236

Software Version: v22.0.0.62

NIST: https://nvd.nist.gov/vuln/detail/CVE-2022-28864

CVSv3: 8.8

Severity: High

Credits: Andrea Carlo Maria Dattola, Massimiliano Brolli

An issue was discovered in Nokia NetAct 22 through the Administration of Measurements website section. A malicious user can edit or add the templateName parameter in order to include malicious code, which is then downloaded as a .csv or .xlsx file and executed on a victim machine. Here, the /aom/html/EditTemplate.jsf and /aom/html/ViewAllTemplatesPage.jsf templateName parameter is used

Step-by-step instructions and PoC

A remote user, authenticated to the Nokia NetAct Web Page, through Administration of Measurements web site section, can submit the payload “=50+60+cmd|’ /C calc ‘!A0” as the templateName of the component domains objects.

 

Affected Endpoints

·       URL: https://hostname//aom/html/EditTemplate.jsf

·       URL: https://hostname//aom/html/ViewAllTemplatesPage.jsf


Parameter: templateName 

Figure 1

 

Click To Enlarge

The following payload shows the vulnerable templateName parameter into which the malicious content is injected from the /aom/html/EditTemplate.jsf POST Request:

Figure 2

 

Click To Enlarge

This image below shows the operation that the victim does when he chooses to export the malicious content in CSV format.

Figure 3

 

Click To Enlarge

The  following image shows how the export request does not sanitize the malicious content when downloading the CSV file format from the /aom/html/ViewAllTemplatesPage.jsf POST Request. 

Figure 4

 

Click To Enlarge

As shown in the next screenshot, the malicious payload is finally executed. In our specific case the administrator’s machine is opening Microsoft Calculator.

Figure 5

 

Click To Enlarge

Security Impact

By exploiting this issue an attacker is able to inject arbitrary formulas into CSV files.
This can potentially lead to remote code execution at client side (DDE) or to data leakage via maliciously injected hyperlinks.