Anviz AIM CrossChex Standard 4.3 Excel Macro Injection

Title: Anviz AIM CrossChex Standard 4.3 Excel Macro Injection
Advisory ID: ZSL-2018-5498
Type: Local/Remote
Impact: System Access
Risk: (3/5)
Release Date: 01.11.2018
Summary
Access Control and Time Attendance Management System. Complying with our self-developed fingerprint, facial, iris, etc. devices, CrossChex Standard integrates intelligent management of time attendance and relevant functions of access control. It has been widely used in many office buildings and factories across the world, continuously serving access control and management requests from many companies with stable performance, accurate calculation, safe management and high intelligence.
Description
CSV (XLS) Injection (Excel Macro Injection or Formula Injection) exists in the AIM CrossChex 4.3 when importing or exporting users using xls Excel file. This can be exploited to execute arbitrary commands on the affected system via SE attacks when an attacker inserts formula payload in the 'Name' field when adding a user or using the custom fields 'Gender', 'Position', 'Phone', 'Birthday', 'Employ Date' and 'Address'. Upon importing, the application will launch Excel program and execute the malicious macro formula.
Vendor
Anviz Biometric Technology Co., Ltd. - https://www.anviz.com
Affected Version
4.3.6.0
Tested On
Microsoft Windows 7 Professional SP1 (EN)
Vendor Status
N/A
PoC
anviz_macroi.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://packetstormsecurity.com/files/150129
[2] https://www.exploit-db.com/exploits/45765/
[3] https://cxsecurity.com/issue/WLB-2018110005
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/152419
Changelog
[01.11.2018] - Initial release
[02.11.2018] - Added reference [1], [2] and [3]
[05.11.2018] - Added reference [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk