CVE-2018-20752

9.8 CRITICAL

📋 TL;DR

This CSV injection vulnerability in Recon-ng allows attackers to embed malicious Excel macros in Twitter usernames that execute when the CSV export is opened in Excel. Users of Recon-ng who export data to CSV files and open them in spreadsheet software are affected. The vulnerability enables remote code execution on the victim's machine.

💻 Affected Systems

Products:
  • Recon-ng
Versions: All versions before 4.9.5
Operating Systems: All platforms running Recon-ng
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the CSV reporting module when exporting Twitter data containing malicious usernames.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full remote code execution on the victim's system when a malicious CSV file is opened in Excel with macros enabled, potentially leading to complete system compromise.

🟠 Likely Case

Limited code execution in the Excel environment when macros are enabled, potentially stealing data or installing malware.

🟢 If Mitigated

No impact if CSV files are opened in text editors or in spreadsheet software with macros disabled.

🌐 Internet-Facing: MEDIUM - Recon-ng is typically used internally but CSV files could be shared externally.
🏢 Internal Only: HIGH - Internal users opening CSV exports from Recon-ng are directly vulnerable.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the attacker to control Twitter username data that gets exported to CSV, and the victim to open the CSV in Excel with macros enabled.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.9.5 and later

Vendor Advisory: https://bitbucket.org/LaNMaSteR53/recon-ng/commits/41e96fd58891439974fb0c920b349f8926c71d4c

Restart Required: No

Instructions:

1. Update Recon-ng to version 4.9.5 or later using: git pull origin master
2. Verify the update with: recon-ng --version
3. No restart required as it's a Python tool.

🔧 Temporary Workarounds

Disable Excel macros (Windows)

Configure Excel to disable macros by default when opening CSV files

Use text editors for CSV (all platforms)

Open CSV files in text editors instead of spreadsheet software

🧯 If You Can't Patch

  • Avoid exporting Twitter data to CSV format
  • Manually sanitize CSV exports by prefixing suspicious cells with an apostrophe (')
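
The apostrophe-prefix workaround above can be applied to an existing export before anyone opens it in a spreadsheet. The following is an added example, not Recon-ng's own code or its 4.9.5 fix; the column names and sample rows are constructed, and the set of trigger characters is an assumption based on the characters spreadsheets commonly treat as formula starts.

```python
import csv
import io

# Leading characters a spreadsheet may treat as the start of a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample export; the column names are assumptions, not Recon-ng's schema.
SAMPLE_EXPORT = (
    "username,name,url\n"
    "alice,Alice,https://twitter.com/alice\n"
    '"=1+1",Mallory,https://twitter.com/example1\n'
    '"@SUM(1,1)",Eve,https://twitter.com/example2\n'
)


def neutralize_cell(value):
    """Prefix an apostrophe so the cell is not evaluated as a formula.

    This also prefixes legitimate values such as "-5"; for an export of
    usernames and URLs that trade-off is acceptable.
    """
    if value.startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def sanitize_csv(text):
    """Return (sanitized_text, findings); findings holds (row, column, original)."""
    findings = []
    out = io.StringIO()
    # Quote every field so commas or quotes inside a cell cannot shift columns.
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for r, row in enumerate(csv.reader(io.StringIO(text, newline="")), start=1):
        clean = []
        for c, cell in enumerate(row, start=1):
            fixed = neutralize_cell(cell)
            if fixed != cell:
                findings.append((r, c, cell))
            clean.append(fixed)
        writer.writerow(clean)
    return out.getvalue(), findings


if __name__ == "__main__":
    sanitized, findings = sanitize_csv(SAMPLE_EXPORT)
    for row, col, original in findings:
        print(f"row {row}, column {col}: neutralized {original!r}")
    print(sanitized, end="")
```

The findings list doubles as a review queue: any row it reports came from data an outside party controlled and is worth inspecting before the file is shared.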

🔍 How to Verify

Check if Vulnerable:

Check Recon-ng version with: recon-ng --version. If version is below 4.9.5, you are vulnerable.

Check Version:

recon-ng --version

Verify Fix Applied:

Verify version is 4.9.5 or higher and check that modules/reporting/csv.py contains proper input sanitization.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Excel macro execution from CSV files
  • Excel security warnings about macros

Network Indicators:

  • CSV file downloads from Recon-ng instances

SIEM Query:

source="excel" AND event="macro_execution" AND file_extension="csv"
