CVE-2020-36941 Overview
Knockpy 4.1.1 contains a CSV injection vulnerability (CWE-1236) that allows attackers to inject malicious formulas into CSV reports through unfiltered server headers. Attackers can manipulate server response headers to include spreadsheet formulas that will execute when the CSV is opened in spreadsheet applications such as Microsoft Excel, LibreOffice Calc, or Google Sheets.
Critical Impact
Attackers can achieve code execution on victim systems when malicious CSV files are opened in spreadsheet applications, potentially leading to data theft, malware installation, or further network compromise.
Affected Products
- Knockpy version 4.1.1
Discovery Timeline
- 2026-01-27 - CVE-2020-36941 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2020-36941
Vulnerability Analysis
This vulnerability falls under CWE-1236: Improper Neutralization of Formula Elements in a CSV File. Knockpy is a Python-based subdomain enumeration tool that generates CSV reports containing discovered subdomains and associated metadata. The application fails to properly sanitize server response headers before including them in CSV output files.
When Knockpy retrieves information from target servers, it captures HTTP response headers and writes them directly to CSV reports without filtering dangerous characters. Spreadsheet applications interpret certain character sequences (such as those beginning with =, +, -, @, or |) as formulas and execute them automatically upon opening the file.
Root Cause
The root cause of this vulnerability is the lack of input validation and output encoding when writing server-provided data to CSV files. Knockpy version 4.1.1 does not sanitize or escape formula-triggering characters in HTTP response headers before including them in generated reports. This allows a malicious server controlled by an attacker to inject arbitrary formulas that execute in the context of the user's spreadsheet application.
Attack Vector
The attack requires network access and user interaction. An attacker controlling a server that Knockpy enumerates can craft malicious HTTP response headers containing spreadsheet formulas. When a security researcher or penetration tester runs Knockpy against the attacker's domain and subsequently opens the generated CSV report, the embedded formula executes automatically.
Common payload patterns include Dynamic Data Exchange (DDE) commands that can launch external applications, exfiltrate data from the spreadsheet, or download and execute malware. For example, a malicious Server header containing =cmd|'/C calc'!A0 would attempt to launch the Windows calculator when opened in vulnerable spreadsheet applications.
Technical details and proof-of-concept information are available at the Exploit-DB #49342 entry and the VulnCheck Advisory.
Detection Methods for CVE-2020-36941
Indicators of Compromise
- Presence of CSV files generated by Knockpy containing formula characters (=, +, -, @, |) at the beginning of cell values
- Unusual HTTP response headers from enumerated servers containing spreadsheet formula syntax
- Unexpected process execution originating from spreadsheet application processes (e.g., EXCEL.EXE, soffice.exe)
Detection Strategies
- Monitor for spreadsheet applications spawning child processes, which may indicate formula injection exploitation
- Implement file inspection rules to detect CSV files containing potential formula injection payloads
- Review network traffic logs for HTTP responses containing formula-like patterns in headers from untrusted sources
- Use endpoint detection rules to identify DDE or command execution attempts from document applications
Monitoring Recommendations
- Enable process creation logging to capture unexpected child processes from spreadsheet applications
- Configure email gateway and file transfer monitoring to flag CSV files with suspicious content patterns
- Implement user behavior analytics to detect unusual file operations following Knockpy report generation
- Monitor for outbound network connections initiated by spreadsheet applications
How to Mitigate CVE-2020-36941
Immediate Actions Required
- Upgrade Knockpy to a version newer than 4.1.1 that includes proper CSV sanitization
- Configure spreadsheet applications to disable automatic formula execution and DDE features
- Open CSV files generated by Knockpy in text editors first to inspect for malicious content before opening in spreadsheet applications
- Consider using CSV viewers or applications that do not interpret formula syntax
Patch Information
Users should check the Knockpy GitHub repository for updated versions that address this CSV injection vulnerability. Review the commit history and release notes for security fixes related to output sanitization.
Additional advisory information is available from VulnCheck.
Workarounds
- Manually prefix cell values with a single quote (') character when reviewing CSV output to prevent formula interpretation
- Use the --json output format if available instead of CSV to avoid spreadsheet formula injection risks
- Process Knockpy output through a sanitization script that escapes formula-triggering characters before opening in spreadsheet applications
- Configure Microsoft Excel to disable DDE by navigating to File → Options → Trust Center → Trust Center Settings → External Content
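# Example: Sanitize CSV output to prevent formula injection
# Prefix potentially dangerous characters with a single quote
# (the hyphen is placed last in the bracket expression so it is taken literally;
# fields wrapped in double quotes are not handled by this one-liner)
sed -i "s/^\([=+@|-]\)/'\1/g; s/,\([=+@|-]\)/,'\1/g" knockpy_output.csv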
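A CSV-aware version of the sanitization script and the file inspection check described above, added here as an example; it is not Knockpy's code and not part of the original advisory. It parses quoted fields, which the sed one-liner does not, reports every cell that begins with a formula trigger, and writes a neutralised copy. The function names, the sample report and its column layout are assumptions.

```python
import csv
import io

# Triggers named in the advisory, plus tab and carriage return, which the
# OWASP CSV injection guidance also lists.
TRIGGERS = ("=", "+", "-", "@", "|", "\t", "\r")

# Constructed sample report; the column layout is an assumption.
SAMPLE = (
    "ip,code,subdomain,server\n"
    "192.0.2.10,200,www.example.test,nginx\n"
    '192.0.2.11,200,dev.example.test,"=cmd|\'/C calc\'!A0"\n'
    "192.0.2.12,301,old.example.test,-5\n"
)

def is_formula_cell(value: str) -> bool:
    """True if a spreadsheet could evaluate this cell as a formula."""
    stripped = value.lstrip(" ")  # leading spaces may be skipped on import
    if not stripped.startswith(TRIGGERS):
        return False
    try:
        float(stripped)  # plain signed numbers such as -5 are harmless
        return False
    except ValueError:
        return True

def neutralise(value: str) -> str:
    """Prefix a risky cell with a single quote so it is read as text."""
    return "'" + value if is_formula_cell(value) else value

def sanitise_report(text: str):
    """Return (sanitised CSV text, findings as (row, column, original value))."""
    findings = []
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for r, row in enumerate(csv.reader(io.StringIO(text, newline="")), start=1):
        for c, cell in enumerate(row, start=1):
            if is_formula_cell(cell):
                findings.append((r, c, cell))
        writer.writerow([neutralise(cell) for cell in row])
    return out.getvalue(), findings

if __name__ == "__main__":
    clean, findings = sanitise_report(SAMPLE)
    for row, col, value in findings:
        print(f"row {row}, column {col}: {value!r}")
    print(clean, end="")
```

The findings list doubles as a triage signal: a report with any entry came from a host that returned formula syntax in a header.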


