Japanese characters bypass DDE regex detection

December 12, 2018

CSV formula injections have been known for a while now, and many security solutions handle these kinds of attacks.

The most common way of dealing with this threat is to apply a regex rule that detects the specific patterns Excel uses in its formulas; the best-known open-source tool for this is msodde from oletools.
As time passes, researchers and attackers keep trying to bypass these regexes.

We’ve found that Japanese customers are not fully protected by these regexes, as double-byte Japanese characters can still activate formulas in Japanese versions of Excel. To be precise, it suffices to have a Japanese language pack installed and enabled.

As of this writing, these files bypass the oletools msodde module and others like it.

The characters are:

| ⇒「\uFF5C」

! ⇒「\uFF01」

= ⇒「\uFF1D」

+ ⇒「\uFF0B」

− ⇒「\uFF0D」

@ ⇒「\uFF20」

Here is a short demonstration:

MSRC does not consider this to be a security issue by itself, so we strongly advise Japanese users of Office to assess their environments and security solutions – as there will not be any Microsoft-issued security updates on this matter!
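One way to check whether a formula-detection rule is blind to the fullwidth characters listed above is to run it with and without folding those characters to ASCII first. This is an added example, not code from oletools or from the original post; the two regexes are simplified stand-ins for a real rule set, and the CSV sample with its APP, TOPIC and ITEM placeholders is constructed.

```python
import csv
import io
import re

# Fullwidth code points listed on this page, mapped to their ASCII forms.
FULLWIDTH_TO_ASCII = str.maketrans({
    "\uFF5C": "|",
    "\uFF01": "!",
    "\uFF1D": "=",
    "\uFF0B": "+",
    "\uFF0D": "-",
    "\uFF20": "@",
})

# Simplified stand-in rules (assumption): a cell that starts with a formula
# trigger, and a DDE-style "app|topic!item" reference inside such a cell.
FORMULA_START = re.compile(r"^\s*[=+\-@]")
DDE_REFERENCE = re.compile(r"[=+\-@][^|]*\|[^!]*!")

def classify(cell, fold_fullwidth):
    """Return 'dde', 'formula' or 'clean' for one CSV cell."""
    text = cell.translate(FULLWIDTH_TO_ASCII) if fold_fullwidth else cell
    if not FORMULA_START.search(text):
        return "clean"
    return "dde" if DDE_REFERENCE.search(text) else "formula"

def scan_csv(data, fold_fullwidth=True):
    """Return (row, column, verdict) for every non-clean cell, 1-based."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(data)), start=1):
        for c, cell in enumerate(row, start=1):
            verdict = classify(cell, fold_fullwidth)
            if verdict != "clean":
                findings.append((r, c, verdict))
    return findings

# Constructed sample; APP, TOPIC and ITEM are inert placeholders.
SAMPLE = (
    "name,amount,note\n"
    "alice,=1+1,ascii formula\n"
    "bob,\uFF1D1\uFF0B1,fullwidth formula\n"
    "carol,\uFF1DAPP\uFF5CTOPIC\uFF01ITEM,fullwidth dde-style reference\n"
    "dave,\uFF20SUM(1),fullwidth at-sign\n"
    "erin,42,plain value\n"
)

if __name__ == "__main__":
    print("ascii-only:", scan_csv(SAMPLE, fold_fullwidth=False))
    print("folded    :", scan_csv(SAMPLE, fold_fullwidth=True))
```

Any cell reported only in the folded pass marks a gap in the ASCII-only rule.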

We encourage you to try our Disarmer or start a free trial.