JAPANESE CHARACTERS BYPASS DDE REGEX DETECTION
December 12, 2018
CSV Formula injections have been known for a while now, with many security solutions handling these kinds of attacks.
The most common way of dealing with this threat is to apply a regex rule that detects the specific pattern Excel uses in its formulas; the best-known open-source tool for this is the msodde module of oletools.
As time passes, researchers and attackers keep trying to bypass these regexes.
We’ve found that Japanese customers are not fully protected by these regexes, as double-byte Japanese characters can still activate formulas in Japanese versions of Excel. To be precise, it suffices to have a Japanese language pack installed and enabled.
As of this writing, these files bypass the oletools msodde module and other tools like it.
The characters are:
Here is a short demonstration:
MSRC does not consider this to be a security issue by itself, so we strongly advise Japanese users of Office to assess their environments and security solutions – as there will not be any Microsoft-issued security updates on this matter!
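For teams assessing their own filters, the following added example (not code from this post or from oletools) compares an ASCII-only formula-prefix rule with the same rule applied after Unicode NFKC normalization. It assumes the double-byte characters in question are the full-width forms of the ASCII formula triggers, which this page does not list; `ASCII_RULE` is a simplified stand-in, not the msodde regex, and the CSV sample is constructed.

```python
import csv
import io
import re
import unicodedata

# Simplified ASCII-only rule: a cell that starts with a formula trigger character.
# This is an illustrative stand-in, not the regex used by oletools msodde.
ASCII_RULE = re.compile(r"^[=+\-@]")


def naive_is_formula(cell: str) -> bool:
    """Check the raw cell text against the ASCII-only rule."""
    return bool(ASCII_RULE.match(cell))


def normalized_is_formula(cell: str) -> bool:
    """Fold compatibility forms (e.g. full-width U+FF1D) to ASCII, then apply the rule."""
    folded = unicodedata.normalize("NFKC", cell)
    return bool(ASCII_RULE.match(folded))


def scan_csv(text: str):
    """Return (row, column, cell, caught_by_naive_rule) for every flagged cell."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for c, cell in enumerate(row, start=1):
            if normalized_is_formula(cell):
                findings.append((r, c, cell, naive_is_formula(cell)))
    return findings


# Constructed sample: row 2 uses ASCII '=', rows 3 and 4 use the full-width
# forms U+FF1D and U+FF0B (assumed trigger characters), row 5 is plain text.
SAMPLE = (
    "name,value\n"
    "alice,=1+1\n"
    "bob,\uff1d1+1\n"
    "carol,\uff0b1\n"
    "dave,plain text\n"
)

if __name__ == "__main__":
    for row, col, cell, naive in scan_csv(SAMPLE):
        status = "caught by ASCII rule" if naive else "MISSED by ASCII rule"
        print(f"row {row} col {col}: {cell!r} -> {status}")
```

Cells reported as missed by the ASCII rule are the ones a filter has to normalize, or match explicitly, before its pattern check runs.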