msodde: Japanese characters bypass DDE regex detection #379
Description
Affected tool:
msodde module
Describe the bug
Just passing along a possible bug identified in a blog post that looks to have not been reported. Please feel free to close this issue at your discretion.
Via: https://www.votiro.com/japanese-characters-bypass-dde-regex-detection/
CSV Formula injections have been known for a while now, with many security solutions handling these kinds of attacks.
The most common way of dealing with this threat is by applying a regex rule to detect the specific pattern used by Excel in its formulas, the most famous tool (and open-source) is MSODDE of oletools.
As time passes, researchers and attackers are trying to bypass these regex.
We’ve found that Japanese customers are not fully protected by these regex as double-byte Japanese characters can still activate formulas in Japanese versions of excel. To be precise, it is suffice to have a Japanese language pack installed and enabled.
As of writing these lines, these files bypass oletools msodde module and others alike.
The characters are:
| ⇒「\uFF5C」
! ⇒「\uFF01」
= ⇒「\uFF1D」
+ ⇒「\uFF0B」
− ⇒「\uFF0D」
@ ⇒「\uFF20」
How To Reproduce the bug
See demonstration on post referenced above.
Console output / Screenshots
See demonstration on post referenced above.