
Three New DDE Obfuscation Methods - danso
https://blog.reversinglabs.com/blog/cvs-dde-exploits-and-obfuscation
======
firethief
It sounds like spreadsheets are complex enough that sandboxing them by static
analysis is a losing battle.

------
AnnoyingSwede
Wow, works in Excel 2016, but I assume our GP/Microsoft's common sense flags a
warning: "Remote data not accessible: To access this data Excel needs to start
another application. Some legitimate applications on your computer could be
used maliciously to spread viruses or damage your computer. Only click Yes if
you trust the source of this workbook and you want to let the workbook start
the application. Start application 'mspaint.exe'?"

At this point I am sure 50% of normal end users would have stopped reading and
just clicked Yes anyway. I also assume the command executed could have been a
registry hack to disable this warning, allowing several more commands to be
run without popping this warning. Crazy stuff, but fun morning exercise.

------
saagarjha
So if I’m getting this right, it’s possible to inject filler null characters
into the command to execute. This doesn’t seem really obfuscated, from the hex
dump–just ignore the null bytes?
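A detection-side illustration of the point above (added here; not code from the linked post or from any commenter): a scanner that treats NUL filler in a CSV cell as a signal in its own right, then strips it before matching the cell against DDE link syntax, so the "just ignore the null bytes" normalization is exactly what the detector does. The sample CSV, the `NUL_MARK` sentinel and the function names are constructed for this example.

```python
import csv
import re

# A cell that starts with a formula trigger and carries DDE link syntax
# (application|topic!item) or an explicit DDE( call is what we want to flag.
FORMULA_TRIGGERS = "=+-@"
DDE_PATTERN = re.compile(r"\|.*!|\bDDE\s*\(", re.IGNORECASE)
# Private-use stand-in for NUL so the csv module accepts the line on every Python version.
NUL_MARK = "\ue000"


def normalize_cell(cell):
    """Drop NUL filler and leading whitespace so an obfuscated cell reads like its plain form."""
    return cell.replace(NUL_MARK, "").replace("\x00", "").lstrip()


def classify_cell(cell):
    """Return the reasons a cell is suspicious; an empty list means it looks clean."""
    reasons = []
    if NUL_MARK in cell or "\x00" in cell:
        reasons.append("nul-filler")  # NUL bytes have no legitimate place in a text CSV cell
    text = normalize_cell(cell)
    if text and text[0] in FORMULA_TRIGGERS and DDE_PATTERN.search(text):
        reasons.append("dde-link")
    return reasons


def scan_csv(raw):
    """Scan CSV bytes and return (row, column, normalized cell, reasons) for each hit."""
    # latin-1 maps every byte to one code point, so nothing is lost or rejected on decode.
    text = raw.decode("latin-1").replace("\x00", NUL_MARK)
    findings = []
    for r, row in enumerate(csv.reader(text.splitlines()), start=1):
        for c, cell in enumerate(row, start=1):
            reasons = classify_cell(cell)
            if reasons:
                findings.append((r, c, normalize_cell(cell), reasons))
    return findings


# Constructed sample: a header row, a normal row, and a row whose cell has NUL
# filler interleaved into a DDE link naming mspaint.exe (the app from the thread above).
SAMPLE = (
    b"name,amount\n"
    b"alice,12\n"
    b"bob,\"=c\x00m\x00d|'mspaint.exe'!A0\"\n"
)

if __name__ == "__main__":
    for row, col, cell, reasons in scan_csv(SAMPLE):
        print(f"row {row} col {col}: {cell!r} -> {', '.join(reasons)}")
```

Matching on the normalized text means the filler changes nothing for the detector, while the filler's mere presence is reported separately, which is the more robust signal when the link syntax itself varies.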

