[NT] Microsoft Word Protection Bypass

From: SecuriTeam (support_at_securiteam.com)
Date: 01/04/04

    To: list@securiteam.com
    Date: 4 Jan 2004 16:31:44 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Microsoft Word Protection Bypass
    ------------------------------------------------------------------------

    SUMMARY

    Word provides an option to protect "forms" by password. This is used to
    ensure that unauthorized users cannot manipulate the contents of documents
    except within specially designed "form" areas. This feature is also often
    used to protect documents that do not even have form areas
    (quotations/offers etc.).

    Word users will find this option on the "Tools" menu, entry "Protection",
    select "Forms" there and provide a password.

    If a Word document is "protected" by this mechanism, users cannot select
    parts of the text or place the cursor within it, and so they cannot make
    any changes to the document.

    A simple mechanism is illustrated below showing how a user can bypass this
    protection without using any special tools.

    DETAILS

    Vulnerable systems:
     * Microsoft Word 2000, 2002 (XP), and 2003

    When a protected Word document is saved as an HTML file, Word adds a
    "checksum" of the password (enclosed in a proprietary tag) to the HTML
    source. The checksum format looks somewhat like CRC32, but no further
    details are currently available. The same checksum can be found within the
    original Word document when it is viewed in a hex editor. If this
    "checksum" is replaced by 0x00000000, the password becomes the empty
    string.

    Example:
    1.) Open a protected document in MS Word
    2.) Save as "Web Page (*.htm; *.html)", close Word
    3.) Open the HTML document in any text editor
    4.) Search for the "<w:UnprotectPassword>" tag; the line reads something
    like this: <w:UnprotectPassword>ABCDEF01</w:UnprotectPassword>
    5.) Keep this "password" value in mind
    6.) Open the original document (.doc) with any hex editor
    7.) Search for the hex values of the password (in reverse byte order!)
    8.) Overwrite all 4 bytes with 0x00, save, close
    9.) Open the document with MS Word and select "Tools / Unprotect Document"
    (the password is blank)
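    The following audit script is an added example and is not part of the advisory. It shows, from the document owner's side, what the steps above imply for checking a file: it reads the <w:UnprotectPassword> value out of an HTML export, reports whether it is the empty-password value 00000000, and confirms that the same four bytes, in the reverse order step 7 describes, are present in the original .doc. The tag name and the reversed byte order come from the advisory; the sample HTML fragment and the .doc bytes are constructed for this example, and the function names are this example's own.

```python
import re

# The tag Word writes into the HTML export of a form-protected document,
# as shown in step 4 of the advisory (8 hex digits).
UNPROTECT_RE = re.compile(
    r"<w:UnprotectPassword>([0-9A-Fa-f]{8})</w:UnprotectPassword>"
)

# Checksum value that the advisory says corresponds to an empty password.
EMPTY_PASSWORD_CHECKSUM = "00000000"

# Constructed sample inputs (not taken from a real document): an HTML export
# carrying the checksum from the advisory's example, and a .doc byte string
# in which the same checksum is stored in reverse byte order (step 7).
SAMPLE_HTML = (
    "<html><head><!--[if gte mso 9]><xml><w:WordDocument>"
    "<w:UnprotectPassword>ABCDEF01</w:UnprotectPassword>"
    "</w:WordDocument></xml><![endif]--></head><body></body></html>"
)
SAMPLE_DOC = b"\xd0\xcf\x11\xe0" + b"\x00" * 12 + bytes.fromhex("01EFCDAB") + b"\xff" * 8


def extract_checksum(html_text):
    """Return the 8-hex-digit protection checksum from an HTML export, or None."""
    match = UNPROTECT_RE.search(html_text)
    return match.group(1).upper() if match else None


def checksum_bytes_in_doc_order(hex_checksum):
    """Bytes as stored in the .doc: the advisory notes they appear in reverse order."""
    return bytes.fromhex(hex_checksum)[::-1]


def audit_protection(html_text, doc_bytes):
    """Summarise the protection state of a document from its HTML export and raw bytes.

    'found_in_doc' is only meaningful for a non-zero checksum: a run of four
    zero bytes occurs in almost any binary file, so the empty-password case is
    decided from the HTML value alone.
    """
    checksum = extract_checksum(html_text)
    if checksum is None:
        return {"protected": False, "checksum": None,
                "empty_password": False, "found_in_doc": False}
    empty = checksum == EMPTY_PASSWORD_CHECKSUM
    stored = checksum_bytes_in_doc_order(checksum)
    return {
        "protected": True,
        "checksum": checksum,
        "empty_password": empty,
        "found_in_doc": (not empty) and (stored in doc_bytes),
    }


if __name__ == "__main__":
    # Run the audit over the constructed sample and over a zeroed variant.
    print(audit_protection(SAMPLE_HTML, SAMPLE_DOC))
    zeroed_html = SAMPLE_HTML.replace("ABCDEF01", EMPTY_PASSWORD_CHECKSUM)
    print(audit_protection(zeroed_html, SAMPLE_DOC))
```

A result with `protected` set and `empty_password` true means the file carries form protection whose password is effectively blank, which is what a tampered document from the procedure above looks like. Because the checksum is the only thing Word checks, a matching value says nothing about who set it; as the vendor response below notes, this feature guards against accidental edits only, so a document whose integrity matters needs a separate integrity mechanism rather than this check.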

    Variation:
    If the 8 checksum digits are replaced with the checksum of a known password,
    it should be fairly easy to unprotect the document, make any necessary
    changes, save, close, and then reset the protection to the original
    (unknown!) password simply by restoring the original values. The document
    has then been changed without the password ever being known.

    Vendor Communication:
    2003-11-27, 10:30 UTC Microsoft notified to: secure@microsoft.com

    2003-11-27 confirmed receipt from: secure@microsoft.com

    2003-12-03 Note from Microsoft ("Magnus", <mailto:secure@microsoft.com>):
    Form protection "is not intended as a full-proof protection for tampering
    or spoofing, this is merely a functionality to prevent accidental changes
    of a document"; request for additional time to update a Microsoft
    Knowledge Base article. Target: beginning of January 2004 for release of
    this advisory.

    2003-12-08 Microsoft ("Magnus", <mailto:secure@microsoft.com>) has already
    released the KB article (or added a warning to an existing article). Read
    the KB article at <http://support.microsoft.com/?id=822924>

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:tdk@guardeonic.com> Thorsten
    Delbrouck.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ========================================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
