[NT] Microsoft Word Protection Bypass
From: SecuriTeam (support_at_securiteam.com)
Date: 01/04/04
To: list@securiteam.com Date: 4 Jan 2004 16:31:44 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Microsoft Word Protection Bypass
------------------------------------------------------------------------
SUMMARY
Word provides an option to protect "forms" by password. This is used to
ensure that unauthorized users cannot manipulate the contents of documents
except within specially designed "form" areas. This feature is also often
used to protect documents that do not even have form areas
(quotations/offers etc.).
Word users will find this option on the "Tools" menu, entry "Protection",
select "Forms" there and provide a password.
If a Word document is "protected" by this mechanism, users cannot select
parts of the text or place the cursor within the text --- thus they cannot
make any changes to the document.
The procedure below shows how a user can bypass this protection with nothing
more than a text editor and a hex editor; no special tools are required.
DETAILS
Vulnerable systems:
* Microsoft Word 2000, 2002 (XP), and 2003
When a protected Word document is saved as an HTML file, Word writes a 32-bit
"checksum" of the protection password into the output, enclosed in a
proprietary <w:UnprotectPassword> tag. The value looks somewhat like a CRC32,
but no further details of the algorithm are currently available. The same
four bytes are stored in the original Word document (visible in a hex editor,
in reversed byte order). If this stored value is replaced by 0x00000000, Word
accepts an empty string as the password.
Example:
1.) Open the protected document in MS Word
2.) Save it as "Web Page (*.htm; *.html)", close Word
3.) Open the HTML document in any text editor
4.) Search for the "<w:UnprotectPassword>" tag; the line reads something
like: <w:UnprotectPassword>ABCDEF01</w:UnprotectPassword>
5.) Note the 8 hex digits (the "password" checksum)
6.) Open the original document (.doc) with any hex editor
7.) Search for the bytes of that value in reverse order (ABCDEF01 appears in
the file as 01 EF CD AB)
8.) Overwrite those 4 bytes with 0x00, save, close
9.) Open the document with MS Word and select "Tools / Unprotect Document"
(the password is blank)
Variation:
If the 4 checksum bytes (8 hex digits) are replaced with the checksum of a
known password, it is fairly easy to unprotect the document, make any
necessary changes, save, close, and then reset the protection to the
original (unknown!) password by simply restoring the original bytes. The
document has been changed without the password ever being known.
Vendor Communication:
2003-11-27, 10:30 UTC Microsoft notified to: secure@microsoft.com
2003-11-27 confirmed receipt from: secure@microsoft.com
2003-12-03 Note from Microsoft: Form protection "is not intended as a
fool-proof protection for tampering or spoofing, this is merely a
functionality to prevent accidental changes of a document"; request for
additional time to update a Microsoft Knowledge Base article. Target
beginning of January 2004 for release of this advisory. From:
<mailto:secure@microsoft.com> "Magnus"
2003-12-08 Microsoft has already released the KB article (or added a
warning to an existing article). Read the KB article at
<http://support.microsoft.com/?id=822924>. From:
<mailto:secure@microsoft.com> "Magnus"
ADDITIONAL INFORMATION
The information has been provided by <mailto:tdk@guardeonic.com> Thorsten
Delbrouck.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.