[NT] Microsoft Word Protection Bypass
From: SecuriTeam (support_at_securiteam.com)
Date: 01/04/04
To: list@securiteam.com Date: 4 Jan 2004 16:31:44 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Microsoft Word Protection Bypass
------------------------------------------------------------------------
SUMMARY
Word provides an option to protect "forms" by password. This is used to
ensure that unauthorized users cannot manipulate the contents of documents
except within specially designed "form" areas. This feature is also often
used to protect documents that do not even have form areas
(quotations/offers etc.).
Word users will find this option on the "Tools" menu under "Protection": select "Forms" there and provide a password.
If a Word document is "protected" by this mechanism, users cannot select
parts of the text or place the cursor within the text --- thus they cannot
make any changes to the document.
A simple mechanism is illustrated below showing how a user can bypass this
protection without using any special tools.
DETAILS
Vulnerable systems:
* Microsoft Word 2000, 2002 (XP), and 2003
When a protected Word document is saved as an HTML file, Word adds a "checksum" of the password (enclosed in a proprietary tag) to the generated code. The checksum format looks somewhat like CRC32, but no further details are currently available. The same checksum can be found inside the original Word document (in a hexadecimal view). If this "checksum" is replaced by 0x00000000, the password becomes the empty string.
Example:
1.) Open a protected document in MS Word
2.) Save as "Web Page (*.htm; *.html)", close Word
3.) Open the HTML document in any text editor
4.) Search for the "<w:UnprotectPassword>" tag; the line reads something like this: <w:UnprotectPassword>ABCDEF01</w:UnprotectPassword>
5.) Keep the "password" value in mind
6.) Open the original document (.doc) with any hex editor
7.) Search for the hex values of the password (in reverse byte order!)
8.) Overwrite all 4 double-bytes with 0x00, save, close
9.) Open the document with MS Word and select "Tools / Unprotect Document" (the password is blank)
Variation:
If the 8 checksum bytes are replaced with the checksum of a known password, it should be fairly easy to unprotect the document, make any necessary changes, save, close, and then reset the password to the original (unknown!) one by simply restoring the original values. The document is thus changed without the password ever being known.
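As an added defender-side example (not part of the advisory), the following Python audit reads the checksum from a Word HTML export, derives the byte order in which the .doc stores the same value, and flags documents whose form-protection checksum is blank or no longer matches the export. The HTML fragment, the checksum value and the .doc bytes are constructed for the example.

```python
import re
import struct

# Constructed fragment of the XML island Word writes into an HTML export of
# a form-protected document; the checksum value is made up for this example.
SAMPLE_HTML = """<xml><w:WordDocument>
 <w:UnprotectPassword>ABCDEF01</w:UnprotectPassword>
</w:WordDocument></xml>"""

TAG_RE = re.compile(
    r"<w:UnprotectPassword>\s*([0-9A-Fa-f]{8})\s*</w:UnprotectPassword>")


def unprotect_hash(html: str):
    """Return the 32-bit form-protection checksum found in a Word HTML
    export, or None when the document carries no <w:UnprotectPassword>."""
    m = TAG_RE.search(html)
    return int(m.group(1), 16) if m else None


def doc_byte_form(checksum: int) -> bytes:
    """Byte order in which the .doc binary stores the checksum: the advisory
    notes that it appears there in reverse (little-endian) order."""
    return struct.pack("<I", checksum)


def doc_matches_export(doc: bytes, html: str) -> bool:
    """Consistency check: does the .doc still carry the checksum that its
    own HTML export reports? A zeroed or swapped value fails this test."""
    h = unprotect_hash(html)
    return h is not None and doc_byte_form(h) in doc


def assess(html: str) -> str:
    """Classify how much the form-protection password is actually worth."""
    h = unprotect_hash(html)
    if h is None:
        return "unprotected"              # no form protection at all
    if h == 0:
        return "protected-blank"          # tag present, password is empty
    return "protected-32bit-checksum"     # only a 4-byte value guards editing


# Constructed .doc stand-in: padding around the little-endian checksum.
SAMPLE_DOC = b"\x00" * 8 + doc_byte_form(0xABCDEF01) + b"\x00" * 8
SAMPLE_DOC_ZEROED = SAMPLE_DOC.replace(doc_byte_form(0xABCDEF01), b"\x00" * 4)
```

Running `assess` over a batch of exports shows at a glance that every "protected" document rests on a single 32-bit value, which is the advisory's point.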
Vendor Communication:
2003-11-27, 10:30 UTC: Microsoft notified at secure@microsoft.com
2003-11-27: Receipt confirmed by secure@microsoft.com
2003-12-03: Note from Microsoft: Form protection "is not intended as a full-proof protection for tampering or spoofing, this is merely a functionality to prevent accidental changes of a document"; Microsoft requests additional time to update a Microsoft Knowledge Base article. Target: beginning of January 2004 for release of this advisory. From: secure@microsoft.com ("Magnus")
2003-12-08: Microsoft has already released the KB article (or added a warning to an existing article). Read the KB article at http://support.microsoft.com/?id=822924. From: secure@microsoft.com ("Magnus")
ADDITIONAL INFORMATION
The information has been provided by Thorsten Delbrouck <tdk@guardeonic.com>.