SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Microsoft Office Vendors:   Microsoft
Microsoft Office Security Features Can Be Bypassed
SecurityTracker Alert ID:  1008586
SecurityTracker URL:  http://securitytracker.com/id/1008586
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jan 2 2004
Impact:   Disclosure of user information, Modification of user information
Vendor Confirmed:  Yes  Exploit Included:  Yes  

Description:   Vulnerabilities were reported in Microsoft Office document security features. A user may be able to bypass protection mechanisms.

It is reported that Microsoft Office components offer features ostensibly intended to protect access to and modification of Office documents. Several of these security features can be bypassed by malicious users.

One flaw is reported in Microsoft Word in the "Protect Forms" password protection feature. A local user can invoke a hex editor and modify the document file to remove the password protection. According to the report, a checksum-like value can be replaced with '0x00000000' to set the password to an empty string. A specific exploit scenario is described in the Source Message.

Microsoft reports that the 'Password to Modify' feature of Microsoft Word, Excel, and PowerPoint can be bypassed and the 'Hidden Cells' and 'Locked Cells' features of Microsoft Excel can be bypassed.

The vendor was reportedly notified on November 27, 2003.

Impact:   A user may be able to access or modify ostensibly protected cells, fields, or documents without proper authentication.
Solution:   No solution was available at the time of this entry. Microsoft reports that the 'Security' tab of the Options dialog box in Office contains some secure features and some non-secure features:

"Not all features that are found on the Security tab are designed to help make your documents and files more secure."

A knowledge base article that describes the non-secure features was issued on December 3, 2003:

http://support.microsoft.com/?id=822924

Vendor URL:  support.microsoft.com/?id=822924 (Links to External Site)
Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Microsoft Word Protection Bypass


--=_mixed 003B9AC4C1256E0F_=
Content-Type: text/plain; charset="US-ASCII"

Hi all,

Microsoft Word provides an option to protect "forms" by password. This is 
used to ensure that unauthorized users cannot manipulate the contents of 
documents except within specially designed "form" areas. This feature is 
also often used to protect documents which do not even have form areas 
(quotations/offers etc.).

This form protection can easily be removed without any additional tools 
(apart from a hex-editor).

Please find the full advisory attached.

best regards,
/tdk

-- 
 Thorsten Delbrouck
 Chief Information Officer

 Guardeonic Solutions AG
 Rosenheimer Str. 116
 D-81669 Munich
---------------------------------




Guardeonic Solutions AG
   Thorsten Delbrouck <tdk@guardeonic.com>
   http://www.guardeonic.com/

Security Advisory #01-2004

Advisory Name:          Microsoft Word Form Protection Bypass
Release Date:           2004-01-02
Affected Product:       Microsoft Word
Platform:               Microsoft Windows, probably Apple Mac OS
Version:                tested on 2000, 2002 (XP), 2003,
                        probably other versions vulnerable as well

Severity:               Document ("Form") protection can be easily removed

Author:                 Thorsten Delbrouck <tdk@guardeonic.com>

Vendor Communication:   2003-11-27, 10:30 UTC Microsoft notified
                        to: secure@microsoft.com
                        
                        2003-11-27 confirmed receipt
                        from: secure@microsoft.com
                        
                        2003-12-03 Note from Microsoft, Form 
                        protection "is not intended as a full-proof 
                        protection for tampering or spoofing, this is 
                        merely a functionality to prevent accidental 
                        changes of a document", request additional 
                        time to update Microsoft Knowledge Base 
                        article. Targetting beginning of January 2004 
                        for release of this advisory.
                        from: "Magnus" <secure@microsoft.com>
                        
                        2003-12-08 Microsoft has already released the 
                        KB article (or added a warning to an existing 
                        article). Read the KB article at
                        http://support.microsoft.com/?id=822924 
                        from: "Magnus" <secure@microsoft.com>

                        
Overview:
---------

Word provides an option to protect "forms" by password. This is used 
to ensure that unauthorized users can not manipulate the contents of 
documents except within specially designed "form" areas. This feature 
is also often used to protect documents which do not even have form 
areas (quotations/offers etc.).

(Word users will find this option on the "Tools" menu, entry 
"Protection", select "Forms" there and provide a password)

If a Word document is "protected" by this mechanism, users cannot 
select parts of the text or place the cursor within the text --- thus 
they cannot make any changes to the document.

Description:
------------

When saving protected Word-documents as html-files, Word adds a 
"checksum" of the password (enclosed in a proprietary tag) to the 
code. The checksum format looks somewhat like CRC32 but currently 
there are no further details available. The same checksum can be 
found within the original Word document (hexadecimal view). If this 
"checksum" is replaced by 0x00000000 the password equals an empty 
string.

Example:
--------

1.) Open a protected document in MS Word
2.) Save as "Web Page (*.htm; *.html)", close Word
3.) Open html-document in any Text-Editor
4.) Search "<w:UnprotectPassword>" tag, the line reads something like 
    that: <w:UnprotectPassword>ABCDEF01</w:UnprotectPassword>
5.) keep the "password" in mind
6.) Open original document (.doc) with any hex-editor
7.) search for hex-values of the password (reverse order!)
8.) Overwrite all 4 double-bytes with 0x00, Save, Close
9.) Open document with MS Word, Select "Tools / Unprotect Document" 
    (password is blank)

Variation:
----------

If the 8 checksum bytes are replaced with the checksum of a known 
password it should be fairly easy to unprotect the document, make any 
necessary changes, save, close and reset the password to the original 
(unknown!) password by simply restoring the original values. Document 
changed without even knowing the password. Nasty.

(Note: Take care to get file properties (author, organisation, 
date/time etc.) right.)

Solution:
---------

No solution is currently available. Do not rely on the "Protect 
Forms" mechanism to protect a Word document against changes.

Credits:
--------

Magnus from the Microsoft Security Response Center for his fast 
responses and for showing a decent sense of humour. :-)







--=_mixed 003B9AC4C1256E0F_=
Content-Type: text/plain; name="adv_microsoft_word_protection.txt"
Content-Disposition: attachment; filename="adv_microsoft_word_protection.txt"
Content-Transfer-Encoding: base64

R3VhcmRlb25pYyBTb2x1dGlvbnMgQUcNCiAgIFRob3JzdGVuIERlbGJyb3VjayA8dGRrQGd1YXJk
ZW9uaWMuY29tPg0KICAgaHR0cDovL3d3dy5ndWFyZGVvbmljLmNvbS8NCg0KU2VjdXJpdHkgQWR2
aXNvcnkgIzAxLTIwMDQNCg0KQWR2aXNvcnkgTmFtZTogICAgICAgICAgTWljcm9zb2Z0IFdvcmQg
Rm9ybSBQcm90ZWN0aW9uIEJ5cGFzcw0KUmVsZWFzZSBEYXRlOiAgICAgICAgICAgMjAwNC0wMS0w
Mg0KQWZmZWN0ZWQgUHJvZHVjdDogICAgICAgTWljcm9zb2Z0IFdvcmQNClBsYXRmb3JtOiAgICAg
ICAgICAgICAgIE1pY3Jvc29mdCBXaW5kb3dzLCBwcm9iYWJseSBBcHBsZSBNYWMgT1MNClZlcnNp
b246ICAgICAgICAgICAgICAgIHRlc3RlZCBvbiAyMDAwLCAyMDAyIChYUCksIDIwMDMsDQogICAg
ICAgICAgICAgICAgICAgICAgICBwcm9iYWJseSBvdGhlciB2ZXJzaW9ucyB2dWxuZXJhYmxlIGFz
IHdlbGwNCg0KU2V2ZXJpdHk6ICAgICAgICAgICAgICAgRG9jdW1lbnQgKCJGb3JtIikgcHJvdGVj
dGlvbiBjYW4gYmUgZWFzaWx5IHJlbW92ZWQNCg0KQXV0aG9yOiAgICAgICAgICAgICAgICAgVGhv
cnN0ZW4gRGVsYnJvdWNrIDx0ZGtAZ3VhcmRlb25pYy5jb20+DQoNClZlbmRvciBDb21tdW5pY2F0
aW9uOiAgIDIwMDMtMTEtMjcsIDEwOjMwIFVUQyBNaWNyb3NvZnQgbm90aWZpZWQNCiAgICAgICAg
ICAgICAgICAgICAgICAgIHRvOiBzZWN1cmVAbWljcm9zb2Z0LmNvbQ0KICAgICAgICAgICAgICAg
ICAgICAgICAgDQogICAgICAgICAgICAgICAgICAgICAgICAyMDAzLTExLTI3IGNvbmZpcm1lZCBy
ZWNlaXB0DQogICAgICAgICAgICAgICAgICAgICAgICBmcm9tOiBzZWN1cmVAbWljcm9zb2Z0LmNv
bQ0KICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgICAgICAgICAyMDAz
LTEyLTAzIE5vdGUgZnJvbSBNaWNyb3NvZnQsIEZvcm0gDQogICAgICAgICAgICAgICAgICAgICAg
ICBwcm90ZWN0aW9uICJpcyBub3QgaW50ZW5kZWQgYXMgYSBmdWxsLXByb29mIA0KICAgICAgICAg
ICAgICAgICAgICAgICAgcHJvdGVjdGlvbiBmb3IgdGFtcGVyaW5nIG9yIHNwb29maW5nLCB0aGlz
IGlzIA0KICAgICAgICAgICAgICAgICAgICAgICAgbWVyZWx5IGEgZnVuY3Rpb25hbGl0eSB0byBw
cmV2ZW50IGFjY2lkZW50YWwgDQogICAgICAgICAgICAgICAgICAgICAgICBjaGFuZ2VzIG9mIGEg
ZG9jdW1lbnQiLCByZXF1ZXN0IGFkZGl0aW9uYWwgDQogICAgICAgICAgICAgICAgICAgICAgICB0
aW1lIHRvIHVwZGF0ZSBNaWNyb3NvZnQgS25vd2xlZGdlIEJhc2UgDQogICAgICAgICAgICAgICAg
ICAgICAgICBhcnRpY2xlLiBUYXJnZXR0aW5nIGJlZ2lubmluZyBvZiBKYW51YXJ5IDIwMDQgDQog
ICAgICAgICAgICAgICAgICAgICAgICBmb3IgcmVsZWFzZSBvZiB0aGlzIGFkdmlzb3J5Lg0KICAg
ICAgICAgICAgICAgICAgICAgICAgZnJvbTogIk1hZ251cyIgPHNlY3VyZUBtaWNyb3NvZnQuY29t
Pg0KICAgICAgICAgICAgICAgICAgICAgICAgDQogICAgICAgICAgICAgICAgICAgICAgICAyMDAz
LTEyLTA4IE1pY3Jvc29mdCBoYXMgYWxyZWFkeSByZWxlYXNlZCB0aGUgDQogICAgICAgICAgICAg
ICAgICAgICAgICBLQiBhcnRpY2xlIChvciBhZGRlZCBhIHdhcm5pbmcgdG8gYW4gZXhpc3Rpbmcg
DQogICAgICAgICAgICAgICAgICAgICAgICBhcnRpY2xlKS4gUmVhZCB0aGUgS0IgYXJ0aWNsZSBh
dA0KICAgICAgICAgICAgICAgICAgICAgICAgaHR0cDovL3N1cHBvcnQubWljcm9zb2Z0LmNvbS8/
aWQ9ODIyOTI0IA0KICAgICAgICAgICAgICAgICAgICAgICAgZnJvbTogIk1hZ251cyIgPHNlY3Vy
ZUBtaWNyb3NvZnQuY29tPg0KDQogICAgICAgICAgICAgICAgICAgICAgICANCk92ZXJ2aWV3Og0K
LS0tLS0tLS0tDQoNCldvcmQgcHJvdmlkZXMgYW4gb3B0aW9uIHRvIHByb3RlY3QgImZvcm1zIiBi
eSBwYXNzd29yZC4gVGhpcyBpcyB1c2VkIA0KdG8gZW5zdXJlIHRoYXQgdW5hdXRob3JpemVkIHVz
ZXJzIGNhbiBub3QgbWFuaXB1bGF0ZSB0aGUgY29udGVudHMgb2YgDQpkb2N1bWVudHMgZXhjZXB0
IHdpdGhpbiBzcGVjaWFsbHkgZGVzaWduZWQgImZvcm0iIGFyZWFzLiBUaGlzIGZlYXR1cmUgDQpp
cyBhbHNvIG9mdGVuIHVzZWQgdG8gcHJvdGVjdCBkb2N1bWVudHMgd2hpY2ggZG8gbm90IGV2ZW4g
aGF2ZSBmb3JtIA0KYXJlYXMgKHF1b3RhdGlvbnMvb2ZmZXJzIGV0Yy4pLg0KDQooV29yZCB1c2Vy
cyB3aWxsIGZpbmQgdGhpcyBvcHRpb24gb24gdGhlICJUb29scyIgbWVudSwgZW50cnkgDQoiUHJv
dGVjdGlvbiIsIHNlbGVjdCAiRm9ybXMiIHRoZXJlIGFuZCBwcm92aWRlIGEgcGFzc3dvcmQpDQoN
CklmIGEgV29yZCBkb2N1bWVudCBpcyAicHJvdGVjdGVkIiBieSB0aGlzIG1lY2hhbmlzbSwgdXNl
cnMgY2Fubm90IA0Kc2VsZWN0IHBhcnRzIG9mIHRoZSB0ZXh0IG9yIHBsYWNlIHRoZSBjdXJzb3Ig
d2l0aGluIHRoZSB0ZXh0IC0tLSB0aHVzIA0KdGhleSBjYW5ub3QgbWFrZSBhbnkgY2hhbmdlcyB0
byB0aGUgZG9jdW1lbnQuDQoNCkRlc2NyaXB0aW9uOg0KLS0tLS0tLS0tLS0tDQoNCldoZW4gc2F2
aW5nIHByb3RlY3RlZCBXb3JkLWRvY3VtZW50cyBhcyBodG1sLWZpbGVzLCBXb3JkIGFkZHMgYSAN
CiJjaGVja3N1bSIgb2YgdGhlIHBhc3N3b3JkIChlbmNsb3NlZCBpbiBhIHByb3ByaWV0YXJ5IHRh
ZykgdG8gdGhlIA0KY29kZS4gVGhlIGNoZWNrc3VtIGZvcm1hdCBsb29rcyBzb21ld2hhdCBsaWtl
IENSQzMyIGJ1dCBjdXJyZW50bHkgDQp0aGVyZSBhcmUgbm8gZnVydGhlciBkZXRhaWxzIGF2YWls
YWJsZS4gVGhlIHNhbWUgY2hlY2tzdW0gY2FuIGJlIA0KZm91bmQgd2l0aGluIHRoZSBvcmlnaW5h
bCBXb3JkIGRvY3VtZW50IChoZXhhZGVjaW1hbCB2aWV3KS4gSWYgdGhpcyANCiJjaGVja3N1bSIg
aXMgcmVwbGFjZWQgYnkgMHgwMDAwMDAwMCB0aGUgcGFzc3dvcmQgZXF1YWxzIGFuIGVtcHR5IA0K
c3RyaW5nLg0KDQpFeGFtcGxlOg0KLS0tLS0tLS0NCg0KMS4pIE9wZW4gYSBwcm90ZWN0ZWQgZG9j
dW1lbnQgaW4gTVMgV29yZA0KMi4pIFNhdmUgYXMgIldlYiBQYWdlICgqLmh0bTsgKi5odG1sKSIs
IGNsb3NlIFdvcmQNCjMuKSBPcGVuIGh0bWwtZG9jdW1lbnQgaW4gYW55IFRleHQtRWRpdG9yDQo0
LikgU2VhcmNoICI8dzpVbnByb3RlY3RQYXNzd29yZD4iIHRhZywgdGhlIGxpbmUgcmVhZHMgc29t
ZXRoaW5nIGxpa2UgDQogICAgdGhhdDogPHc6VW5wcm90ZWN0UGFzc3dvcmQ+QUJDREVGMDE8L3c6
VW5wcm90ZWN0UGFzc3dvcmQ+DQo1Likga2VlcCB0aGUgInBhc3N3b3JkIiBpbiBtaW5kDQo2Likg
T3BlbiBvcmlnaW5hbCBkb2N1bWVudCAoLmRvYykgd2l0aCBhbnkgaGV4LWVkaXRvcg0KNy4pIHNl
YXJjaCBmb3IgaGV4LXZhbHVlcyBvZiB0aGUgcGFzc3dvcmQgKHJldmVyc2Ugb3JkZXIhKQ0KOC4p
IE92ZXJ3cml0ZSBhbGwgNCBkb3VibGUtYnl0ZXMgd2l0aCAweDAwLCBTYXZlLCBDbG9zZQ0KOS4p
IE9wZW4gZG9jdW1lbnQgd2l0aCBNUyBXb3JkLCBTZWxlY3QgIlRvb2xzIC8gVW5wcm90ZWN0IERv
Y3VtZW50IiANCiAgICAocGFzc3dvcmQgaXMgYmxhbmspDQoNClZhcmlhdGlvbjoNCi0tLS0tLS0t
LS0NCg0KSWYgdGhlIDggY2hlY2tzdW0gYnl0ZXMgYXJlIHJlcGxhY2VkIHdpdGggdGhlIGNoZWNr
c3VtIG9mIGEga25vd24gDQpwYXNzd29yZCBpdCBzaG91bGQgYmUgZmFpcmx5IGVhc3kgdG8gdW5w
cm90ZWN0IHRoZSBkb2N1bWVudCwgbWFrZSBhbnkgDQpuZWNlc3NhcnkgY2hhbmdlcywgc2F2ZSwg
Y2xvc2UgYW5kIHJlc2V0IHRoZSBwYXNzd29yZCB0byB0aGUgb3JpZ2luYWwgDQoodW5rbm93biEp
IHBhc3N3b3JkIGJ5IHNpbXBseSByZXN0b3JpbmcgdGhlIG9yaWdpbmFsIHZhbHVlcy4gRG9jdW1l
bnQgDQpjaGFuZ2VkIHdpdGhvdXQgZXZlbiBrbm93aW5nIHRoZSBwYXNzd29yZC4gTmFzdHkuDQoN
CihOb3RlOiBUYWtlIGNhcmUgdG8gZ2V0IGZpbGUgcHJvcGVydGllcyAoYXV0aG9yLCBvcmdhbmlz
YXRpb24sIA0KZGF0ZS90aW1lIGV0Yy4pIHJpZ2h0LikNCg0KU29sdXRpb246DQotLS0tLS0tLS0N
Cg0KTm8gc29sdXRpb24gaXMgY3VycmVudGx5IGF2YWlsYWJsZS4gRG8gbm90IHJlbHkgb24gdGhl
ICJQcm90ZWN0IA0KRm9ybXMiIG1lY2hhbmlzbSB0byBwcm90ZWN0IGEgV29yZCBkb2N1bWVudCBh
Z2FpbnN0IGNoYW5nZXMuDQoNCkNyZWRpdHM6DQotLS0tLS0tLQ0KDQpNYWdudXMgZnJvbSB0aGUg
TWljcm9zb2Z0IFNlY3VyaXR5IFJlc3BvbnNlIENlbnRlciBmb3IgaGlzIGZhc3QgDQpyZXNwb25z
ZXMgYW5kIGZvciBzaG93aW5nIGEgZGVjZW50IHNlbnNlIG9mIGh1bW91ci4gOi0pDQoNCg==
--=_mixed 003B9AC4C1256E0F_=--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC