
Microsoft Word Protection Bypass



Hi all,

Microsoft Word provides an option to protect "forms" by password. This is 
used to ensure that unauthorized users cannot manipulate the contents of 
documents except within specially designed "form" areas. This feature is 
also often used to protect documents which do not even have form areas 
(quotations/offers etc.).

This form protection can easily be removed without any additional tools 
(apart from a hex-editor).

Please find the full advisory attached.

best regards,
/tdk

-- 
 Thorsten Delbrouck
 Chief Information Officer

 Guardeonic Solutions AG
 Rosenheimer Str. 116
 D-81669 Munich
---------------------------------


Guardeonic Solutions AG
   Thorsten Delbrouck <tdk@xxxxxxxxxxxxxx>
   http://www.guardeonic.com/

Security Advisory #01-2004

Advisory Name:          Microsoft Word Form Protection Bypass
Release Date:           2004-01-02
Affected Product:       Microsoft Word
Platform:               Microsoft Windows, probably Apple Mac OS
Version:                tested on 2000, 2002 (XP), 2003,
                        probably other versions vulnerable as well

Severity:               Document ("Form") protection can be easily removed

Author:                 Thorsten Delbrouck <tdk@xxxxxxxxxxxxxx>

Vendor Communication:   2003-11-27, 10:30 UTC Microsoft notified
                        to: secure@xxxxxxxxxxxxx
                        
                        2003-11-27 confirmed receipt
                        from: secure@xxxxxxxxxxxxx
                        
                        2003-12-03 Note from Microsoft, Form 
                        protection "is not intended as a full-proof 
                        protection for tampering or spoofing, this is 
                        merely a functionality to prevent accidental 
                        changes of a document", request additional 
                        time to update Microsoft Knowledge Base 
                        article. Targeting beginning of January 2004 
                        for release of this advisory.
                        from: "Magnus" <secure@xxxxxxxxxxxxx>
                        
                        2003-12-08 Microsoft has already released the 
                        KB article (or added a warning to an existing 
                        article). Read the KB article at
                        http://support.microsoft.com/?id=822924 
                        from: "Magnus" <secure@xxxxxxxxxxxxx>

                        
Overview:
---------

Word provides an option to protect "forms" by password. This is used 
to ensure that unauthorized users cannot manipulate the contents of 
documents except within specially designed "form" areas. This feature 
is also often used to protect documents which do not even have form 
areas (quotations/offers etc.).

(Word users will find this option on the "Tools" menu, entry 
"Protection", select "Forms" there and provide a password)

If a Word document is "protected" by this mechanism, users cannot 
select parts of the text or place the cursor within the text --- thus 
they cannot make any changes to the document.

Description:
------------

When saving protected Word-documents as html-files, Word adds a 
"checksum" of the password (enclosed in a proprietary tag) to the 
code. The checksum format looks somewhat like CRC32 but currently 
there are no further details available. The same checksum can be 
found within the original Word document (hexadecimal view). If this 
"checksum" is replaced by 0x00000000 the password equals an empty 
string.

Example:
--------

1.) Open a protected document in MS Word
2.) Save as "Web Page (*.htm; *.html)", close Word
3.) Open html-document in any Text-Editor
4.) Search for the "<w:UnprotectPassword>" tag; the line reads something 
    like this: <w:UnprotectPassword>ABCDEF01</w:UnprotectPassword>
5.) Keep the "password" in mind
6.) Open original document (.doc) with any hex-editor
7.) Search for hex-values of the password (reverse order!)
8.) Overwrite all 4 double-bytes with 0x00, Save, Close
9.) Open document with MS Word, Select "Tools / Unprotect Document" 
    (password is blank)

Variation:
----------

If the 8 checksum bytes are replaced with the checksum of a known 
password it should be fairly easy to unprotect the document, make any 
necessary changes, save, close and reset the password to the original 
(unknown!) password by simply restoring the original values. Document 
changed without even knowing the password. Nasty.

(Note: Take care to get file properties (author, organisation, 
date/time etc.) right.)

Solution:
---------

No solution is currently available. Do not rely on the "Protect 
Forms" mechanism to protect a Word document against changes.
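
An added example, not part of the original advisory: a Python audit check for Word HTML exports, following the Description and Solution above. It reports the exposed <w:UnprotectPassword> checksum, flags the all-zero value, and shows that an edit made as in the Variation leaves the checksum unchanged, so a change is only caught by a digest recorded outside the document. The function names, the sample HTML and the SHA-256 release digest are assumptions of this example.

```python
import hashlib
import hmac
import re

# Tag Word writes into "Web Page" exports of form-protected documents
# (tag name and 8-hex-digit value format taken from the advisory).
TAG_RE = re.compile(
    r"<w:UnprotectPassword>\s*([0-9A-Fa-f]{8})\s*</w:UnprotectPassword>")

def audit_html_export(html: str) -> dict:
    """Classify a Word HTML export by its form-protection checksum tag."""
    match = TAG_RE.search(html)
    if match is None:
        return {"protected": False, "checksum": None,
                "finding": "no form-protection checksum in export"}
    checksum = match.group(1).upper()
    if checksum == "00000000":
        finding = "checksum is zero: password equals the empty string"
    else:
        finding = "checksum exposed: protection only stops accidental edits"
    return {"protected": True, "checksum": checksum, "finding": finding}

def release_digest(data: bytes) -> str:
    """SHA-256 of the released file, to be stored outside the document."""
    return hashlib.sha256(data).hexdigest()

def verify_release(data: bytes, recorded_digest: str) -> bool:
    """True only if the file is byte-identical to the released version."""
    return hmac.compare_digest(release_digest(data), recorded_digest)

# Constructed sample exports (not real documents). ABCDEF01 is the
# illustrative value used in the advisory's example.
SAMPLE_PROTECTED = ("<html><w:UnprotectPassword>ABCDEF01</w:UnprotectPassword>"
                    "<body>Offer total: 1000 EUR</body></html>")
SAMPLE_ZEROED = SAMPLE_PROTECTED.replace("ABCDEF01", "00000000")
# Same checksum, different content: the outcome described under "Variation".
SAMPLE_EDITED = SAMPLE_PROTECTED.replace("1000 EUR", "100 EUR")

# Digest recorded by the sender at release time (hypothetical workflow).
RECORDED = release_digest(SAMPLE_PROTECTED.encode())

if __name__ == "__main__":
    for name, doc in [("protected", SAMPLE_PROTECTED),
                      ("zeroed", SAMPLE_ZEROED), ("edited", SAMPLE_EDITED)]:
        result = audit_html_export(doc)
        intact = verify_release(doc.encode(), RECORDED)
        print(f"{name}: {result['checksum']} | {result['finding']} | "
              f"matches release digest: {intact}")
```

The edited sample still carries the original checksum, so only the out-of-band digest comparison reports the change.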

Credits:
--------

Magnus from the Microsoft Security Response Center for his fast 
responses and for showing a decent sense of humour. :-)