Mathcad Area Lock Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Mathcad Area Lock Vulnerability
From: bugtraq@xxxxxxxxxxxxxxxx
Date: 8 Jun 2006 16:53:07 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Description of Vulnerability
============================
One of the features of Mathcad (www.mathsoft.com) is allowing the user to 
define ?Areas?. Mathsoft say that ?You can use areas to protect, lock, or hide 
information or equations in your worksheets? and that ?You can also protect the 
contents within the area, so no one else can edit them?. 

Whilst this is true, it is also very easy to unlock these Areas without needing 
the password. In the newer versions of Mathcad (12 onwards) the sheets are 
stored in XML format. This provides an easy means of altering the Mathcad 
sheet, as it is simply plain text. There are 4 vulnerabilities in the way the 
Area locks work:
1.      Password - This attribute is stored as a hashed text string. However 
the hashes produced for the same word on different sheets are always identical. 
For example "XfAPUVYgXPg=" represents the string "password", and could be used 
in any sheet. So it is possible to create another Mathcad sheet, lock an Area 
with a known password and then use a text editor to copy and paste the known 
password over the unknown one.
2.      Timestamp - Like the password string, this can also be changed to be 
any value. So the sheet could be unlocked, modified, relocked and then the date 
of the relocking could be changed to be the original lock date.
3.      Complete removal of lock - Inside the Area tag there are is an 
?is-locked? attribute. When a lock has been enabled this is set to true. 
However to remove the lock all that needs to be done is change this value to 
false. Out of completeness the ?timestamp? attribute should be changed to an 
empty string and then the ?password? attribute removed. Although these last two 
changes are not needed to unlock the Area.
4.      Protection can be bypassed completely - The data stored in the locked 
area can also be viewed in a text editor. So this could also be copied and 
pasted into another sheet, without the lock protection section.

Affected Versions
=================
12,
13,
13.1
(all prior ones are not vulnerable)

Exploit PoC
===========
None required, use a text editor.

Prev by Date: Uninformed Journal Release Announcement: Volume 4
Next by Date: NPDS <= 5.10 Local Inclusion, XSS, Full path disclosure
Previous by thread: Uninformed Journal Release Announcement: Volume 4
Next by thread: NPDS <= 5.10 Local Inclusion, XSS, Full path disclosure
Index(es):
- Date
- Thread