AW: MS Office 2007: Digital Signature does not protect Meta-Data

To: <poehls@xxxxxxxxxxxxxxxxxxxxxxxxx>
Subject: AW: MS Office 2007: Digital Signature does not protect Meta-Data
From: "Naujoks, Hans-Dietmar" <Hans-Dietmar.Naujoks@xxxxxxxxxxxx>
Date: Thu, 13 Dec 2007 17:42:03 +0100
Cc: <bugtraq@xxxxxxxxxxxxxxxxx>
In-reply-to: <20071212103521.32472.qmail@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20071212103521.32472.qmail@xxxxxxxxxxxxxxxxx>
Thread-index: Acg85UrmVdvg56SiTrSSsE0DGKLYngAvosRQ
Thread-topic: MS Office 2007: Digital Signature does not protect Meta-Data

Dear Mr. Poehls,

I think Microsoft does not consider metadata attached to a document as part of 
the document and so they decided not to include it in the content protected by 
the certificate. 

This fits the way we use attaching metadata during the process of 
categorization to enable retrieval of a document by means and taxonomies of the 
recipient, not of the author. If instead, as you seem to propose, metadata 
would be treated as part of the document, attaching the metadata needed for 
retrieval purposes would invalidate the signature of the document. 

Therefore this time I would go with Microsoft for their solution fits our needs 
and doesn't compromise the integrity protection of the document itself in any 
serious way. Just think of it as a sticker placed on the outside of a sealed 
envelope: You mustn't trust anything on the outside, just look inside the 
envelope to find the information you can rely on.

Yours
H.-D. Naujoks
TÜV SÜD Informatik und Consulting Services GmbH

-----Ursprüngliche Nachricht-----
Von: poehls@xxxxxxxxxxxxxxxxxxxxxxxxx [mailto:poehls@xxxxxxxxxxxxxxxxxxxxxxxxx] 
Gesendet: Mittwoch, 12. Dezember 2007 11:35
An: bugtraq@xxxxxxxxxxxxxxxxx
Betreff: MS Office 2007: Digital Signature does not protect Meta-Data


Affects: Microsoft Office 2007 (12.0.6015.5000) 

         MSO (12.0.6017.5000) 

         possibly older versions



I. Background


Microsoft Office is a suite containing several programs to

handle Office documents like text documents or spreadsheets. 

The latest version uses an XML based document format. 

Microsoft Office allows documents to be digitally signed by

authors using certified keys, allowing viewers to verify the 

integrity and the origin based on the author's public key. 

The author's public key certificate, which can come from a 

trusted third party, is embedded in the signed document. 

It is XML DSig based.



II. Problem Description


Microsoft Office documents carry meta data information 

according to the DublinCore metadata in the file 

docProps/core.xml . Among these meta data information 

are the fields "LastModifiedBy", "creator" together with 

several others that can be displayed/changed through the 

following menu "Office Button -> Prepare -> Properties".

These entries can be changed without invalidating the signature. 

At least under Windows Operating Systems these information are 

also shown in the Window's file systems properties.



III. Impact


The meta data of signed Microsoft Office documents can be 

changed. An attacker can change the values to spoof the origin 

of signed documents, hoping to induce trust or otherwise 

deceive the user.


III.1. Proof of Concept


Open the OOXML ZIP container of a signed document. 

Change the values in the docProps/core.xml file. 

For example set the value between "<dc:creator>*</dc:creator>" 

to "<dc:creator>FooBar</dc:creator>". 

The changes will be displayed in the document's properties 

dialog as described above. The signature will still be valid.



IV. Workaround


The meta data information of a signed OOXML document 

can be changed without invalidating the signature, thus 

information about the real author of a signed document can

only be retrieved from the certificate. 

The signed file's meta data can not be trusted as the 

meta data is not covered by the signature.

 


V. Solution


No possible solution.



VI. Correction details


A closer look into the references section of the XML signature 

used by Microsoft Office (stored in the File 

_xmlsignatures\sig1.xml) reveals that the file core.xml is 

not in the list of references. Thus it is not covered by the

signature. 


As a solution the scope of the signature needs to be extended 

to cover all the relevant information contained in the whole 

document, thus also the meta data in core.xml.


Include core.xml, and probably other files in the signature's 

list of references.


VII. Time line


2007-10-24: Vendor contacted

2007-10-25: Vendor acknowledged receipt

2007-11-14: 1st Deadline reached

2007-11-27: Reminder sent

2007-12-12: No response received until today





Yours,

Henrich C. Poehls, Dong Tran, Finn Petersen, Frederic Pscheid

SVS - Dept. of Informatics - University of Hamburg

Follow-Ups:
- Re: MS Office 2007: Digital Signature does not protect Meta-Data
  - From: Henrich C. Poehls

References:
- MS Office 2007: Digital Signature does not protect Meta-Data
  - From: poehls

Prev by Date: [USN-550-3] Cairo regression
Next by Date: SECURITY: 1.4.12 Package Compromise
Previous by thread: MS Office 2007: Digital Signature does not protect Meta-Data
Next by thread: Re: MS Office 2007: Digital Signature does not protect Meta-Data
Index(es):
- Date
- Thread