
adv_microsoft_word_protection.txt

05 Jan 2004 00:00:00 | Reported by Thorsten Delbrouck | Type: packetstorm | Source: packetstormsecurity.com

Microsoft Word form protection can be bypassed, allowing unauthorized changes to documents.

Code
`Guardeonic Solutions AG  
Thorsten Delbrouck <[email protected]>  
http://www.guardeonic.com/  
  
Security Advisory #01-2004  
  
Advisory Name: Microsoft Word Form Protection Bypass  
Release Date: 2004-01-02  
Affected Product: Microsoft Word  
Platform: Microsoft Windows, probably Apple Mac OS  
Version: tested on 2000, 2002 (XP), 2003,  
probably other versions vulnerable as well  
  
Severity: Document ("Form") protection can be easily removed  
  
Author: Thorsten Delbrouck <[email protected]>  
  
Vendor Communication: 2003-11-27, 10:30 UTC Microsoft notified  
to: [email protected]  
  
2003-11-27 confirmed receipt  
from: [email protected]  
  
2003-12-03 Note from Microsoft, Form   
protection "is not intended as a full-proof   
protection for tampering or spoofing, this is   
merely a functionality to prevent accidental   
changes of a document", request additional   
time to update Microsoft Knowledge Base   
article. Targeting beginning of January 2004   
for release of this advisory.  
from: "Magnus" <[email protected]>  
  
2003-12-08 Microsoft has already released the   
KB article (or added a warning to an existing   
article). Read the KB article at  
http://support.microsoft.com/?id=822924   
from: "Magnus" <[email protected]>  
  
  
Overview:  
---------  
  
Word provides an option to protect "forms" by password. This is used   
to ensure that unauthorized users cannot manipulate the contents of   
documents except within specially designed "form" areas. This feature   
is also often used to protect documents which do not even have form   
areas (quotations/offers etc.).  
  
(Word users will find this option on the "Tools" menu, entry   
"Protection", select "Forms" there and provide a password)  
  
If a Word document is "protected" by this mechanism, users cannot   
select parts of the text or place the cursor within the text --- thus   
they cannot make any changes to the document.  
  
Description:  
------------  
  
When saving protected Word documents as HTML files, Word adds a   
"checksum" of the password (enclosed in a proprietary tag) to the   
code. The checksum format looks somewhat like CRC32 but currently   
there are no further details available. The same checksum can be   
found within the original Word document (hexadecimal view). If this   
"checksum" is replaced by 0x00000000, the password equals an empty   
string.  
  
Example:  
--------  
  
1.) Open a protected document in MS Word  
2.) Save as "Web Page (*.htm; *.html)", close Word  
3.) Open the HTML document in any text editor  
4.) Search for the "<w:UnprotectPassword>" tag; the line reads something like   
this: <w:UnprotectPassword>ABCDEF01</w:UnprotectPassword>  
5.) keep the "password" in mind  
6.) Open original document (.doc) with any hex-editor  
7.) search for hex-values of the password (reverse order!)  
8.) Overwrite all 4 double-bytes with 0x00, Save, Close  
9.) Open document with MS Word, Select "Tools / Unprotect Document"   
(password is blank)  
  
Variation:  
----------  
  
If the 8 checksum bytes are replaced with the checksum of a known   
password it should be fairly easy to unprotect the document, make any   
necessary changes, save, close and reset the password to the original   
(unknown!) password by simply restoring the original values. Document   
changed without even knowing the password. Nasty.  
  
(Note: Take care to get file properties (author, organisation,   
date/time etc.) right.)  
  
Solution:  
---------  
  
No solution is currently available. Do not rely on the "Protect   
Forms" mechanism to protect a Word document against changes.  
  
Credits:  
--------  
  
Magnus from the Microsoft Security Response Center for his fast   
responses and for showing a decent sense of humour. :-)  
  
`
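
Because the advisory's "Variation" restores the original checksum after editing, comparing the `<w:UnprotectPassword>` value cannot show that a document is unchanged. The following is an added example, not part of the original advisory: a small audit that records a SHA-256 digest of a Word HTML export at release time and checks a received copy against it. The function names and the sample HTML are constructed for illustration; only the tag name and the `ABCDEF01` value come from the advisory.

```python
import hashlib
import re

# Tag named in the advisory; Word writes it into "Web Page" exports of protected documents.
TAG = re.compile(rb"<w:UnprotectPassword>\s*([0-9A-Fa-f]{8})\s*</w:UnprotectPassword>")

def protection_checksum(html: bytes):
    """Return the password checksum (8 hex digits, upper case), or None if absent."""
    m = TAG.search(html)
    return m.group(1).decode("ascii").upper() if m else None

def release_record(html: bytes) -> dict:
    """Record kept by the sender at release time (stored outside the document)."""
    return {"checksum": protection_checksum(html),
            "sha256": hashlib.sha256(html).hexdigest()}

def audit(record: dict, received: bytes) -> dict:
    """Check a received copy against the release record."""
    seen = protection_checksum(received)
    return {
        "checksum_exposed": seen is not None,
        "blank_password": seen == "00000000",
        "checksum_unchanged": seen == record["checksum"],
        # Only a digest over the whole file detects edits to the content.
        "content_unchanged": hashlib.sha256(received).hexdigest() == record["sha256"],
    }

# Constructed sample data, not taken from a real document.
def sample(total: str, checksum: str) -> bytes:
    return (f"<html><xml><w:WordDocument><w:UnprotectPassword>{checksum}"
            f"</w:UnprotectPassword></w:WordDocument></xml>"
            f"<body><p>Quotation total: {total}</p></body></html>").encode("ascii")

RELEASED = sample("1,000 EUR", "ABCDEF01")
EDITED_SAME_CHECKSUM = sample("100 EUR", "ABCDEF01")  # the "Variation" case
ZEROED = sample("1,000 EUR", "00000000")              # checksum overwritten with zeros

if __name__ == "__main__":
    record = release_record(RELEASED)
    for name, doc in [("released", RELEASED),
                      ("edited", EDITED_SAME_CHECKSUM),
                      ("zeroed", ZEROED)]:
        print(name, audit(record, doc))
```

The edited copy reports `checksum_unchanged: True` and `content_unchanged: False`, which is why the digest, not the protection checksum, has to be the integrity check.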

Vulners AI Score: 7.4 (High risk)