Microsoft Word Form Protection Bypass!
Results 1 to 9 of 9

Thread: Microsoft Word Form Protection Bypass!

  1. #1
    AO's MMA Fanatic! Computernerd22's Avatar
    Join Date
    Mar 2003
    Location
    Miami, FL
    Posts
    795

    Thumbs up Microsoft Word Form Protection Bypass!

    Hello fellow Security Consultants @ antionline I found this article @ http://www.neworder.box.sk/explread.php?newsid=10218 excellent thread on Microsoft Word Form Protection Bypass.

    The full article can be found at http://www.neworder.box.sk/explread.php?newsid=10218

    Description:
    ------------

    When saving protected Word-documents as html-files, Word adds a
    "checksum" of the password (enclosed in a proprietary tag) to the
    code. The checksum format looks somewhat like CRC32 but currently
    there are no further details available. The same checksum can be
    found within the original Word document (hexadecimal view). If this
    "checksum" is replaced by 0x00000000 the password equals an empty
    string.

    Example:
    --------

    1.) Open a protected document in MS Word
    2.) Save as "Web Page (*.htm; *.html)", close Word
    3.) Open html-document in any Text-Editor
    4.) Search "" tag, the line reads something like
    that: ABCDEF01
    5.) keep the "password" in mind
    6.) Open original document (.doc) with any hex-editor
    7.) search for hex-values of the password (reverse order!)
    8.) Overwrite all 4 double-bytes with 0x00, Save, Close
    9.) Open document with MS Word, Select "Tools / Unprotect Document"
    (password is blank)

    Variation:
    ----------

    If the 8 checksum bytes are replaced with the checksum of a known
    password it should be fairly easy to unprotect the document, make any
    necessary changes, save, close and reset the password to the original
    (unknown!) password by simply restoring the original values. Document
    changed without even knowing the password. Nasty.

    (Note: Take care to get file properties (author, organisation,
    date/time etc.) right.)

    Solution:
    ---------

    No solution is currently available. Do not rely on the "Protect
    Forms" mechanism to protect a Word document against changes.
    This is a pretty cool little exploit seems fairly simple. I havent peronsally tried it yet, but I will.

  2. #2
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130
    ummm... step one tells me to first open the protected document.

    Am I missing something here?
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.

    Join the UnError community!

  3. #3
    AO's MMA Fanatic! Computernerd22's Avatar
    Join Date
    Mar 2003
    Location
    Miami, FL
    Posts
    795
    Am I missing something here?
    I was asking myself the same exact thing I dont think so.

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Hi Guys,

    There are two document "protections" in MS Word. One is to password protect a whole document, and the other is to protect a "form", in other words a data entry document.

    You can open a "form protected" document (or you wouldn't be able to fill it out?) , but are restricted to entering data into the designated boxes. Other boxes may be protected from you..............I am inclined to give M$ the benefit of the doubt, as I have always looked on form protection as a way of preventing people screwing up the form, rather than a true "security" measure.

    The way I have generally used them is the user fills out their bits and returns it to Admin or whoever who then fill in the rest.............they already have the password, so there is no real security issue.

    Cheers

  5. #5
    Junior Member
    Join Date
    Jul 2003
    Posts
    4
    Hmm...well I suppose it's not really used as a security measure for the most part. But on the other hand I have this scholarship form that is HUGE. Unfortunately I can't spell check any of this stuff. So I tried looking through the code for that hex but couldn't find anything as to what they were describing (4 double bytes). They were kind of vague as to where this tag is supposed to be. I'm using office XP with SP2, I wonder if this is unaffected. Does anyone have a better idea as to where this tag is supposed to be in the code?
    This is where my sig would go, if I had one...so yeah.

  6. #6
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Unfortunately I can't spell check any of this stuff
    Have you tried turning on the "check as you go feature"? That should let you spell check the bits where you can enter information?

    Otherwise just copy and paste the various sections into Word, and spell check it there?

    Cheers

  7. #7
    Junior Member
    Join Date
    Jul 2003
    Posts
    4
    Originally posted here by nihil
    Otherwise just copy and paste the various sections into Word, and spell check it there?
    Well yeah, that would work just fine except for the fact it's 6 pages long and has lots of different boxes. It would be too time consuming and better to just do it the old fashioned way (which you have to do anyways). I just thought it would be neat to see how the flaw worked is all. Oh well...not a terribly interesting flaw anyways.
    This is where my sig would go, if I had one...so yeah.

  8. #8
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    Packetstorm has this listed on their last 20 exploits list by the same author although not quit as detailed.

    2003-12-08 Microsoft has already released the
    KB article (or added a warning to an existing
    article). Read the KB article at
    http://support.microsoft.com/?id=822924

    Solution:
    ---------

    No solution is currently available. Do not rely on the "Protect
    Forms" mechanism to protect a Word document against changes.

    duh!
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  9. #9
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Hi Tedob1,

    I have always felt that the "form protection" in Word was purely to stop people screwing up filling the form out?

    The form should be a "template", which is password protected. This is the "protection"?....yes I do know how to crack it, and NO, I am not going to say how ..... if you do not know, you do not need to know? EDIT: not you personally Tedob1...people in general...this is an open forum

    Suffice it to say that MS Word is not designed to be a secure system for international banking transactions...or anything like that. I would say the same of all of the MS Office suite, of anybody's office suite for that matter.

    I think that the real issue is that people do not understand what they are using?...like a schoolyard full of kids with AK-47s?

    The warnings, as I read them, are: "don't use this feature and think that your documents are secure"

    I think that the message from Microsoft is that "we are not going to do anything about it, because you are not using our product properly if you use it that way"?

    /Me wanders off to find similar "features" in Corel and Lotus Smartsuite

    Cheers

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •