Microsoft Word Form Protection Bypass!

[Computernerd22]

Hello fellow Security Consultants @ antionline I found this article @ http://www.neworder.box.sk/explread.php?newsid=10218 excellent thread on Microsoft Word Form Protection Bypass.

The full article can be found at http://www.neworder.box.sk/explread.php?newsid=10218

Description:
------------

When saving protected Word-documents as html-files, Word adds a
"checksum" of the password (enclosed in a proprietary tag) to the
code. The checksum format looks somewhat like CRC32 but currently
there are no further details available. The same checksum can be
found within the original Word document (hexadecimal view). If this
"checksum" is replaced by 0x00000000 the password equals an empty
string.

Example:
--------

1.) Open a protected document in MS Word
2.) Save as "Web Page (*.htm; *.html)", close Word
3.) Open html-document in any Text-Editor
4.) Search "" tag, the line reads something like
that: ABCDEF01
5.) keep the "password" in mind
6.) Open original document (.doc) with any hex-editor
7.) search for hex-values of the password (reverse order!)
8.) Overwrite all 4 double-bytes with 0x00, Save, Close
9.) Open document with MS Word, Select "Tools / Unprotect Document"
(password is blank)

Variation:
----------

If the 8 checksum bytes are replaced with the checksum of a known
password it should be fairly easy to unprotect the document, make any
necessary changes, save, close and reset the password to the original
(unknown!) password by simply restoring the original values. Document
changed without even knowing the password. Nasty.

(Note: Take care to get file properties (author, organisation,
date/time etc.) right.)

Solution:
---------

No solution is currently available. Do not rely on the "Protect
Forms" mechanism to protect a Word document against changes.

This is a pretty cool little exploit seems fairly simple. I havent peronsally tried it yet, but I will.

[Striek]

ummm... step one tells me to first open the protected document.

Am I missing something here?

[Computernerd22]

Am I missing something here?

I was asking myself the same exact thing I dont think so.

[nihil]

Hi Guys,

There are two document "protections" in MS Word. One is to password protect a whole document, and the other is to protect a "form", in other words a data entry document.

You can open a "form protected" document (or you wouldn't be able to fill it out?) , but are restricted to entering data into the designated boxes. Other boxes may be protected from you..............I am inclined to give M$ the benefit of the doubt, as I have always looked on form protection as a way of preventing people screwing up the form, rather than a true "security" measure.

The way I have generally used them is the user fills out their bits and returns it to Admin or whoever who then fill in the rest.............they already have the password, so there is no real security issue.

Cheers

[geekguy]

Hmm...well I suppose it's not really used as a security measure for the most part. But on the other hand I have this scholarship form that is HUGE. Unfortunately I can't spell check any of this stuff. So I tried looking through the code for that hex but couldn't find anything as to what they were describing (4 double bytes). They were kind of vague as to where this tag is supposed to be. I'm using office XP with SP2, I wonder if this is unaffected. Does anyone have a better idea as to where this tag is supposed to be in the code?

[nihil]

Unfortunately I can't spell check any of this stuff

Have you tried turning on the "check as you go feature"? That should let you spell check the bits where you can enter information?

Otherwise just copy and paste the various sections into Word, and spell check it there?

Cheers

[geekguy]

Originally posted here by nihil
Otherwise just copy and paste the various sections into Word, and spell check it there?

Well yeah, that would work just fine except for the fact it's 6 pages long and has lots of different boxes. It would be too time consuming and better to just do it the old fashioned way (which you have to do anyways). I just thought it would be neat to see how the flaw worked is all. Oh well...not a terribly interesting flaw anyways.

[Tedob1]

Packetstorm has this listed on their last 20 exploits list by the same author although not quit as detailed.

2003-12-08 Microsoft has already released the
KB article (or added a warning to an existing
article). Read the KB article at
http://support.microsoft.com/?id=822924

Solution:
---------

No solution is currently available. Do not rely on the "Protect
Forms" mechanism to protect a Word document against changes.

duh!

[nihil]

Hi Tedob1,

I have always felt that the "form protection" in Word was purely to stop people screwing up filling the form out?

The form should be a "template", which is password protected. This is the "protection"?....yes I do know how to crack it, and NO, I am not going to say how ..... if you do not know, you do not need to know? EDIT: not you personally Tedob1...people in general...this is an open forum

Suffice it to say that MS Word is not designed to be a secure system for international banking transactions...or anything like that. I would say the same of all of the MS Office suite, of anybody's office suite for that matter.

I think that the real issue is that people do not understand what they are using?...like a schoolyard full of kids with AK-47s?

The warnings, as I read them, are: "don't use this feature and think that your documents are secure"

I think that the message from Microsoft is that "we are not going to do anything about it, because you are not using our product properly if you use it that way"?

/Me wanders off to find similar "features" in Corel and Lotus Smartsuite

Cheers