Microsoft Word Forms Passwords Hacked

← Back to Stories (view on slashdot.org)

Microsoft Word Forms Passwords Hacked

Posted by Cliff on Wednesday January 7, 2004 @07:50AM from the back-to-the-drawing-board dept.

An anonymous reader notes: "SecurityFocus has published a hack that can be used to unlock Microsoft Word documents that have been password protected. The 'secure' file can easily be edited and the original password re-inserted, removing any trace of the modification. A ZDNet UK article says Dell uses password protected Word files to send quotes, which could make for a messy legal battle." This feature, known as 'Password to Modify', is not the password protection on the document itself, just the protection that restricts unauthorized editing of the file. This hack allows someone to download such a file, edit it, and restore the password...effectively allowing changes to the file to go potentially unnoticed.

14 of 438 comments (clear)

Min score:

Reason:

Sort:

Nothing New by digitalvengeance · 2004-01-07 07:51 · Score: 5, Informative

There have been utilities to obtain Word passwords for quite a while. I've tested mine on Office 2000 and XP protected documents and had great success.

What's odd: The password returned by my tool of choice is not the same as the one actually stored - but when I enter this new password OR the original password into Word, the document is successfully unprotected. Some sort of odd math that makes more than one password work?
Example - I protected both a Word 2000 and Word 2002 document with the password "test" then ran them through my cracker. The cracker returned the password "QFQDOBCTGLHGEE" virtually instantly for both documents. Oddly enough, this new unusual password successfully unlocked both Word documents using Tools > Unprotect Document. Subsequent testing reveals that the original password will also unprotect the document.

So, if such passwords can easily be bypassed anyway - what does this really change?

I should note that I'm using a Passware product called Office Key.

This crack just takes what has been commercially available for quite some time and moves it into the public arena.

Josh

--
How many roads must a man walk down? 42.
1. Re:Nothing New by Stavr0 · 2004-01-07 07:58 · Score: 5, Informative
  
  The word doc doesn't store the password, but a one-way checksum.
  The passware product merely computes a password that matches the checksum found in the word doc.
2. Re:Nothing New by Violet+Null · 2004-01-07 07:58 · Score: 4, Informative
  
  Word probably uses a hash function to test the password (just like Linux doesn't store passwords, but hashes, in /etc/password). There's some function, you put the "password" in, it spits a hash out, and that is compared to the stored hash.
  
  Hashes are more secure than storing the password, because they tend to be pretty one way -- it's trivial to get a hash from a password, but much less trivial to get a password from the hash.
  
  However, hashes can collide; the smaller the hash returned, compared to the possible keyspace, the more likely this is. For instance, if I have a hash function that returns a one byte hash that I use to hash my password, then there is a 1/256 chance that _any_ gibberish I send in will return the same hash, and thus match.
  
  Microsoft is probably using a very small hash, and your "tool of choice" probably just brute forces the thing until it finds a match.
  
  If your tool of choice continued through the keyspace, it would inevitably come up with test, too.
3. Re:Nothing New by GoofyBoy · 2004-01-07 08:02 · Score: 4, Informative
  
  >Some sort of odd math that makes more than one password work?
  
  Really really simple dumbed down of an explination of what could be happening.
  
  I set the password to "011". Word takes the sum of the digits (0 + 1 + 1 = 2) and stored the result.
  
  When I want to unlock it Word takes the password I enter and sums the digits and sees if they match with the stored result from step 1. So "011" would work and so would "020" and "110".
  
  Of course it would be more complex math. Hope this gives you a bit understanding how it could happen.
  
  --
  The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
4. Re:Nothing New by pegr · 2004-01-07 08:17 · Score: 4, Informative
  
  Word document password protection has always been a joke. It's total cake to bypass it.
  
  1. Open a new blank Word document.
  
  2. Insert the protected document into the new document using the Insert command. You will NOT be asked for the password.
  
  3. You now have the protected document, complete with formatting, content, etc., but with no password protection as your new document.
  
  Nope, not since Office 98. Since Office 98, password protected docs are truly encrypted. It does indeed ask you for the password when you insert it.
  
  And I just noticed that, in Office 2003 anyway, you can hit the "Advanced" tab and choose what kind of encryption you want (RSA, etc.), as well as bit length. Pretty cool!
5. Re:Nothing New by pegr · 2004-01-07 08:33 · Score: 4, Informative
  
  OK, replying to your own post is lame, but here are the encryption types available under Word 2003:
  
  Weak Encryption (XOR)
  Office 97/2000 Compatible
  RC4, Microsost Base Cryptographic Provider
  RC4, Microsoft Base DSS and Diffie-Hellman Cryptographic Provider
  RC4, Microsoft DH SChannel Cryptographic Provider
  RC4, Microsoft Enhanced Cryptographic Provider v1.0
  RC4, Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider
  RC4, Microsoft RSA SChannel Cryptographic Provider
  RC4, Microsoft Strong Cryptographic Provider
  
  I especially love the XOR encryption! (At least they call it weak...) For the other types, you can spec a bit length between 40 and 128 bits. Now I'm not sure what MS does to "enhance" these encryption types, but there it is, for what it's worth... (I wonder if Whitfield knows his name is contained within MS Word? ;)
6. Re:Nothing New by saforrest · 2004-01-07 09:56 · Score: 4, Informative
  
  If they had used a real one-way function, such as MD5, it would not be possible to come up with another value that hashed to the same result.
  
  Uh, you're confusing two things.
  
  A one-way function is simply some function which is not one-to-one. For example, consider the length function L which maps words to integers, e.g. L("bob")=3, L("A")=1.
  
  It's not possible, given an integer n, to find the specific word that mapped to n, simply because there isn't an unique one. This is what makes it one-way.
  
  The fact that there are multiple possible passwords for this Word document is proof that it is a one-way function.
  
  What you're talking about is the ease of finding some element of the preimage of a given hash, which is a separate concept. MD5 is good because for some given value, it's really hard to find anything which hashes to that value, not because it's somehow 'more one-way'.
  
  In fact, the most one-way function of all is a constant function, which is obviously totally useless for authentication.
RTFA... It's hilarious by h4rm0ny · 2004-01-07 07:52 · Score: 5, Informative

According to Microsoft, the password protection feature on Word is not intended to be secure, but should be regarded as a means to protect documents against accidental modification. I use Word and don't ever recall being advised of this, but then I suppose the EULA does warn users never to actually rely on the software for anything important.

I never expected the protection in Word to be anything special, but sometimes (as shown here by Dell) it's better to have no security than false security because that way you take greater care.

But for those of you who never RTA, here is what was the highlight for me:

1.) Open a protected document in MS Word
2.) Save as "Web Page (*.htm; *.html)", close Word
3.) Open html-document in any Text-Editor
4.) Search "" tag, the line reads something like that: ABCDEF01

--

Aide-toi, le Ciel t'aidera - Jeanne D'Arc.
One Way function by nuggz · 2004-01-07 07:55 · Score: 4, Informative

Passwords can use a one way function.
Take the source string, do a bunch of 'stuff' to it, stuff that isn't easy to undo.
You can throw out some data too.

You end up with a new string, but since you threw out some information, you end up unable to reverse it.

Even if you know the end result, and the formula, you can't guess the password. You'd have to brute force it.
With slow computers, this was a very good obstacle. Now we use fancier algorithms, and it is still okay.

I'm not a math guy, go read crypto books if you want the 'real' explanation
Re:No messy Dell battle by vasqzr · 2004-01-07 07:58 · Score: 5, Informative

Come to think of it, I can't think of a real position where this could be a problem. What would someone do, host protected .doc's on a public server, and hope no one hacks into the server putting back the password-modified .doc? Anyone have a real world example?

You've obviously never been in the real world.

To someone like your or I, Word is simply a word processing program. But, to office workers across the country....

Here's a list of things I've seen people use MS Word for:

Spreadsheet. Hit tab, enter a value, add them up by hand. Excel is 'too confusing'

Creating GIANT tables and using them for inventory, rather than an Access database

Creating a 3,000 page document and keeping time/attendance records for ~ 250 employees. And wonder why it takes 10 minutes to load, and 10 minutes to save, doesn't scroll right....
The article is troll-ish by _RiZ_ · 2004-01-07 07:59 · Score: 5, Informative

I work with Dell for our workstation and laptop purchases and not once in the last 3 years have they sent me a quote in a Word document.

They have a system that links the quote with your customer ID and gets generated as an HTML file which gets emailed to you. All automagically.

To whom ever that thought they could change a word document quote and expect to get that price, I got some beach front property to sell you in Kansas. Silly fool.
Re:Oh, this bodes well. by zdislaw · 2004-01-07 08:00 · Score: 5, Informative

I wondered exactly the same thing. For about three seconds. The I RTFA.
2003-11-27, 10:30 UTC Microsoft notified to: secure microsoft com
2003-11-27 confirmed receipt from: secure microsoft com
2003-12-03 Note from Microsoft, Form protection "is not intended as a full-proof protection for tampering or spoofing, this is merely a functionality to prevent accidental changes of a document", request additional time to update Microsoft Knowledge Base article.
Targetting beginning of January 2004 for release of this advisory.
from: "Magnus"
2003-12-08 Microsoft has already released the KB article (or added a warning to an existing article). Read the KB article at http://support.microsoft.com/?id=822924
from: "Magnus"

--
bad sig...no donut.
Come on now... by Kevin+Stevens · 2004-01-07 08:00 · Score: 4, Informative

Was this ever really meant to be really truly secure? "security" features like that have always been lame at best and equivalent to luggage locks. These passwords have always been susceptible to brute force attacks. Anyone really serious about keeping documents safe puts them into a source control program. There are many ways to pick at MS's security, this is not one of them. But if you are trusting these measures for really secure documents, I highly suggest you get your valuables out of the pink plastic safe you won at the county fair last year.
Re: Just how far should they go? by Kjella · 2004-01-07 09:16 · Score: 4, Informative

So long as we ride the Moore Curve, overkill degrades to underkill at a rate of about one bit per 18 months. So if you want your document to be secure in perpetuity, you'd better use a lot of bits.

Take something like 256 bits, which is quite commonly available, and you'll see that brute forcing it requires you to turn each atom on earth into a computer, and compute with each of the atoms of the earth (2^171 atoms) at 1 THz (2^40) for 1 million years (2^45) in order to brute force *one* key.

Now, if that is too unsecure for you, I recommend you seek professional help. Fast.

Kjella

--
Live today, because you never know what tomorrow brings