Guardeonic Solutions AG
Thorsten Delbrouck
http://www.guardeonic.com/

Security Advisory #01-2004

Advisory Name:    Microsoft Word Form Protection Bypass
Release Date:     2004-01-02
Affected Product: Microsoft Word
Platform:         Microsoft Windows, probably Apple Mac OS
Version:          tested on 2000, 2002 (XP), 2003; other versions are probably vulnerable as well
Severity:         Document ("Form") protection can be easily removed
Author:           Thorsten Delbrouck

Vendor Communication:
---------------------
2003-11-27, 10:30 UTC  Microsoft notified
                       to: secure@microsoft.com
2003-11-27             Confirmed receipt
                       from: secure@microsoft.com
2003-12-03             Note from Microsoft: Form protection "is not intended as a fool-proof protection for tampering or spoofing, this is merely a functionality to prevent accidental changes of a document". Microsoft requests additional time to update a Microsoft Knowledge Base article. Targeting the beginning of January 2004 for release of this advisory.
                       from: "Magnus"
2003-12-08             Microsoft has already released the KB article (or added a warning to an existing article). Read the KB article at http://support.microsoft.com/?id=822924
                       from: "Magnus"

Overview:
---------
Word provides an option to protect "forms" with a password. It is meant to ensure that unauthorized users cannot change the contents of a document except within specially designed "form" fields. The feature is also often used to protect documents that do not contain any form fields at all (quotations, offers, etc.).

(Word users will find this option on the "Tools" menu, entry "Protection"; select "Forms" there and provide a password.)

If a Word document is "protected" by this mechanism, users cannot select parts of the text or place the cursor within it, and thus cannot make any changes to the document.

Description:
------------
When a protected Word document is saved as an HTML file, Word adds a "checksum" of the password (enclosed in a proprietary tag) to the HTML. The checksum is a 32-bit value written as 8 hex digits; its format looks somewhat like CRC32, but no further details are currently available.

The same checksum can be found inside the original Word document (hexadecimal view), with its 4 bytes stored in reverse order. If this "checksum" is replaced by 0x00000000, the protection password becomes the empty string.

Example:
--------
1.) Open a protected document in MS Word
2.) Save as "Web Page (*.htm; *.html)", close Word
3.) Open the HTML document in any text editor
4.) Search for the "" tag; the line reads something like: ABCDEF01
5.) Keep this "password" checksum in mind
6.) Open the original document (.doc) with any hex editor
7.) Search for the hex values of the checksum (in reverse byte order!)
8.) Overwrite all 4 bytes with 0x00, save, close
9.) Open the document with MS Word, select "Tools / Unprotect Document" (the password is blank)

Variation:
----------
If the 8 checksum hex digits (4 bytes) are replaced with the checksum of a known password, it is fairly easy to unprotect the document, make any necessary changes, save, close, and then reset the password to the original (unknown!) password by simply restoring the original checksum bytes. The document has been changed without the password ever being known. Nasty.

(Note: Take care to get the file properties (author, organisation, date/time etc.) right, since Word updates them when the document is saved.)

Solution:
---------
No solution is currently available. Do not rely on the "Protect Forms" mechanism to protect a Word document against changes.

Credits:
--------
Magnus from the Microsoft Security Response Center for his fast responses and for showing a decent sense of humour. :-)
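The byte-level part of the procedure (steps 6 to 8, and the Variation) as an added Python example; this is not code from the original advisory or from Guardeonic. It converts the 8-hex-digit value read from the saved HTML into the reversed byte order used in the .doc, finds where those bytes occur, and overwrites them, either with zeros (blank password) or with the checksum of a known password, and then reverses the swap to restore the original. The .doc image and the HTML fragment are constructed stand-ins, the tag name "x:Protect" is a placeholder because the advisory does not print Word's proprietary tag, and "12345678" stands in for a known password's checksum; the checksum algorithm itself is not implemented since the advisory does not know it.

```python
import re


def html_hash_to_doc_bytes(hash_hex):
    """Turn the 8 hex digits seen in the saved HTML (e.g. "ABCDEF01") into the
    4 bytes as they are stored in the .doc, i.e. in reverse byte order."""
    if not re.fullmatch(r"[0-9A-Fa-f]{8}", hash_hex):
        raise ValueError("expected exactly 8 hex digits, got %r" % (hash_hex,))
    return bytes.fromhex(hash_hex)[::-1]      # "ABCDEF01" -> b"\x01\xef\xcd\xab"


def extract_hash_from_html(html, tag):
    """Pull the checksum out of the saved HTML. `tag` is the name of Word's
    proprietary tag, which the reader copies from the saved file; the advisory
    does not spell it out, so it is a parameter here rather than a constant."""
    pattern = r"<%s>([0-9A-Fa-f]{8})</%s>" % (re.escape(tag), re.escape(tag))
    m = re.search(pattern, html)
    if m is None:
        raise LookupError("no <%s> checksum found in HTML" % tag)
    return m.group(1).upper()


def find_hash_offsets(doc, hash_hex):
    """All offsets at which the reversed checksum bytes occur in the .doc image.
    A 4-byte pattern can also match by accident somewhere else in the file,
    so the caller should check how many hits there are before patching."""
    needle = html_hash_to_doc_bytes(hash_hex)
    offsets, start = [], 0
    while (pos := doc.find(needle, start)) != -1:
        offsets.append(pos)
        start = pos + 1
    return offsets


def patch_hash(doc, old_hex, new_hex="00000000"):
    """Overwrite every occurrence of the stored checksum with `new_hex`
    (the advisory's step 8 overwrites all of them). With the default the
    protection password becomes the empty string. Passing the checksum of a
    known password instead, editing the document in Word, and then calling
    patch_hash(edited, known_hex, old_hex) is the advisory's Variation."""
    offsets = find_hash_offsets(doc, old_hex)
    if not offsets:
        raise LookupError("checksum %s not found in document" % old_hex)
    buf = bytearray(doc)
    new = html_hash_to_doc_bytes(new_hex)
    for off in offsets:
        buf[off:off + 4] = new
    return bytes(buf)


# Constructed stand-ins (not real Word output): the OLE2 magic number followed
# by filler, with the reversed checksum bytes embedded where Word would keep
# them. The tag name "x:Protect" is a placeholder for Word's real tag.
SAMPLE_HTML = "<x:Protect>ABCDEF01</x:Protect>"
SAMPLE_DOC = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16
              + b"\x01\xef\xcd\xab" + b"\x00" * 8)
KNOWN_HEX = "12345678"   # placeholder for the checksum of a password you know


def demo():
    """Blank the password (steps 4 to 8), then do the known-password round trip."""
    checksum = extract_hash_from_html(SAMPLE_HTML, "x:Protect")
    blanked = patch_hash(SAMPLE_DOC, checksum)                 # password is now ""
    swapped = patch_hash(SAMPLE_DOC, checksum, KNOWN_HEX)      # known password's checksum
    restored = patch_hash(swapped, KNOWN_HEX, checksum)        # unknown password is back
    return checksum, find_hash_offsets(SAMPLE_DOC, checksum), blanked, restored


if __name__ == "__main__":
    cs, offs, blanked, restored = demo()
    print("checksum from HTML :", cs, "found at offsets", offs)
    print("patched to zeros   :", blanked[24:28].hex())
    print("round trip intact  :", restored == SAMPLE_DOC)
```

Two practical points fall out of the code. First, `find_hash_offsets` can hit the same 4-byte sequence somewhere unrelated in the file, so look at the number of offsets before patching a real document. Second, the Variation has to swap in a known non-zero checksum rather than zeros if you want to restore the original afterwards: once the field is 0x00000000 it is indistinguishable from the surrounding filler, and there is no pattern left to search for.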