lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 13 Dec 2007 15:07:09 -0000
From: poehls@...ormatik.uni-hamburg.de
To: bugtraq@...urityfocus.com
Subject: MS Office 2007: Target of Hyperlinks not covered by Digital
 Signatures

Affects: Microsoft Office 2007 (12.0.6015.5000) 
         MSO (12.0.6017.5000) 
         possibly older versions


I. Background

Microsoft Office is a suite containing several programs to
handle Office documents like text documents or spreadsheets. 
The latest version uses an XML based document format. 
Microsoft Office allows documents to be digitally signed by
authors using certified keys, allowing viewers to verify the 
integrity and the origin based on the author's public key. 
The author's public key certificate, which can come from a 
trusted third party, is embedded in the signed document. 
It is XML DSig based.


II. Problem Description

Microsoft Office documents can carry URLs as clickable 
references. The target of URLs given in the document
are stored in word/_rels/document.xml.rels inside
the OOXML ZIP container. Inside you will see the
hyperlink, referenced by an internal ID and the target.
The target can be changed without invalidating the signature. 
At least in the GUI a hyperlink's target is shown to the user.
Neverthe less the signature does not revel that it has been
changed without the signer's knowledge.


III. Impact

An attacker can change the target of hyperlinks contained in
signed documents, hoping to induce trust to the linked sites,
or otherwise deceive the user.

III.1. Proof of Concept

Open the OOXML ZIP container of a signed document that contains
a hyperlink. Lokk for the original target values in the 
word/_rels/document.xml.rels file. 
For example set the target value between the colons to
to http://example.org. 
The changes will result in the new target being displayed 
when the document is opened in Office. Pressing Ctrl and clicking
the link will instruct the browser to open the changed URL set 
as target. The signature remains valid.


IV. Workaround

The target of hyperlinks inside signed OOXML document 
can be changed without invalidating the signature, thus 
can not be trusted. Do not use the URL provided through the 
hyperlink to open the webpage the signed document wants you 
to open, instead try to deduce the URL from the signed document 
content.
 

V. Solution

No possible solution.


VI. Correction details

A closer look into the references section of the XML signature 
used by Microsoft Office (stored in the File 
_xmlsignatures\sig1.xml) reveals that the file 
word/_rels/document.xml.rels is in the list of references. 
Nevertheless, changes are not covered by the signature. 
If no implementation error is the case for this
behaviour, this can only be due to the applied transformation.

As a solution the scope of the signature needs to be extended 
to cover all the relevant information contained in the whole 
document, thus also the references in 
word/_rels/document.xml.rels.

Include word/_rels/document.xml.rels, and probably other files 
in the signature's list of references. And use transformations
that do not limit the signature's protection.

VII. Time line

2007-10-24: Vendor contacted
2007-10-25: Vendor acknowledged reception
2007-11-14: 1st Deadline due
2007-11-27: Reminder sent
2007-12-12: No response received until today



Yours,
Henrich C. Poehls, Dong Tran, Finn Petersen, Frederic Pscheid
SVS - Dept. of Informatics - University of Hamburg

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ