Bugtraq mailing list archives

Re: Microsoft Word Protection Bypass

From: Vladimir Katalov <vkatalov () elcomsoft com>
Date: 8 Jan 2004 10:56:05 -0000

In-Reply-To: <OF60A8C9AA.4F52F3E5-ON00256E0F.003B08BA-C1256E0F.003B9AEC@localhost>

To: bugtraq () securityfocus com
Cc: "Microsoft Security Response Center" <secure () microsoft com>
Subject: Microsoft Word Protection Bypass
From: Thorsten Delbrouck-Konetzko <Thorsten.Delbrouck () guardeonic com>
Date: Fri, 2 Jan 2004 10:51:03 +0000
Content-Type: multipart/mixed; boundary="=_mixed 003B9AC4C1256E0F_="

Microsoft Word provides an option to protect "forms" by password. This is 
used to ensure that unauthorized users cannot manipulate the contents of 
documents except within specially designed "form" areas. This feature is 
also often used to protect documents which do not even have form areas 
(quotations/offers etc.).

This form protection can easily be removed without any additional tools 
(apart from a hex-editor).

Please find the full advisory attached.


Actually, we have reported about this problem almost three years ago at "Black Hat Windows Security 2001" conference 
(Las Vegas, Feb'2001), see:

http://www.blackhat.com/html/bh-multi-media-archives.html#Windows%20Security%202001

Here is the presentation ("Analysis of Microsoft Office Password Protection System, and Survey of Encryption Holes In 
Other MS Windows Applications") in PowerPoint format:

http://www.blackhat.com/presentations/win-usa-01/Malyshev/bh-win-01-malyshev.ppt

And streaming video:
rtsp://media-1.datamerica.com/blackhat/bh-usa-win-01/video/bh-usa-win-01-andrey-malyshev-video.rm

Microsoft, of course, was aware. There is an article published in Microsoft TechNet:

Ask Us About... Security, March 2001
http://www.microsoft.com/technet/columns/security/askus/auas0301.asp

Quote from there:

"Recovering Office passwords
Q: I'm creating a document using Microsoft Word that may potentially contain sensitive information. I note that Word 
has a password protection feature (under Tools/Protect Document). How strong is the security surrounding this feature? 
A: I get a lot of mail asking about the strength of passwords for Office documents. As was demonstrated in an analysis 
of the Microsoft Office password protection system presented by ElcomSoft at Black Hat (see above), the 
password-protection features of these programs were not designed to be invincible. [...]"

You may also want to have a look at our software that can recover or remove this password, among many other ones:

Advanced Office XP Password Recovery
http://www.elcomsoft.com/aoxppr.html

-- 
Sincerely yours,
  Vladimir

Vladimir Katalov
Managing Director
ElcomSoft Co.Ltd.
Member of Association of Shareware Professionals (ASP)
Member of Russian Cryptology Association
mailto:vkatalov () elcomsoft com
http://www.elcomsoft.com

Current thread:

Microsoft Word Protection Bypass Thorsten Delbrouck-Konetzko (Jan 02)
- RE: Microsoft Word Protection Bypass Jerry Shenk (Jan 06)
- <Possible follow-ups>
- Re: Microsoft Word Protection Bypass Thorsten Delbrouck-Konetzko (Jan 07)
  - RE: Microsoft Word Protection Bypass Eric Lawrence (Jan 07)
- Re: Microsoft Word Protection Bypass Vladimir Katalov (Jan 08)