Protection Bypass Vulnerability in Microsoft Word

Reported January 4, 2004 by Thorsten Delbrouck.

 

 

VERSIONS AFFECTED

 

• Microsoft Word 2003 and 2002 (XP)

 

DESCRIPTION

 

Microsoft Word contains a protection-bypass vulnerability. By performing a simple process (outlined in the demonstration below), a malicious user can unprotect a protected document without the use of a password cracker or other special tools.

DEMONSTRATION

The discoverer posted the following demonstration as proof of concept:

 

1.)    Open a protected document in Word.

2.)    Choose the Save As Web Page (*.htm; *.html) option and close Word.

3.)    Open the HTML document in any text editor.

4.)    Search the <w:UnprotectPassword> tag for a line that looks like: <w:UnprotectPassword>ABCDEF01</w:UnprotectPassword>. Gather the password.

5.)    Open the original .doc document with any hex editor.

6.)    Search for hex values of the password (reverse order).

7.)    Overwrite all four double-bytes with 0x00. Save, and close.

8.)    Open the document in Word. Select Tools, Unprotect Document. Password is blank.

 

VENDOR RESPONSE

 

Microsoft has been notified.

 

CREDIT

Discovered by Thorsten Delbrouck.