Protection Bypass Vulnerability in Microsoft Word

Reported January 4, 2004 by Thorsten Delbrouck.

 

 

VERSIONS AFFECTED

 

  • Microsoft Word 2003 and 2002 (XP)

 

DESCRIPTION

 

Microsoft Word contains a protection-bypass vulnerability. By performing a simple process (outlined in the demonstration below), a malicious user can unprotect a protected document without the use of a password cracker or other special tools.

 
DEMONSTRATION
 
The discoverer posted the following demonstration as proof of concept:

 

1.)    Open a protected document in Word.

2.)    Choose the Save As Web Page (*.htm; *.html) option and close Word.

3.)    Open the HTML document in any text editor.

4.)    Search for the <w:UnprotectPassword> tag, in a line that looks like: <w:UnprotectPassword>ABCDEF01</w:UnprotectPassword>. Gather the password.

5.)    Open the original .doc document with any hex editor.

6.)    Search for the hex values of the password (in reverse order).

7.)    Overwrite all four double-bytes with 0x00. Save, and close.

8.)    Open the document in Word. Select Tools, Unprotect Document. Password is blank.
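
For defenders, the steps above suggest a tamper check: record the value Word exports in <w:UnprotectPassword> when a document is protected, then later confirm that the same bytes are still present in the .doc. The Python below is an added example, not part of the original advisory; the function names and the sample data are constructed for illustration, and the byte layout is assumed from steps 4 to 6.

```python
import re

# Element written into a "Save As Web Page" export (step 4 above).
TAG_RE = re.compile(
    r"<w:UnprotectPassword>\s*([0-9A-Fa-f]{8})\s*</w:UnprotectPassword>")


def exported_value(html_text):
    """Return the 8-hex-digit protection value from an HTML export, or None."""
    match = TAG_RE.search(html_text)
    return match.group(1).upper() if match else None


def stored_form(value_hex):
    """Bytes as step 6 describes them in the .doc: the value in reverse byte order."""
    return bytes.fromhex(value_hex)[::-1]


def check_protection(doc_bytes, baseline_hex):
    """Compare a .doc against the value recorded when it was protected.

    Heuristic: a 4-byte sequence can also occur elsewhere in a file by
    chance, so "intact" means "no evidence of change", not proof.
    A legitimate password change also yields "changed-or-removed".
    """
    if stored_form(baseline_hex) in doc_bytes:
        return "intact"
    return "changed-or-removed"


# Constructed sample data (not taken from a real document).
SAMPLE_HTML = ("<w:WordDocument>\n"
               " <w:UnprotectPassword>ABCDEF01</w:UnprotectPassword>\n"
               "</w:WordDocument>")
ORIGINAL_DOC = b"\xd0\xcf\x11\xe0" + b"A" * 32 + b"\x01\xef\xcd\xab" + b"B" * 32
ZEROED_DOC = b"\xd0\xcf\x11\xe0" + b"A" * 32 + b"\x00\x00\x00\x00" + b"B" * 32


def demo():
    baseline = exported_value(SAMPLE_HTML)  # recorded at protection time
    return {
        "baseline": baseline,
        "original": check_protection(ORIGINAL_DOC, baseline),
        "zeroed": check_protection(ZEROED_DOC, baseline),
    }


if __name__ == "__main__":
    print(demo())
```
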

 

VENDOR RESPONSE

 

Microsoft has been notified.

 

CREDIT

Discovered by Thorsten Delbrouck.

TAGS: Security