Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] MS Office 2007 Digital Signature does not Protect Meta-Data

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] MS Office 2007 Digital Signature does not Protect Meta-Data
Date: 12 Dec 2007 18:27:53 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  MS Office 2007 Digital Signature does not Protect Meta-Data
------------------------------------------------------------------------


SUMMARY

MS Office 2007 does not protect/sign the content of the data found in the 
core.xml file which is part of the data saved whenever MS Office 2007 is 
asked to save data in OOXML format, this allows attakers to spoof the data 
found in it - creator name, last modified date, etc - without invalidating 
the signature of the file.

DETAILS

Background:
Microsoft Office is a suite containing several programs to handle Office 
documents like text documents or spreadsheets. The latest version uses an 
XML based document format. Microsoft Office allows documents to be 
digitally signed by authors using certified keys, allowing viewers to 
verify the integrity and the origin based on the author's public key. The 
author's public key certificate, which can come from a trusted third 
party, is embedded in the signed document. It is XML DSig based.

Details:
Microsoft Office documents carry meta data information according to the 
DublinCore metadata in the file docProps/core.xml . Among these meta data 
information are the fields "LastModifiedBy", "creator" together with 
several others that can be displayed/changed through the following menu 
"Office Button -> Prepare -> Properties". These entries can be changed 
without invalidating the signature. At least under Windows Operating 
Systems these information are also shown in the Window's file systems 
properties.

Impact:
The meta data of signed Microsoft Office documents can be changed. An 
attacker can change the values to spoof the origin of signed documents, 
hoping to induce trust or otherwise deceive the user.

Proof of Concept
Open the OOXML ZIP container of a signed document. Change the values in 
the docProps/core.xml file.  For example set the value between 
"<dc:creator>*</dc:creator>" to "<dc:creator>FooBar</dc:creator>". The 
changes will be displayed in the document's properties dialog as described 
above. The signature will still be valid.

Workaround:
The meta data information of a signed OOXML document can be changed 
without invalidating the signature, thus information about the real author 
of a signed document can only be retrieved from the certificate. The 
signed file's meta data can not be trusted as the meta data is not covered 
by the signature.

Correction details:
A closer look into the references section of the XML signature used by 
Microsoft Office (stored in the File _xmlsignatures\sig1.xml) reveals that 
the file core.xml is not in the list of references. Thus it is not covered 
by the signature.

As a solution the scope of the signature needs to be extended to cover all 
the relevant information contained in the whole document, thus also the 
meta data in core.xml.

Include core.xml, and probably other files in the signature's list of 
references.

Disclosure Timeline:
2007-10-24: Vendor contacted
2007-10-25: Vendor acknowledged receipt
2007-11-14: 1st Deadline reached
2007-11-27: Reminder sent
2007-12-12: No response received until today


ADDITIONAL INFORMATION

The information has been provided by  
<mailto:poehls@informatik.uni-hamburg.de> Henrich C. Poehls.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] MS Office 2007 Digital Signature does not Protect Meta-Data, SecuriTeam <=
Previous by Date:  [NT] Microsoft Windows Message Queuing Service Stack Overflow Vulnerability, SecuriTeam
Next by Date:  [REVS] Securing and Hardening Linux Paper, SecuriTeam
Previous by Thread:  [NT] Microsoft Windows Message Queuing Service Stack Overflow Vulnerability, SecuriTeam
Next by Thread:  [REVS] Securing and Hardening Linux Paper, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]