Reported January 4, 2004 by Thorsten Delbrouck.

 

 

VERSIONS AFFECTED

 

  • Microsoft Word 2003 and 2002 (XP)

 

DESCRIPTION

 

Microsoft Word contains a protection-bypass vulnerability. By performing a simple process (outlined in the demonstration below), a malicious user can unprotect a protected document without the use of a password cracker or other special tools.

DEMONSTRATION

The discoverer posted the following demonstration as proof of concept:

 

1.)    Open a protected document in Word.

2.)    Choose the Save As Web Page (*.htm; *.html) option and close Word.

3.)    Open the HTML document in any text editor.

4.)    Search for the <w:UnprotectPassword> tag; the line looks like: <w:UnprotectPassword>ABCDEF01</w:UnprotectPassword>. Note the password.

5.)    Open the original .doc document with any hex editor.

6.)    Search for the hex values of the password (in reverse order).

7.)    Overwrite all four double-bytes with 0x00. Save, and close.

8.)    Open the document in Word. Select Tools, Unprotect Document. Password is blank.
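
A defensive audit for the exposure in step 4, added here as an example and not part of the original advisory or the discoverer's post: it scans Word HTML exports for the <w:UnprotectPassword> element and reports the line where it appears without returning the value. The 8-hex-digit form is assumed from the sample line in step 4; the function names and sample inputs are constructed.

```python
import re
from pathlib import Path

# Element named in step 4 of the demonstration. The 8-hex-digit value form
# follows the page's sample line and is an assumption about real exports.
TAG_RE = re.compile(
    r"<w:UnprotectPassword>\s*[0-9A-Fa-f]{8}\s*</w:UnprotectPassword>",
    re.IGNORECASE,
)


def exposed_lines(html_text):
    """Return 1-based line numbers where the protection value is exposed.

    The value itself is deliberately neither returned nor logged.
    """
    return [
        html_text.count("\n", 0, m.start()) + 1
        for m in TAG_RE.finditer(html_text)
    ]


def audit_tree(root):
    """Scan *.htm / *.html files under root; map path -> exposed line numbers."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in {".htm", ".html"}:
            # Word exports are often not UTF-8; latin-1 never fails to decode.
            lines = exposed_lines(path.read_bytes().decode("latin-1"))
            if lines:
                findings[str(path)] = lines
    return findings


# Constructed sample inputs (not taken from a real document).
SAMPLE_EXPORT = """<html xmlns:w="urn:schemas-microsoft-com:office:word">
<head>
<!--[if gte mso 9]><xml>
 <w:WordDocument>
  <w:UnprotectPassword>ABCDEF01</w:UnprotectPassword>
 </w:WordDocument>
</xml><![endif]-->
</head><body><p>Form text</p></body></html>
"""
SAMPLE_CLEAN = "<html><body><p>No protection metadata here</p></body></html>\n"

if __name__ == "__main__":
    print(exposed_lines(SAMPLE_EXPORT), exposed_lines(SAMPLE_CLEAN))
```

Run audit_tree() over a web root or file share to find exported copies of protected documents that should be withdrawn or re-issued with a control that does not depend on Word's document protection.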

 

VENDOR RESPONSE

 

Microsoft (http://www.microsoft.com/) has been notified.

 

CREDIT

Discovered by Thorsten Delbrouck.