what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

msoffice-hyper.txt

msoffice-hyper.txt
Posted Dec 13, 2007
Authored by Henrich C. Poehls, Dong Tran, Finn Petersen, Frederic Pscheid

Microsoft Office 2007 fails to protect hyperlinks with the use of digital signatures on a document.

tags | advisory
SHA-256 | bca868f38217254076e297323a9729c6d95e47c979e1765c6880bc24451f68fc

msoffice-hyper.txt

Change Mirror Download
Affects: Microsoft Office 2007 (12.0.6015.5000) 
MSO (12.0.6017.5000)
possibly older versions


I. Background

Microsoft Office is a suite containing several programs to
handle Office documents like text documents or spreadsheets.
The latest version uses an XML based document format.
Microsoft Office allows documents to be digitally signed by
authors using certified keys, allowing viewers to verify the
integrity and the origin based on the author's public key.
The author's public key certificate, which can come from a
trusted third party, is embedded in the signed document.
It is XML DSig based.


II. Problem Description

Microsoft Office documents can carry URLs as clickable
references. The target of URLs given in the document
are stored in word/_rels/document.xml.rels inside
the OOXML ZIP container. Inside you will see the
hyperlink, referenced by an internal ID and the target.
The target can be changed without invalidating the signature.
At least in the GUI a hyperlink's target is shown to the user.
Neverthe less the signature does not revel that it has been
changed without the signer's knowledge.


III. Impact

An attacker can change the target of hyperlinks contained in
signed documents, hoping to induce trust to the linked sites,
or otherwise deceive the user.

III.1. Proof of Concept

Open the OOXML ZIP container of a signed document that contains
a hyperlink. Lokk for the original target values in the
word/_rels/document.xml.rels file.
For example set the target value between the colons to
to http://example.org.
The changes will result in the new target being displayed
when the document is opened in Office. Pressing Ctrl and clicking
the link will instruct the browser to open the changed URL set
as target. The signature remains valid.


IV. Workaround

The target of hyperlinks inside signed OOXML document
can be changed without invalidating the signature, thus
can not be trusted. Do not use the URL provided through the
hyperlink to open the webpage the signed document wants you
to open, instead try to deduce the URL from the signed document
content.


V. Solution

No possible solution.


VI. Correction details

A closer look into the references section of the XML signature
used by Microsoft Office (stored in the File
_xmlsignatures\sig1.xml) reveals that the file
word/_rels/document.xml.rels is in the list of references.
Nevertheless, changes are not covered by the signature.
If no implementation error is the case for this
behaviour, this can only be due to the applied transformation.

As a solution the scope of the signature needs to be extended
to cover all the relevant information contained in the whole
document, thus also the references in
word/_rels/document.xml.rels.

Include word/_rels/document.xml.rels, and probably other files
in the signature's list of references. And use transformations
that do not limit the signature's protection.

VII. Time line

2007-10-24: Vendor contacted
2007-10-25: Vendor acknowledged reception
2007-11-14: 1st Deadline due
2007-11-27: Reminder sent
2007-12-12: No response received until today



Yours,
Henrich C. Poehls, Dong Tran, Finn Petersen, Frederic Pscheid
SVS - Dept. of Informatics - University of Hamburg
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close