[guru] [poehls@informatik.uni-hamburg.de: MS Office 2007: Digital Signature does not protect Meta-Data]
DATE: Tue, 08 Jan 2008 10:24:57 +0100
A Microsoft Office legutóbbi verziója XML-alapú dokumentumformátumot
használ. A dokumentumk digitálisan aláírhatók hitelesített kulccsal, a
dokumentum szerzőjének nyilvános kulcs tanúsítványa az aláírt dokumentumba
van ágyazva. A Microsoft e célra XML DSig alapú eljárást használ.
A Microsoft Office dokumentumok által tárolt metaadatok a docProps/core.xml
file-ban találhatók az XML konténeren belül, azonban ezt a digitális
aláírás nem fedi le. Így például a dokumentum szerzőjére, keletkezési és
utolsó módosítási időpontjára vonatkozó mezők anélkül megváltoztathatók,
hogy az aláírás invaliddá válna.
Hasonló a helyzet a dokumentumokba ágyazott URL-ekkel is: az URL-ek által
hivatkozott tartalmak változása is rejtve marad.
--- Begin Message ---
Affects: Microsoft Office 2007 (12.0.6015.5000)
MSO (12.0.6017.5000)
possibly older versions
I. Background
Microsoft Office is a suite containing several programs to
handle Office documents like text documents or spreadsheets.
The latest version uses an XML based document format.
Microsoft Office allows documents to be digitally signed by
authors using certified keys, allowing viewers to verify the
integrity and the origin based on the author's public key.
The author's public key certificate, which can come from a
trusted third party, is embedded in the signed document.
It is XML DSig based.
II. Problem Description
Microsoft Office documents carry meta data information
according to the DublinCore metadata in the file
docProps/core.xml . Among these meta data information
are the fields "LastModifiedBy", "creator" together with
several others that can be displayed/changed through the
following menu "Office Button -> Prepare -> Properties".
These entries can be changed without invalidating the signature.
At least under Windows Operating Systems these information are
also shown in the Window's file systems properties.
III. Impact
The meta data of signed Microsoft Office documents can be
changed. An attacker can change the values to spoof the origin
of signed documents, hoping to induce trust or otherwise
deceive the user.
III.1. Proof of Concept
Open the OOXML ZIP container of a signed document.
Change the values in the docProps/core.xml file.
For example set the value between "<dc:creator>*</dc:creator>"
to "<dc:creator>FooBar</dc:creator>".
The changes will be displayed in the document's properties
dialog as described above. The signature will still be valid.
IV. Workaround
The meta data information of a signed OOXML document
can be changed without invalidating the signature, thus
information about the real author of a signed document can
only be retrieved from the certificate.
The signed file's meta data can not be trusted as the
meta data is not covered by the signature.
V. Solution
No possible solution.
VI. Correction details
A closer look into the references section of the XML signature
used by Microsoft Office (stored in the File
_xmlsignatures\sig1.xml) reveals that the file core.xml is
not in the list of references. Thus it is not covered by the
signature.
As a solution the scope of the signature needs to be extended
to cover all the relevant information contained in the whole
document, thus also the meta data in core.xml.
Include core.xml, and probably other files in the signature's
list of references.
VII. Time line
2007-10-24: Vendor contacted
2007-10-25: Vendor acknowledged receipt
2007-11-14: 1st Deadline reached
2007-11-27: Reminder sent
2007-12-12: No response received until today
Yours,
Henrich C. Poehls, Dong Tran, Finn Petersen, Frederic Pscheid
SVS - Dept. of Informatics - University of Hamburg
--- End Message ---
--- Begin Message ---
Dear Mr. Poehls,
I think Microsoft does not consider metadata attached to a document as part of the document and so they decided not to include it in the content protected by the certificate.
This fits the way we use attaching metadata during the process of categorization to enable retrieval of a document by means and taxonomies of the recipient, not of the author. If instead, as you seem to propose, metadata would be treated as part of the document, attaching the metadata needed for retrieval purposes would invalidate the signature of the document.
Therefore this time I would go with Microsoft for their solution fits our needs and doesn't compromise the integrity protection of the document itself in any serious way. Just think of it as a sticker placed on the outside of a sealed envelope: You mustn't trust anything on the outside, just look inside the envelope to find the information you can rely on.
Yours
H.-D. Naujoks
TÜV SÜD Informatik und Consulting Services GmbH
-----Ursprüngliche Nachricht-----
Von: poehls@informatik.uni-hamburg.de [mailto:poehls@informatik.uni-hamburg.de]
Gesendet: Mittwoch, 12. Dezember 2007 11:35
An: bugtraq@securityfocus.com
Betreff: MS Office 2007: Digital Signature does not protect Meta-Data
Affects: Microsoft Office 2007 (12.0.6015.5000)
MSO (12.0.6017.5000)
possibly older versions
I. Background
Microsoft Office is a suite containing several programs to
handle Office documents like text documents or spreadsheets.
The latest version uses an XML based document format.
Microsoft Office allows documents to be digitally signed by
authors using certified keys, allowing viewers to verify the
integrity and the origin based on the author's public key.
The author's public key certificate, which can come from a
trusted third party, is embedded in the signed document.
It is XML DSig based.
II. Problem Description
Microsoft Office documents carry meta data information
according to the DublinCore metadata in the file
docProps/core.xml . Among these meta data information
are the fields "LastModifiedBy", "creator" together with
several others that can be displayed/changed through the
following menu "Office Button -> Prepare -> Properties".
These entries can be changed without invalidating the signature.
At least under Windows Operating Systems these information are
also shown in the Window's file systems properties.
III. Impact
The meta data of signed Microsoft Office documents can be
changed. An attacker can change the values to spoof the origin
of signed documents, hoping to induce trust or otherwise
deceive the user.
III.1. Proof of Concept
Open the OOXML ZIP container of a signed document.
Change the values in the docProps/core.xml file.
For example set the value between "<dc:creator>*</dc:creator>"
to "<dc:creator>FooBar</dc:creator>".
The changes will be displayed in the document's properties
dialog as described above. The signature will still be valid.
IV. Workaround
The meta data information of a signed OOXML document
can be changed without invalidating the signature, thus
information about the real author of a signed document can
only be retrieved from the certificate.
The signed file's meta data can not be trusted as the
meta data is not covered by the signature.
V. Solution
No possible solution.
VI. Correction details
A closer look into the references section of the XML signature
used by Microsoft Office (stored in the File
_xmlsignatures\sig1.xml) reveals that the file core.xml is
not in the list of references. Thus it is not covered by the
signature.
As a solution the scope of the signature needs to be extended
to cover all the relevant information contained in the whole
document, thus also the meta data in core.xml.
Include core.xml, and probably other files in the signature's
list of references.
VII. Time line
2007-10-24: Vendor contacted
2007-10-25: Vendor acknowledged receipt
2007-11-14: 1st Deadline reached
2007-11-27: Reminder sent
2007-12-12: No response received until today
Yours,
Henrich C. Poehls, Dong Tran, Finn Petersen, Frederic Pscheid
SVS - Dept. of Informatics - University of Hamburg
--- End Message ---
--- Begin Message ---
Affects: Microsoft Office 2007 (12.0.6015.5000)
MSO (12.0.6017.5000)
possibly older versions
I. Background
Microsoft Office is a suite containing several programs to
handle Office documents like text documents or spreadsheets.
The latest version uses an XML based document format.
Microsoft Office allows documents to be digitally signed by
authors using certified keys, allowing viewers to verify the
integrity and the origin based on the author's public key.
The author's public key certificate, which can come from a
trusted third party, is embedded in the signed document.
It is XML DSig based.
II. Problem Description
Microsoft Office documents can carry URLs as clickable
references. The target of URLs given in the document
are stored in word/_rels/document.xml.rels inside
the OOXML ZIP container. Inside you will see the
hyperlink, referenced by an internal ID and the target.
The target can be changed without invalidating the signature.
At least in the GUI a hyperlink's target is shown to the user.
Neverthe less the signature does not revel that it has been
changed without the signer's knowledge.
III. Impact
An attacker can change the target of hyperlinks contained in
signed documents, hoping to induce trust to the linked sites,
or otherwise deceive the user.
III.1. Proof of Concept
Open the OOXML ZIP container of a signed document that contains
a hyperlink. Lokk for the original target values in the
word/_rels/document.xml.rels file.
For example set the target value between the colons to
to http://example.org.
The changes will result in the new target being displayed
when the document is opened in Office. Pressing Ctrl and clicking
the link will instruct the browser to open the changed URL set
as target. The signature remains valid.
IV. Workaround
The target of hyperlinks inside signed OOXML document
can be changed without invalidating the signature, thus
can not be trusted. Do not use the URL provided through the
hyperlink to open the webpage the signed document wants you
to open, instead try to deduce the URL from the signed document
content.
V. Solution
No possible solution.
VI. Correction details
A closer look into the references section of the XML signature
used by Microsoft Office (stored in the File
_xmlsignatures\sig1.xml) reveals that the file
word/_rels/document.xml.rels is in the list of references.
Nevertheless, changes are not covered by the signature.
If no implementation error is the case for this
behaviour, this can only be due to the applied transformation.
As a solution the scope of the signature needs to be extended
to cover all the relevant information contained in the whole
document, thus also the references in
word/_rels/document.xml.rels.
Include word/_rels/document.xml.rels, and probably other files
in the signature's list of references. And use transformations
that do not limit the signature's protection.
VII. Time line
2007-10-24: Vendor contacted
2007-10-25: Vendor acknowledged reception
2007-11-14: 1st Deadline due
2007-11-27: Reminder sent
2007-12-12: No response received until today
Yours,
Henrich C. Poehls, Dong Tran, Finn Petersen, Frederic Pscheid
SVS - Dept. of Informatics - University of Hamburg
--- End Message ---