|
|
|
|
| |
| MS Office 2007 does not protect/sign the content of the data found in the core.xml file which is part of the data saved whenever MS Office 2007 is asked to save data in OOXML format, this allows attakers to spoof the data found in it - creator name, last modified date, etc - without invalidating the signature of the file. |
| |
Credit:
The information has been provided by Henrich C. Poehls.
|
| |
Background:
Microsoft Office is a suite containing several programs to handle Office documents like text documents or spreadsheets. The latest version uses an XML based document format. Microsoft Office allows documents to be digitally signed by authors using certified keys, allowing viewers to verify the integrity and the origin based on the author's public key. The author's public key certificate, which can come from a trusted third party, is embedded in the signed document. It is XML DSig based.
Details:
Microsoft Office documents carry meta data information according to the DublinCore metadata in the file docProps/core.xml . Among these meta data information are the fields "LastModifiedBy", "creator" together with several others that can be displayed/changed through the following menu "Office Button -> Prepare -> Properties". These entries can be changed without invalidating the signature. At least under Windows Operating Systems these information are also shown in the Window's file systems properties.
Impact:
The meta data of signed Microsoft Office documents can be changed. An attacker can change the values to spoof the origin of signed documents, hoping to induce trust or otherwise deceive the user.
Proof of Concept
Open the OOXML ZIP container of a signed document. Change the values in the docProps/core.xml file. For example set the value between "<dc:creator>*</dc:creator>" to "<dc:creator>FooBar</dc:creator>". The changes will be displayed in the document's properties dialog as described above. The signature will still be valid.
Workaround:
The meta data information of a signed OOXML document can be changed without invalidating the signature, thus information about the real author of a signed document can only be retrieved from the certificate. The signed file's meta data can not be trusted as the meta data is not covered by the signature.
Correction details:
A closer look into the references section of the XML signature used by Microsoft Office (stored in the File _xmlsignatures\sig1.xml) reveals that the file core.xml is not in the list of references. Thus it is not covered by the signature.
As a solution the scope of the signature needs to be extended to cover all the relevant information contained in the whole document, thus also the meta data in core.xml.
Include core.xml, and probably other files in the signature's list of references.
Disclosure Timeline:
2007-10-24: Vendor contacted
2007-10-25: Vendor acknowledged receipt
2007-11-14: 1st Deadline reached
2007-11-27: Reminder sent
2007-12-12: No response received until today
|
|
|
|
|
