Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:13051
HistoryJun 09, 2006 - 12:00 a.m.

Mathcad Area Lock Vulnerability

2006-06-0900:00:00
vulners.com
1160

Description of Vulnerability

One of the features of Mathcad (www.mathsoft.com) is allowing the user to define ‘Areas’. Mathsoft say
that ‘You can use areas to protect, lock, or hide information or equations in your worksheets’ and that
‘You can also protect the contents within the area, so no one else can edit them’.

Whilst this is true, it is also very easy to unlock these Areas without needing the password. In the
newer versions of Mathcad (12 onwards) the sheets are stored in XML format. This provides an easy means
of altering the Mathcad sheet, as it is simply plain text. There are 4 vulnerabilities in the way the
Area locks work:

  1.  Password - This attribute is stored as a hashed text string. However the hashes produced for
    

the same word on different sheets are always identical. For example "XfAPUVYgXPg=" represents the
string "password", and could be used in any sheet. So it is possible to create another Mathcad sheet,
lock an Area with a known password and then use a text editor to copy and paste the known password over
the unknown one.
2. Timestamp - Like the password string, this can also be changed to be any value. So the sheet
could be unlocked, modified, relocked and then the date of the relocking could be changed to be the
original lock date.
3. Complete removal of lock - Inside the Area tag there are is an ‘is-locked’ attribute. When a
lock has been enabled this is set to true. However to remove the lock all that needs to be done is
change this value to false. Out of completeness the ‘timestamp’ attribute should be changed to an empty
string and then the ‘password’ attribute removed. Although these last two changes are not needed to
unlock the Area.
4. Protection can be bypassed completely - The data stored in the locked area can also be viewed
in a text editor. So this could also be copied and pasted into another sheet, without the lock
protection section.

Affected Versions

12,
13,
13.1
(all prior ones are not vulnerable)

Exploit PoC

None required, use a text editor.