Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:18656
HistoryDec 16, 2007 - 12:00 a.m.

MS Office 2007: Target of Hyperlinks not covered by Digital Signatures

2007-12-1600:00:00
vulners.com
166

Affects: Microsoft Office 2007 (12.0.6015.5000)
MSO (12.0.6017.5000)
possibly older versions

I. Background

Microsoft Office is a suite containing several programs to
handle Office documents like text documents or spreadsheets.
The latest version uses an XML based document format.
Microsoft Office allows documents to be digitally signed by
authors using certified keys, allowing viewers to verify the
integrity and the origin based on the author's public key.
The author's public key certificate, which can come from a
trusted third party, is embedded in the signed document.
It is XML DSig based.

II. Problem Description

Microsoft Office documents can carry URLs as clickable
references. The target of URLs given in the document
are stored in word/_rels/document.xml.rels inside
the OOXML ZIP container. Inside you will see the
hyperlink, referenced by an internal ID and the target.
The target can be changed without invalidating the signature.
At least in the GUI a hyperlink's target is shown to the user.
Neverthe less the signature does not revel that it has been
changed without the signer's knowledge.

III. Impact

An attacker can change the target of hyperlinks contained in
signed documents, hoping to induce trust to the linked sites,
or otherwise deceive the user.

III.1. Proof of Concept

Open the OOXML ZIP container of a signed document that contains
a hyperlink. Lokk for the original target values in the
word/_rels/document.xml.rels file.
For example set the target value between the colons to
to http://example.org.
The changes will result in the new target being displayed
when the document is opened in Office. Pressing Ctrl and clicking
the link will instruct the browser to open the changed URL set
as target. The signature remains valid.

IV. Workaround

The target of hyperlinks inside signed OOXML document
can be changed without invalidating the signature, thus
can not be trusted. Do not use the URL provided through the
hyperlink to open the webpage the signed document wants you
to open, instead try to deduce the URL from the signed document
content.

V. Solution

No possible solution.

VI. Correction details

A closer look into the references section of the XML signature
used by Microsoft Office (stored in the File
_xmlsignatures\sig1.xml) reveals that the file
word/_rels/document.xml.rels is in the list of references.
Nevertheless, changes are not covered by the signature.
If no implementation error is the case for this
behaviour, this can only be due to the applied transformation.

As a solution the scope of the signature needs to be extended
to cover all the relevant information contained in the whole
document, thus also the references in
word/_rels/document.xml.rels.

Include word/_rels/document.xml.rels, and probably other files
in the signature's list of references. And use transformations
that do not limit the signature's protection.

VII. Time line

2007-10-24: Vendor contacted
2007-10-25: Vendor acknowledged reception
2007-11-14: 1st Deadline due
2007-11-27: Reminder sent
2007-12-12: No response received until today

Yours,
Henrich C. Poehls, Dong Tran, Finn Petersen, Frederic Pscheid
SVS - Dept. of Informatics - University of Hamburg