Affects: Microsoft Office 2007 (12.0.6015.5000)
MSO (12.0.6017.5000)
possibly older versions
I. Background
Microsoft Office is a suite containing several programs to
handle Office documents like text documents or spreadsheets.
The latest version uses an XML based document format.
Microsoft Office allows documents to be digitally signed by
authors using certified keys, allowing viewers to verify the
integrity and the origin based on the author's public key.
The author's public key certificate, which can come from a
trusted third party, is embedded in the signed document.
It is XML DSig based.
II. Problem Description
Microsoft Office documents can carry URLs as clickable
references. The target of URLs given in the document
are stored in word/_rels/document.xml.rels inside
the OOXML ZIP container. Inside you will see the
hyperlink, referenced by an internal ID and the target.
The target can be changed without invalidating the signature.
At least in the GUI a hyperlink's target is shown to the user.
Neverthe less the signature does not revel that it has been
changed without the signer's knowledge.
III. Impact
An attacker can change the target of hyperlinks contained in
signed documents, hoping to induce trust to the linked sites,
or otherwise deceive the user.
III.1. Proof of Concept
Open the OOXML ZIP container of a signed document that contains
a hyperlink. Lokk for the original target values in the
word/_rels/document.xml.rels file.
For example set the target value between the colons to
to http://example.org.
The changes will result in the new target being displayed
when the document is opened in Office. Pressing Ctrl and clicking
the link will instruct the browser to open the changed URL set
as target. The signature remains valid.
IV. Workaround
The target of hyperlinks inside signed OOXML document
can be changed without invalidating the signature, thus
can not be trusted. Do not use the URL provided through the
hyperlink to open the webpage the signed document wants you
to open, instead try to deduce the URL from the signed document
content.
V. Solution
No possible solution.
VI. Correction details
A closer look into the references section of the XML signature
used by Microsoft Office (stored in the File
_xmlsignatures\sig1.xml) reveals that the file
word/_rels/document.xml.rels is in the list of references.
Nevertheless, changes are not covered by the signature.
If no implementation error is the case for this
behaviour, this can only be due to the applied transformation.
As a solution the scope of the signature needs to be extended
to cover all the relevant information contained in the whole
document, thus also the references in
word/_rels/document.xml.rels.
Include word/_rels/document.xml.rels, and probably other files
in the signature's list of references. And use transformations
that do not limit the signature's protection.
VII. Time line
2007-10-24: Vendor contacted
2007-10-25: Vendor acknowledged reception
2007-11-14: 1st Deadline due
2007-11-27: Reminder sent
2007-12-12: No response received until today
Yours,
Henrich C. Poehls, Dong Tran, Finn Petersen, Frederic Pscheid
SVS - Dept. of Informatics - University of Hamburg
