Steganography with ooXML (zip) - abusing zip structures

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.

paulandrewsfca
Member
 

Re: Steganography with ooXML (zip) - abusing zip structures

Post Posted: Dec 07, 11 20:19

Hi Joakim

Downloaded the file, ran through your steps and everything worked as it should! Nice little experiment!

As the 'encryption' of a .docx/xlsx/pptx file basically turns the file into the old .doc/xls/ppt format, it would be interesting to know if this same trick works on old 'encrypted' Office files too?

Regards
Paul  
 
  

ForensicRob
Member
 

Re: Steganography with ooXML (zip) - abusing zip structures

Post Posted: Dec 07, 11 21:20

In January I gave a presentation (http://www.slideshare.net/rzirnste/dark-data-hiding-in-your-records-opportunity-or-danger) that talked about places that data can be hidden. On slide 12, I talked about adding files to an MS Word 2007 document without causing errors. Here are the slide notes:

Step 1: Rename the file to be smuggled to ‘document.xml’ (I used a simple text file)
Step 2: Rename Word.docx to Word.zip
Step 3: Open Word.zip with WinZip
Step 4: Add the new smuggled ‘document.xml’ to Word.zip (in the root)
Step 5: Rename Word.zip to Word.docx

The key was to pick a filename that normally appears in a .docx file, but put it in a different folder so that it isn't read by MS Word. MS Word appears to watch for invalid filenames but not for invalid file locations. The point of this exercise was to show how simple it is, for even novice users, to hide data in an MS Office document.

We've found that 50+ file types are using the Zip format to store their data. You can find a list of these file types at www.forensicinnovation...ts-fe.html They are the entries that use our 'archive' library.

There are many file types that can use these methods for steganography.
_________________
Rob Zirnstein
President
Forensic Innovations, Inc.
www.ForensicInnovations.com
Rob.Zirnstein @ ForensicInnovations.com 


Last edited by ForensicRob on Dec 08, 11 02:34; edited 1 time in total
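As an added example (not code from this thread, from Forensic Innovations or from joakims' tools), a Python check for the two package-level gaps raised here and in the signature discussion further down: entries that no relationship chain from _rels/.rels reaches (a valid filename dropped into the wrong folder, as in the slide notes above) and entries that no <Reference> in an OPC signature part covers, [Content_Types].xml included. The sample package it builds is constructed in memory; its relationship Type values and content types are placeholders.

```python
import io
import posixpath
import xml.etree.ElementTree as ET
import zipfile

def reachable_parts(z):  # walk the OPC relationship graph from /_rels/.rels; return every part it reaches
    seen, todo = set(), ["/"]
    while todo:
        src = todo.pop()
        d, b = posixpath.split(src)
        rels = posixpath.join(d, "_rels", b + ".rels")  # "/word/document.xml" -> "/word/_rels/document.xml.rels"
        if rels.lstrip("/") not in z.namelist():
            continue
        seen.add(rels)
        for el in ET.fromstring(z.read(rels.lstrip("/"))).iter():
            if el.tag.endswith("}Relationship") and el.get("TargetMode") != "External":
                target = posixpath.normpath(posixpath.join(d, el.get("Target")))
                if target not in seen:
                    seen.add(target)
                    todo.append(target)
    return seen

def signed_parts(z):  # parts named by <Reference URI="/..."> in _xmlsignatures/sig*.xml (query string dropped)
    refs = set()
    for n in z.namelist():
        if n.startswith("_xmlsignatures/sig") and n.endswith(".xml"):
            for el in ET.fromstring(z.read(n)).iter():
                if el.tag.endswith("}Reference") and el.get("URI", "#").startswith("/"):
                    refs.add(el.get("URI").split("?")[0])
    return refs

def audit(data):  # -> (orphans, unsigned): entries no relationship reaches / no signature Reference covers
    z = zipfile.ZipFile(io.BytesIO(data))
    names = {"/" + n for n in z.namelist() if not n.endswith("/")}
    orphans = names - reachable_parts(z) - {"/[Content_Types].xml"}  # [Content_Types].xml is never a rels target
    unsigned = {n for n in names - signed_parts(z) if not n.startswith("/_xmlsignatures/")}  # unsigned package: all
    return sorted(orphans), sorted(unsigned)

def build_sample():  # constructed package (not a real Office file): signed docx plus a smuggled root-level document.xml
    rel = lambda *t: '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">' + "".join(f'<Relationship Id="r{i}" Type="t" Target="{x}"/>' for i, x in enumerate(t)) + "</Relationships>"
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as z:
        z.writestr("[Content_Types].xml", '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="xml" ContentType="application/xml"/></Types>')
        z.writestr("_rels/.rels", rel("word/document.xml", "_xmlsignatures/origin.sigs"))
        z.writestr("word/document.xml", "<document/>")
        z.writestr("_xmlsignatures/origin.sigs", "")
        z.writestr("_xmlsignatures/_rels/origin.sigs.rels", rel("sig1.xml"))
        z.writestr("_xmlsignatures/sig1.xml", '<Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><Object><Manifest><Reference URI="/_rels/.rels?ContentType=application/vnd.openxmlformats-package.relationships+xml"/><Reference URI="/word/document.xml?ContentType=application/xml"/></Manifest></Object></Signature>')
        z.writestr("document.xml", "smuggled payload")  # valid name, wrong folder: the slide-12 trick
    return buf.getvalue()
```

Running audit(build_sample()) reports /document.xml as unreachable and both /[Content_Types].xml and /document.xml as outside the signature, which is exactly the gap the signature discussion below describes.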
 
  

jaclaz
Senior Member
 

Re: Steganography with ooXML (zip) - abusing zip structures

Post Posted: Dec 08, 11 02:27

@ForensicRob
The board software parsed the final full stop as part of the url, so the link is NOT clickable, here it is corrected:
www.forensicinnovation...ts-fe.html

@joakims
Congratulations, you made me do something I would never have thought possible: actually regret (temporarily and ONLY for this particular instance) that I don't use the 2007 or 2010 version of MS Office, and I cannot test your nice approach.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

joakims
Senior Member
 

Re: Steganography with ooXML (zip) - abusing zip structures

Post Posted: Dec 08, 11 15:21

@paulandrewsfca
The encryption header is created differently on previous versions, and I have not managed to reproduce it on 2003 or earlier.

@ForensicRob
That is one of those things initially excluded from the thread as it's already "widely" discussed. But it now catches my interest again when bringing digital signatures into the case. Ideally, I would say, the signature's purpose would be the verification of the integrity of the whole document (or at least as much as possible). The way the signing of documents in Office 2007/2010 has been implemented is flawed by design. The 2 main issues as I see it:

1. The signature does not protect all files in the ooXML document (and most importantly [Content_Types].xml).
2. The signature is applied before the final packaging (and not after).

Because of these 2 points, there exist too many ways to hide data in signed documents. However, the actual heart of the document (document.xml for docx), is of course still protected and can't be modified. Unless, you manage to implement 2 sets of .rels files, something I've already tried without success. The unprotected [Content_Types].xml is a potential big issue here.

Comparing against Authenticode signed executables (which also can contain hidden data), the signing of documents certainly has a few shortcomings.
_________________
Joakim Schicht

github.com/jschicht 
 
  

joakims
Senior Member
 

Re: Steganography with ooXML (zip) - abusing zip structures

Post Posted: Dec 13, 11 04:36

I wrote 2 applications to prove the point I made about the signature in sig1.xml. Try it out and see. Strange that the signature is still valid, right?

A good explanation is in the included readme. Download: www.mediafire.com/?yo61dckenb1dxeo

The only way to identify it is by carefully evaluating the XML tags. Strange that these tags don't trigger any alert message:



Internal zip timestamps will not tell much:



The data is compressed and encoded, and the extractor will autodetect content (since the custom tags are hardcoded).
_________________
Joakim Schicht

github.com/jschicht 


Last edited by joakims on Dec 14, 11 20:15; edited 1 time in total
 
  

joakims
Senior Member
 

Re: Steganography with ooXML (zip) - abusing zip structures

Post Posted: Dec 14, 11 03:52

I also whipped together more code to perform the "invisible docx trick"; www.mediafire.com/?6e6y4vxb4tou5fo

From the readme:


These tools implement a tiny nice trick that fools Word when opening encrypted documents. Specifically there appears to be a flaw in Word 2007/2010 that fails to identify certain erroneous crypt headers. This flaw will decrypt the docx and open what appears to be an empty document, when the actual document is kept "invisible". And of course no error message is presented with any indication that anything might be wrong. The flaw affects Word 2007 and 2010, and I have tried both Norwegian and English versions. The document must be first encrypted in 2007 for the trick to work. In 2010 the crypt header changed and the trick no longer works. That means:

- A docx encrypted in 2007 will have the trick work in both 2007 and 2010.
- A docx encrypted in 2007 and later saved/modified in 2010, will have the trick work in both 2007 and 2010.
- A docx encrypted in 2010 will not have the trick in either 2007 or 2010.

Excel and PowerPoint seem not affected by the flaw.

So what is the trick?
It is simply a matter of injecting 00's right before the crypted data. Testing reveals that a minimum of 8 bytes must be injected (i.e. 7 bytes will trigger an error message).

For what use?
Hide your original docx. If asked for password, give it and an empty document is all that shows up. Anyways, a funny trick.

Note:
If you open and save the "empty" document, the original document will be lost. If the encrypted docx is also digitally signed, the trick will not work.

Usage:
The hider is console compiled and can take 2 parameters. First is a valid docx file path, and the second is the number of bytes to inject. If not used from command line, just double click and a file-open dialog will be presented (a default of 16 bytes is injected if params are not used). Example:

CryptedDocxHider.exe "%CD%\mytest.docx" 32
CryptedDocxHider.exe D:\tmp\mytest.docx 8

The unhider is similarly compiled, but does not take a second parameter. I.e. 1 param is needed and it must be the full path to your docx. Or just double click the exe and a file-open dialog will be opened. Example:

CryptedDocxUnHider.exe D:\tmp\mytest.docx

Just note that any error messages will not be seen if the exe's are not run from command line.

_________________
Joakim Schicht

github.com/jschicht 
 

Page 3 of 3