Steganography with ooXML (zip) - abusing zip structures


jaclaz
Senior Member
 

Re: Steganography with ooXML (zip) - abusing zip structures

Post Posted: Dec 05, 11 19:16

- joakims
And to add even more to it: If the (Office 2007/2010) document is both encrypted and signed by the built-in functionality, data can still be hidden without invalidating the signature or even making Office complain about the file's integrity. Simply add the data to EOF! Seems like many places in such encrypted documents are not properly evaluated, including the header too!!

If I get it right, this means that if one does:

Code:
COPY /B myofficedoc.xlsx + myhidden.txt 

will produce a still valid myofficedoc.xlsx but with the contents of myhidden.txt added to it?

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

joakims
Senior Member
 

Re: Steganography with ooXML (zip) - abusing zip structures

Post Posted: Dec 05, 11 20:34

- jaclaz
If I get it right, this means that if one does:

Code:
COPY /B myofficedoc.xlsx + myhidden.txt 

will produce a still valid myofficedoc.xlsx but with the contents of myhidden.txt added to it?


That's true if myofficedoc.xlsx is encrypted.
_________________
Joakim Schicht

github.com/jschicht 
 
  

jaclaz
Senior Member
 

Re: Steganography with ooXML (zip) - abusing zip structures

Post Posted: Dec 06, 11 00:46

- joakims


That's true if myofficedoc.xlsx is encrypted.


Yep, of course.
I was thinking of something "hooking" the encrypting command and silently adding the whole doc unencrypted at the end, just for the fun of it (and to show how security is something too important to leave it in the hands of the otherwise good MS guys).

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

joakims
Senior Member
 

Re: Steganography with ooXML (zip) - abusing zip structures

Post Posted: Dec 06, 11 04:16

Here is an interesting exercise for the people on this forum:

Requirements: Office 2007 (maybe 2010 works too)
Document download: www.mediafire.com/?4xsp2fw24alhxp7

Open the linked document named joakim.docx and open it. It is encrypted by Office's built-in functionality and the password is "joakim". If everything goes well, you will successfully decrypt and open the docx, just to find an empty document. Ohh, what a crappy exercise!

Hehe. Now comes the interesting part:

Open the file in a hex editor and locate offset 0x1010, which is the beginning of the actual encrypted part. Now remove 16 bytes of 00's prior to that so that the start of the encrypted data is at 0x1000, and save the file. Reopen the document...

Ooops!
_________________
Joakim Schicht

github.com/jschicht 
 
  

joakims
Senior Member
 

Re: Steganography with ooXML (zip) - abusing zip structures

Post Posted: Dec 06, 11 14:41

If everything goes well, you should see 2 different documents within the same docx! Point is, there is no empty document, but Word interprets it as empty when the header is modified! So if you remove the 16 bytes at 0x1000, Word should see the actual and non-empty document. On my side it works on Office 2007 SP2 Norwegian.

Would be nice if those that try it could report what happened.
_________________
Joakim Schicht

github.com/jschicht 
 
  

joakims
Senior Member
 

Re: Steganography with ooXML (zip) - abusing zip structures

Post Posted: Dec 07, 11 04:07

I feel very convinced that it is a flawed implementation in Word 2007 and 2010, when handling encrypted documents. I have tried with Norwegian Office/Word 2007 SP2 and English Office/Word 2010 and it behaves similarly. Instead of throwing an error for corrupted header or corrupted data, it will decrypt the document (if pass is correct though), but will show an empty document without any indication of any possible issue/error! That's a pretty nice trick to hide your secret docx. The issue seems not to affect Excel or Powerpoint. A little note though: The docx must first be created/encrypted by Word 2007. The encryption scheme changed in 2010 and the trick will most likely not work. But one can create an encrypted docx in 2007 and then continue working in 2010 with it, and the method will still work (with a tiny extra modification needed in header).

As mentioned a few posts ago, stuff can be added at EOF on encrypted docx, xlsx and pptx. In Office 2010 with the new encryption scheme, this really turned into a nightmare from a CF examiner's point of view. In 2007, 00's were used to fill up data to a 0x200 page alignment. In 2010, the data behind the encrypted data is still not evaluated, but now random data is written instead of 00's. So in 2010, one can't really distinguish between default generated data and hidden data. At least you could do so in 2007. Btw, the page alignment is not evaluated anyway. I guess the good MS guys have a few things to improve here..

And I guess it's time for another PoC..
_________________
Joakim Schicht

github.com/jschicht 
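
An examiner-side check for the appended-at-EOF case discussed in this post, as an added example (not code from the thread's posters): password-protected Office 2007/2010 files are stored in an OLE compound file rather than a plain zip, so the bytes lying past the last sector the FAT marks as used can be measured and inspected. The function names and the sample container are constructed for illustration, and only the 109 FAT locations held in the header are read, so very large files are out of scope.

```python
import struct

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
FREESECT = 0xFFFFFFFF

def cfb_tail(data: bytes) -> dict:
    """Measure the bytes that follow the last sector the FAT marks as in use."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    n_fat = struct.unpack_from("<I", data, 0x2C)[0]
    # Assumption: every FAT sector is listed in the header DIFAT (109 slots).
    difat = struct.unpack_from("<109I", data, 0x4C)
    fat = []
    for sector in (s for s in difat[:n_fat] if s != FREESECT):
        offset = (sector + 1) * sector_size   # sector 0 starts after the header
        fat.extend(struct.unpack_from(f"<{sector_size // 4}I", data, offset))
    used = [i for i, entry in enumerate(fat) if entry != FREESECT]
    end = (max(used) + 2) * sector_size if used else sector_size
    tail = data[end:]
    return {
        "allocated_end": end,
        "tail_len": len(tail),
        "tail_all_zero": not any(tail),       # zero fill vs. other content
        "aligned_0x200": len(data) % 0x200 == 0,
    }

def build_sample_cfb() -> bytes:
    """Constructed container: header, FAT sector, directory sector, one data sector."""
    header = bytearray(512)
    header[:8] = CFB_MAGIC
    struct.pack_into("<H", header, 0x1E, 9)   # sector shift 9 -> 512-byte sectors
    struct.pack_into("<I", header, 0x2C, 1)   # one FAT sector
    struct.pack_into("<109I", header, 0x4C, 0, *([FREESECT] * 108))
    fat = struct.pack("<128I", 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFE,
                      *([FREESECT] * 125))
    return bytes(header) + fat + bytes(512) + b"\xAA" * 512

if __name__ == "__main__":
    clean = build_sample_cfb()
    for label, blob in [("clean", clean),
                        ("text appended", clean + b"hidden text"),
                        ("zero page appended", clean + bytes(512))]:
        print(label, cfb_tail(blob))
```

A non-empty tail only shows where to look: as the post says, the 2010 scheme writes random data by default, so content alone does not separate default fill from hidden data.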
 
  

joakims
Senior Member
 

Re: Steganography with ooXML (zip) - abusing zip structures

Post Posted: Dec 07, 11 17:57

Here is another one to think about:

A signed docx (with a digital signature) can be further tweaked/modified by abusing the package signature implementation (or its specification), because the signature only protects a fraction of the xml files.

That means you can add files to the docx as you would with a regular zip file. You can even modify all the metadata (for instance the author and timestamps) without invalidating the signature!

With all these bugs, there is enough content for a book now.
_________________
Joakim Schicht

github.com/jschicht 
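
Listing what a package signature leaves uncovered, as an added example (not code from the thread's posters): it reads the Manifest references from the parts under `_xmlsignatures/` and returns every zip entry they do not name. The function names and the sample package are constructed; the check assumes reference URIs match zip entry names exactly (no case folding or percent-decoding) and it does not verify digests.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"
SIG_DIR = "_xmlsignatures/"

def unsigned_parts(package: bytes) -> list:
    """Return zip entries that no signature Manifest Reference names."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        names = [n for n in z.namelist() if not n.endswith("/")]
        signed = set()
        for name in names:
            if name.startswith(SIG_DIR) and name.endswith(".xml"):
                # For hostile input, parse with a hardened XML parser instead.
                root = ET.fromstring(z.read(name))
                for ref in root.iter(DSIG + "Reference"):
                    uri = ref.get("URI", "")
                    if uri.startswith("/"):   # part reference, not "#id"
                        signed.add(urlsplit(uri).path.lstrip("/"))
    return sorted(n for n in names
                  if n not in signed and not n.startswith(SIG_DIR))

def build_sample_package() -> bytes:
    """Constructed docx-like zip whose signature names only the main document."""
    sig = ('<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">'
           '<SignedInfo><Reference URI="#idPackageObject"/></SignedInfo>'
           '<Object Id="idPackageObject"><Manifest>'
           '<Reference URI="/word/document.xml?ContentType=application/xml"/>'
           '</Manifest></Object></Signature>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in [("[Content_Types].xml", "<Types/>"),
                           ("word/document.xml", "<document/>"),
                           ("docProps/core.xml", "<coreProperties/>"),
                           ("extra/hidden.bin", "constructed payload"),
                           (SIG_DIR + "sig1.xml", sig)]:
            z.writestr(name, body)
    return buf.getvalue()

if __name__ == "__main__":
    for part in unsigned_parts(build_sample_package()):
        print("not covered by signature:", part)
```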
 
