Title: OpenDocument and Open XML Security (OpenOffice.org and MS Office 2007)

Summary

OpenDocument and Open XML are both new file formats for office applications. OpenDocument is an ISO standard, popularised by OpenOffice.org and Sun StarOffice. Open XML is the new document format of Microsoft Office 2007, and an ECMA standard. Both formats share the same basic principle: files are XML inside a ZIP archive, with an open schema, in contrast to the older proprietary formats (MS Word, Excel, PowerPoint, ...). However, they suffer from a number of security issues similar to those of the previous Office formats: malicious actors can still embed and hide malware (Trojans and viruses) thanks to macros, scripts, OLE objects and similar features. This article covers these security issues in technical detail, including ZIP and XML obfuscation techniques that can be used to bypass antivirus software, and describes how to design filters to safely remove unwanted parts.
1 Introduction

Office file formats have always had security issues, mainly because they are rich in "active" features such as macros or OLE objects [SSTIC03], or because documents may hide information and leak it [OSSIR03]. More recently, security researchers have paid greater attention to these formats and the related applications, and have discovered many implementation vulnerabilities [CVEMSO, CVEOOo].

A typical scenario is as follows: a user receives a malicious document as an e-mail attachment or by other means. Opening this file triggers malicious code in a macro, an object or a vulnerability, with or without user interaction, and the result can be damage to the user's computer.

Many users currently feel that OpenOffice or MS Office 2007 are more secure than previous office suites, for various reasons. However, this may be an illusion, as announced by Eric Filiol at SSTIC06 [ESAT1, ESAT2, ESAT3]. For example, in June 2006 the first "proof-of-concept" virus, named Stardust, showed that the threat was real for OpenOffice. Additionally, three vulnerabilities were discovered in OpenOffice 2.0.2 that allow malicious code to bypass the default security policies (bypassing the macro warning popup and the Java sandbox). Open XML is a new format based on open standards, the specification of which was released by ECMA and Microsoft in 2006, and no complete security analysis of it has yet been published.

This article highlights some of the security issues raised by these new formats and their associated office suites, and then proposes some solutions to protect systems from these threats. It also shows that ZIP and XML introduce additional obfuscation possibilities for malicious code, and warns about bypassing antivirus software and content filters.

Original publication available at www.springerlink.com: http://dx.doi.org/10.1007/s11416-007-0060-2
1.1 Notes

These are the products and versions used for this analysis:

- OpenDocument standard v1.0 [ODSPEC10]. The new version 1.1 [ODSPEC11] has not been analysed yet.
- OpenOffice v2.2.0
- Open XML ECMA-376 specification, final version released in December 2006 [OXSPEC]
- Microsoft Office 2007, version 12.0.4518.1014
- All tests were performed on Windows XP SP2.
- This is not a complete security analysis, and some features such as encryption and digital signatures have not been thoroughly tested. This analysis focuses on security issues related to the file formats and to the functionality of the applications. The goal is not to find vulnerabilities such as buffer overflows.

The research work for this article began in France at DGA/CELAR. An early version of this work was presented at the PacSec conference in November 2006 [PACSEC06], and then in French at the SSTIC conference in June 2007 [SSTIC07]. In this document, OpenOffice.org may be referred to as "OpenOffice" or "OOo", and Microsoft Office as "MS Office" or simply "Office".
2 Two new "open" formats

OpenDocument v1 is the open format used by OpenOffice v2. It is also used by other office applications such as Sun StarOffice, KOffice or AbiWord. It has been an ISO standard since May 2006.

Office 2007 is the new version of Microsoft Office, first released in December 2006. There are many changes in the product, such as the user interface and the file formats. Open XML is the new default format for the main MS Office applications: Word, Excel and PowerPoint. It has been an ECMA standard since the end of 2006 and is in the process of becoming an ISO standard.
OpenDocument and Open XML share similar features:

- They are both based on open file formats that are widely used: documents mainly consist of XML files in compressed ZIP archives.
- Their specifications are open and freely available on the Internet: [ODSPEC10, ODSPEC11, OXSPEC].
- They are both accepted as standards by international bodies: ISO for OpenDocument, ECMA for Open XML.
- They both handle the common office document types: text, spreadsheets, presentations, vector drawings.
By studying the published specifications more closely, some differences can be highlighted:

Open XML has a more complex structure and richer functions than OpenDocument. Microsoft aims to handle all existing features of its Office suite, whereas OpenDocument is more of a document model. The OpenDocument specification is only 700 pages long, whereas Open XML reaches 6045 pages!

There are many security-relevant features that the Open XML specification does not yet cover, such as VBA macros, OLE objects or encryption. According to [ECMA], page 115, Microsoft and ECMA consider these features to be proprietary technologies beyond the scope of the Open XML standard. Therefore the MS Office file format is not fully disclosed, and the Open XML standard should be considered only a subset of the resulting file format. In practice, antivirus and content-analysis filters must handle the entire format, including these unspecified proprietary features.

The OpenDocument specification is not complete either, but this is because it is still a work in progress, not because the technology is intentionally protected from disclosure. More information about the security features can be found in other documentation, and the full source code of OpenOffice.org is available.

Compared to proprietary file formats, security analysis of OpenDocument and Open XML is easier thanks to their open status. However, the complexity of their specifications and the lack of some details mean that they are not simple either.
3 A few words about vulnerability exploitation

Today, the most common threats in Office documents do not involve macros or OLE objects, but are based on vulnerabilities in the office suites [CVEMSO, CVEOOo]. Since OpenDocument and Open XML consist of structured and well-defined XML rather than binary data, it can be assumed that vulnerabilities associated with format decoding are much less likely. Additionally, if office applications use strict XML schemas to validate data, malformed documents should not be able to trigger potential vulnerabilities. However, OpenDocument and Open XML do not only include XML: binary parts (such as bitmap pictures and OLE objects) are still present, and the office suites also rely on external libraries to handle certain types of data, and these libraries may be vulnerable to attacks. Another problem is that, thanks to the open specifications, many third-party applications will be created to handle these formats. Since the formats are not that simple, one can expect that vulnerabilities will also be found in these applications.
4 OpenDocument and OpenOffice.org

4.1 OpenDocument format

The current OpenDocument specification [ODSPEC11] covers only a subset of the various file formats handled by the OpenOffice v2 suite. Only text documents, spreadsheets, presentations and vector drawings are described, although other document types such as databases, HTML templates and mathematical formulas share a very similar structure. The following table shows the extensions associated with most native formats used by OpenOffice v1 and v2; the formats described in the OpenDocument specification are highlighted in bold (table not reproduced here).
4.2 Internal structure

Each document is stored in a compressed ZIP archive. It basically consists of several XML files, located in the root directory or in subdirectories of the archive. The following are the main XML files in common documents:

- content.xml: document body
- styles.xml: style data
- meta.xml: metadata (author, title, ...)
- settings.xml: OOo settings for the document
- META-INF/manifest.xml: description of the files

Note that other non-XML files may also be stored in the archive:

- pictures and thumbnails: JPEG, PNG, SVG, etc.
- embedded charts/drawings/documents, OLE objects
4.3 Macros

The most important security issue involves macros. OpenOffice v2 provides 4 different languages for writing macros: Basic, JavaScript, Java (BeanShell) and Python. More languages may be added in the future. A regular OpenOffice installation includes these interpreters, or relies on external ones such as the JVM (Java virtual machine).

Each macro language has access to a very powerful API called UNO (Universal Network Objects), which can act on the operating system. Therefore effective malware can be written. Additionally, macros can be assigned to events and can be started automatically when a document is opened or read.

Since 2006, antivirus vendors have reported at least 3 attempts to write OpenDocument viruses using macros: Stardust, Starbugs and BadBunny. However, none of them has the ability to run without user confirmation.

To protect users from malicious macros, OpenOffice provides 4 security levels, very similar to those of MS Office 2000/XP/2003:

- Low (to be avoided): no protection at all.
- Medium (default): the user may enable macros before accessing the document (a simple popup warning).
- High: only signed macros or trusted directories are allowed. No warning is issued if the signing authority has been accepted or if the document comes from a trusted location.
- Very high: only trusted locations, no signatures, no warnings.

The default level is Medium, so if there are macros in the document, a popup asks the user whether to enable or disable macros before the file contents can be viewed. Note that this is the same as the default level in MS Office 97. Since version 2000, the MS Office default level has been High, and only signed macros are allowed to run. However, in the next release, OpenOffice v2.3 scheduled for September 2007, the default security level should be changed to High.

In mid-2006, a vulnerability was discovered in OpenOffice 2.0.2 (and has since been patched) that could allow an attacker to bypass the macro security warnings.

Macro storage: macro files are located in 2 different subdirectories within the OpenDocument file:

- Basic macros are stored as XML files in the "Basic" directory of the archive.
- Java (BeanShell), JavaScript and Python macros are stored as script files in the "Scripts" directory.

Example:

- Basic/Standard/Module1.xml
- Scripts/beanshell/Library1/MyMacro.bsh
- Scripts/javascript/Library1/MyMacro.js
- Scripts/python/MyMacro.py

Macros in Basic, Java and JavaScript can be created and edited from within the OpenOffice v2 applications. Currently, Python macros still require manual work (see [OSFP]): including the file in the archive and editing manifest.xml.

Macro signing: one of the main issues discovered by the ESAT researchers is that macros are not signed together with the rest of the document. The macros in a signed document can therefore be modified, fooling the user into thinking he is opening a genuine document [ESAT1, ESAT2, ESAT3].

VBA macros: starting from version 2, OpenOffice is able to read the source code of VBA macros in MS Office documents. Currently, it is not possible to actually run VBA macros from OpenOffice. When an MS Office document is converted to OpenDocument format, the VBA macros are stored in clear text as comments in an OOo Basic macro. Therefore, even if there is no active code, the document triggers the same warning as a normal macro. However, if the document is converted back to MS Office format, the VBA macros are reactivated.

Work is ongoing to provide native VBA macro support in OpenOffice using UNO wrappers. Since 2007, some alternative versions of OpenOffice have provided limited support for Excel VBA macros.
4.4 OLE objects

After macros, the second major security issue involves embedded OLE objects. Many types of OLE objects can be stored in OpenDocument files and opened, at least on Windows. OLE objects are typically stored as binary files named "Object xxx" in the root directory of the archive, in Microsoft OLE2 format (also known as structured storage). Therefore, even if OpenDocument is an open format, it can also hold parts in a closed format.

The most dangerous type of OLE object is the OLE package: it may contain any file, including executables, or any command line. If the user double-clicks the object, the system launches the file or command after a warning popup. The warning shown before opening a package object comes only from Windows (packager.exe), not from OpenOffice. Therefore, this can be a significant security issue on older Windows systems. For example, on Windows 2000 SP4 there is no warning at all.

Additionally, a vulnerability was discovered in 2006 in Windows XP and 2003 [MS06-065] that could trick users into launching a command line. Just by adding a slash and a file name at the end of the command line, the OLE package object appears as a harmless text file. Here is an example:

cmd.exe /c [...malicious commands...] /joke.txt
4.5 Scripts

Scripts can be embedded in documents using the JavaScript or VBScript language. These are not run directly by OpenOffice. However, if the document is saved as HTML, they may be launched by the browser and an exploit can be triggered. Scripts are stored in <text:script> tags in content.xml, for example:

<text:script script:language="JavaScript">
alert("test script");
</text:script>

The script's source code can be included directly in the markup, or placed in an external script file referenced by the "xlink:href" attribute.
4.6 Java applets

Java applets can also be stored in documents. This is different from macros written in the Java language. These compiled applets run in a Java sandbox inside OpenOffice. Because of the sandbox, a malicious applet should not be able to do harmful things. However, if a vulnerability exists, it is sometimes possible to escape the sandbox, as was the case in OpenOffice 2.0.2.
4.7 URL links

Documents can contain URL links. When the user clicks on one, if the URL is external, OpenOffice opens the browser with the provided address. Hopefully it is impossible to launch javascript or vbscript URLs this way, since URLs starting with "javascript:..." and "vbscript:..." are filtered out.

However, if the browser holds an authenticated session with a sensitive Web application, it is still possible to direct the user to a malicious website, or to launch an XSRF attack (cross-site request forgery, [XSRF]).

Additionally, a recently discovered vulnerability in OpenOffice v2.1 makes it possible to execute local commands on Linux and Solaris by inserting a shell escape character in a URL [OOoURL].
4.8 Hidden data - information leakage

Just as in MS Office, OpenDocument files may hide sensitive data from users: metadata, hidden text, comments, revision marks, etc. This can become a problem when documents are published on the Internet or sent outside the corporate network.

To address this problem, OpenOffice provides some interesting functions to warn about hidden information when signing, exporting as PDF or saving. However, this is not sufficient in all cases, as it does not cover data that may be hidden within OLE objects.
4.9 Conclusion on OpenDocument / OpenOffice security

There are many ways to include active content in OpenDocument files and potentially launch malicious code. Even though some protections are available to avoid this, none of them is completely safe. Additionally, vulnerabilities are now frequently discovered in OpenOffice [CVEOOo], which requires vigilance and frequent software updates.

Even if OpenDocument is an open format, a file may sometimes contain parts in a closed format, such as Microsoft OLE objects.

In summary, it can be said that OpenOffice is neither more nor less secure than Microsoft Office: we have seen that similar security issues exist regarding malware and hidden data. There are of course some differences, and certain features are more secure in one product than in the other. However, analysing and filtering active content or hidden data in the OpenDocument format is much simpler than with typical proprietary office formats.
5 Open XML and Microsoft Office 2007

Open XML is the new default file format of the major MS Office 2007 applications: Word, Excel and PowerPoint. Open XML files have new extensions:

– Word: .docx, .docm, .dotx, .dotm
– Excel: .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xlam
– PowerPoint: .pptx, .pptm, .ppsx, .ppsm
– Access: .accdb (new binary format, not Open XML)

Thanks to a "compatibility mode", the old binary formats (OLE2) of previous Office versions can still be read and written. Converter packages are also available for free so that MS Office 2000, XP and 2003 can read and write Open XML documents. If the converter package is installed, most of the issues described below also apply to these versions.
5.1 Open XML structure

Basically, an Open XML document is a compressed ZIP archive containing XML files, just like OpenDocument. However, the structure is slightly more complex. It follows the new Microsoft Open Packaging Conventions, or OPC (see [OXSPEC] part 2), shared with other formats such as XPS [XPS] (XPS is a new Microsoft format similar to PDF).

In an OPC archive, each data file is called a part. The type of each part is described in the file "[Content_Types].xml" in the root directory of the archive. There are also ".rels" files that store the relationships between parts, an indirection that has no equivalent in OpenDocument.

In Open XML documents, data is stored in multiple XML files, which differ for each application. Here is an example for a Word document:

- word/document.xml: document body
- word/styles.xml: style data
- word/settings.xml: document settings
- docProps/app.xml and core.xml: metadata (author, title, ...)

There may also be optional binary files:

- pictures and other media: JPEG, PNG, GIF, TIFF, WMF, ...
- OLE objects, VBA macros, printer settings, ...
5.2 VBA macros

As for OpenDocument, the main security concern is that Open XML documents may contain macros providing enough functionality to write effective malicious code. These are VBA macros, just as in the previous MS Office formats.

One big change in MS Office 2007 is the distinction between "normal" and "macro-enabled" documents. Normal documents have an extension ending with an "x" (for example DOCX, XLSX, PPTX) and cannot contain macros. To store macros in a document, it must be saved in a "macro-enabled" format, whose extension ends with an "m" (for example DOCM, XLSM, PPTM). If a DOCM file is renamed to DOCX, Office 2007 rejects the file as "corrupted".

Security levels: macro security has also changed a lot in Office 2007. In previous Office versions, users could by default only launch signed or trusted macros, because the High security mode was enabled by default. In Office 2007 there are no more Medium or High security levels. The new default level is called "Disable all macros with notification". New additional levels are also available in the new Trust Center, which is a central location for all security settings.

Whenever a user opens a document that contains macros, the content is displayed, the macros are disabled, and a warning message is shown under the Ribbon. By clicking on this message, the user gets a window that allows him to enable the macros, signed or not. The new default security level thus allows users to launch unsigned macros with a few clicks, without carefully reading all the warning messages. Additionally, the document can be read before deciding to enable macros, which opens some social engineering possibilities.

Macro storage: VBA macros are stored in a file called vbaProject.bin, whose path in the archive depends on the application:

– Word: word/vbaProject.bin
– Excel: xl/vbaProject.bin
– PowerPoint: ppt/vbaProject.bin

This is a binary file using the Microsoft OLE2 format (structured storage), which is not described in the current Open XML specification [OXSPEC].

If a macro has a specific name, such as "Document_Open" in Word, it may be triggered automatically when the document is opened.
5.3 OLE objects

As in OpenDocument and in the previous Office formats, OLE objects can be stored in Open XML documents, with the same security concerns.

These objects are usually stored in their original OLE2 binary format at various locations in the archive, depending on the application: for example, Word stores package objects in "word/embeddings". As with macros, OLE object storage is not described in the current Open XML specification.

Some situations can lead to strange results. For example, an Excel workbook with macros (.xlsm) can be stored as an OLE object in a normal Word document without macros (.docx). There is no warning when the Word document is opened. However, as soon as the user activates the object, an Excel popup appears asking whether macros should be enabled. This is the case even if the security level is "Disable all macros without notification"...
5.4 Excel 2007 binary workbook

Excel 2007 workbooks can be saved in a mixed Open XML format called "binary workbook", with the extension ".xlsb". This format is very close to Open XML, except that some data is stored in binary files instead of XML. This undocumented format looks like the BIFF8 format used by previous Excel versions. Binary workbooks may contain macros.
5.5 Hidden data - information leakage

A new tool called Document Inspector is available in Office 2007 for detecting and removing many types of hidden data in documents. It is an improved version of RHDTool, which can be installed with Office 2003. This is certainly a very interesting feature. Just as with OpenOffice, however, OLE objects are not detected as potentially hidden data, so the results are not always completely accurate.
5.6 Conclusion on the security of Open XML and MS Office 2007

According to this analysis, the new Open XML format raises the same security concerns regarding malicious code and hidden data as the previous binary Office formats. For some aspects, such as macros, the default security settings may even be more permissive than before.

Even if Open XML is based on an open specification, the documents generated by Microsoft Office 2007 may contain some proprietary, undocumented formats (e.g. MS OLE2 or BIFF), and these parts are often the important ones for security. Furthermore, some major features (such as macros) are not part of the Open XML specification, so the actual format cannot be considered 100% open from a security perspective.

As with OpenDocument, Open XML is easier to parse and filter than the closed formats; however, its internal structure is more complex and requires more sophisticated processing.
6 How to prevent these security issues

There are two main complementary technical solutions for protecting systems from malicious content and information leakage in office documents:

- hardening the security settings of the office suites
- filtering documents on gateways or removable devices

Organisational solutions, such as documentation to better inform users about malicious content and information leaks, are not covered here.
6.1 Security settings for OpenOffice and MS Office 2007

Here are some general principles for hardening the security settings of both office suites, to be adapted to actual needs:

- Of course, apply security updates first whenever possible.
- Raise the macro and ActiveX security levels to the highest position compatible with the users' real needs.
- If macros are needed, use digital signatures with a corporate PKI. If this is not possible, set up trusted directories carefully. (Avoid self-signed certificates, except for personal use.)
- Disable all trusted directories if they are not used. At least disable those to which users have write access.
- Prevent OLE package objects, which are rarely used: forbid execution of "C:\Windows\System32\Packager.exe" using file permissions.

Specific settings for MS Office 2007:

- Disable the notification message, to avoid the use of unsigned macros.
- Alternatively, the VBA engine can even be disabled by setting this registry key, at the cost of some functionality: HKLM\SOFTWARE\Microsoft\Office\12.0\Common\VBAOff = 1
- Deploy security settings on the network to ease administration, for example using GPOs. Look for the "2007 Office System Administrative Templates" on the Microsoft website.
- If this is not possible, for example on standalone workstations, protect the security settings using HKLM registry keys or file/registry permissions so that users cannot modify them. The HKLM and HKCU registry keys for Office 2007 can be found in the templates mentioned above. Unlike previous Office versions, it seems that not all security settings can be protected with HKLM keys. For example, a user can modify the macro security level in HKCU unless registry permissions are set to prevent it.
- For more details, Microsoft provides some documentation with recommendations: http://go.microsoft.com/fwlink/?LinkID=85671

Specific settings for OpenOffice: in OpenOffice, security settings such as the macro security level are stored in XML files (.xcu) together with the other settings. Global settings are first read from XCU files in the application directory (Program Files), and then user-specific settings are read from the user profile (Documents and Settings). Some settings can also be stored in an LDAP directory so that they can be easily deployed on the network.

By default, users can override any setting in their profile. However, selected settings can be protected from user modification by adding the "finalized" and "mandatory" attributes to the XML tags in the XCU file.

For example, macro support can be disabled for all users by adding the following lines to the file Common.xcu (in Program Files\OpenOffice.org 2.2\share\registry\data\org\openoffice\Office\). This also hides the macro security settings in the application.
<node oor:name="Security">
  <node oor:name="Scripting">
    <prop oor:name="MacroSecurityLevel" oor:type="xs:int" oor:finalized="true" oor:mandatory="true">
      <value>3</value>
    </prop>
    <prop oor:name="DisableMacrosExecution" oor:type="xs:boolean" oor:finalized="true" oor:mandatory="true">
      <value>true</value>
    </prop>
  </node>
</node>
Note that this does not provide a fully trusted OpenOffice configuration on highly sensitive systems, as advanced users are often able to run the application from alternate directories or to override settings by editing certain files. However, this protection is always better than the default settings.

Currently, there are no known tools and no comprehensive documentation to help administrators set up security settings. The best way to discover the available settings is to look at the XCS files located in Program Files\OpenOffice.org 2.2\share\registry\schema\org\openoffice\, specifically Common.xcs. The tag <group oor:name="Security"> contains most security settings, along with comments about their effects.

The original article gives an example decision tree for selecting OpenOffice macro security settings (figure not reproduced here).
6.2 Filtering files - content analysis and antivirus

Documents can be filtered on a gateway (e-mail, Web, file transfer, ...) or on removable devices. This may include the usual antivirus analysis or a more complex filtering process. An example of such a process is the removal of all active content (macros, scripts, OLE objects, ...) or hidden data from a document.

Since both OpenDocument and Open XML use standard technologies such as ZIP and XML, it can be assumed that these formats can be easily parsed and filtered using common tools and libraries. In fact, all active elements such as macros and OLE objects can be found easily.

Example filter for OpenDocument, to remove all active content:

- macros: delete any file in the Basic and Scripts directories
- OLE objects: delete any file whose name starts with "Object"
- in content.xml:
  • delete OLE objects: <draw:object-ole>
  • delete scripts: <text:script>
  • delete applets: <draw:applet>
  • update any tag linked to macros, for example: <office:event-listeners>

Example filter for Open XML, to remove all active content:

- macros: delete any file named "vbaProject.bin" or "vbaData.xml"
- OLE objects: delete any file named "*.bin"

Very simple filter for OpenDocument and Open XML: the original article shows a very simple Python filter that only removes the potentially active files from the document.
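The two filter recipes above, implemented as an added example (this is not the article's own script, which is not reproduced on this page): it drops the macro directories and "Object" files of an OpenDocument archive, the vbaProject.bin / vbaData.xml parts of an Open XML package, the active elements of content.xml, and the manifest entries that pointed at the deleted files. The sample documents are constructed in the block; the ODF namespace URIs and the "mimetype first, stored uncompressed" rule come from the ODF specification, everything else is an assumption of the example.

```python
"""Remove active content from OpenDocument and Open XML files (added example)."""
import io
import zipfile
from xml.etree import ElementTree as ET

ODF_MACRO_DIRS = ("Basic/", "Scripts/")   # fixed directory names in OpenOffice v2
ODF_OLE_PREFIX = "Object "                 # "Object 1", "Object 2", ... in the archive root
OOXML_MACRO_NAMES = ("vbaProject.bin", "vbaData.xml")

NS = {  # ODF 1.0/1.1 namespaces used below
    "office": "urn:oasis:names:tc:opendocument:xmlns:office:1.0",
    "text": "urn:oasis:names:tc:opendocument:xmlns:text:1.0",
    "draw": "urn:oasis:names:tc:opendocument:xmlns:drawing:1.0",
    "script": "urn:oasis:names:tc:opendocument:xmlns:script:1.0",
    "manifest": "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)   # keep the usual prefixes when re-serialising

# Elements the article lists as active content inside content.xml
ODF_ACTIVE_TAGS = {"{%s}object-ole" % NS["draw"], "{%s}script" % NS["text"],
                   "{%s}applet" % NS["draw"], "{%s}event-listeners" % NS["office"]}


def is_active_part(name):
    """True if an archive member is a macro or OLE container, judged by location/name only."""
    base = name.rsplit("/", 1)[-1]
    return (name.startswith(ODF_MACRO_DIRS) or base.startswith(ODF_OLE_PREFIX)
            or base in OOXML_MACRO_NAMES)


def _drop_elements(root, predicate):
    """Remove every non-root element for which predicate(elem) holds; return the count."""
    parents = {child: parent for parent in root.iter() for child in parent}
    victims = [e for e in root.iter() if e is not root and predicate(e)]
    for elem in victims:
        parents[elem].remove(elem)
    return len(victims)


def _strip_content_xml(xml_bytes):
    root = ET.fromstring(xml_bytes)
    count = _drop_elements(root, lambda e: e.tag in ODF_ACTIVE_TAGS)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True), count


def _prune_manifest(xml_bytes, dropped):
    """Remove manifest:file-entry elements that point at deleted members or macro directories."""
    root = ET.fromstring(xml_bytes)
    path_attr = "{%s}full-path" % NS["manifest"]
    _drop_elements(root, lambda e: e.get(path_attr, "") in dropped
                   or is_active_part(e.get(path_attr, "")))
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def strip_active_content(document):
    """Return (filtered archive bytes, list of removed items) for an ODF or Open XML file."""
    src = zipfile.ZipFile(io.BytesIO(document))
    names = src.namelist()
    dropped = [n for n in names if is_active_part(n)]
    removed = list(dropped)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as dst:
        for name in names:
            if name in dropped:
                continue
            data = src.read(name)
            if name == "content.xml":
                data, count = _strip_content_xml(data)
                if count:
                    removed.append("content.xml:%d active element(s)" % count)
            elif name == "META-INF/manifest.xml":
                data = _prune_manifest(data, dropped)
            # ODF requires 'mimetype' to be the first member and stored uncompressed
            method = zipfile.ZIP_STORED if name == "mimetype" else zipfile.ZIP_DEFLATED
            dst.writestr(name, data, compress_type=method)
    return out.getvalue(), removed


def _build_zip(members):
    """Constructed test archive from an ordered {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in members.items():
            method = zipfile.ZIP_STORED if name == "mimetype" else zipfile.ZIP_DEFLATED
            z.writestr(name, data, compress_type=method)
    return buf.getvalue()


def list_members(document):
    return zipfile.ZipFile(io.BytesIO(document)).namelist()


def read_member(document, name):
    return zipfile.ZipFile(io.BytesIO(document)).read(name)


def make_sample_odt():
    """Constructed ODF text document with a Basic macro, an OLE object and an embedded script."""
    content = b"""<?xml version="1.0" encoding="UTF-8"?>
<office:document-content xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
 xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"
 xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0"
 xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0"
 xmlns:xlink="http://www.w3.org/1999/xlink"><office:body><office:text>
<text:script script:language="JavaScript">alert("test script");</text:script>
<text:p>Hello</text:p>
<draw:frame><draw:object-ole xlink:href="./Object 1"/></draw:frame>
</office:text></office:body></office:document-content>"""
    manifest = b"""<?xml version="1.0" encoding="UTF-8"?>
<manifest:manifest xmlns:manifest="urn:oasis:names:tc:opendocument:xmlns:manifest:1.0">
<manifest:file-entry manifest:media-type="application/vnd.oasis.opendocument.text" manifest:full-path="/"/>
<manifest:file-entry manifest:media-type="text/xml" manifest:full-path="content.xml"/>
<manifest:file-entry manifest:media-type="" manifest:full-path="Basic/"/>
<manifest:file-entry manifest:media-type="text/xml" manifest:full-path="Basic/Standard/Module1.xml"/>
<manifest:file-entry manifest:media-type="application/vnd.sun.star.oleobject" manifest:full-path="Object 1"/>
</manifest:manifest>"""
    return _build_zip({"mimetype": b"application/vnd.oasis.opendocument.text",
                       "content.xml": content,
                       "Basic/Standard/Module1.xml": b"<script:module/>",
                       "Object 1": bytes.fromhex("D0CF11E0A1B11AE1") + b"\0" * 8,
                       "META-INF/manifest.xml": manifest})
```

The filter is deliberately location-based, as the article's recipe is; the obfuscation techniques in section 6.3 show why, for Open XML, the part name alone is not a safe criterion.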
6.3 Bypassing antivirus and filters

As we have seen, it is very tempting to analyse or filter these open formats using simple techniques: common ZIP tools and libraries, or text-based searches in XML files.

However, attackers may obfuscate malicious content in a variety of ways to bypass filtering gateways or antivirus software. To do this, they only need the office suites and the native features of the XML and ZIP formats. Here are some potential obfuscation techniques:

Renaming Open XML documents with macros: first, it is unreliable to filter out Open XML documents with macros based on the file extension alone. Even though a ".docx" file can never contain macros, a ".docm" document can always be renamed ".doc" if ".docm" is blocked on the gateway.

Renaming OpenDocument macros: files containing macros can be renamed within the OpenDocument archive, replacing .xml, .bsh, .js or .py with any other extension. To do this, simply edit manifest.xml and content.xml to change the links to the macro files. In summary, file extensions are not a good criterion for detecting macros in OpenDocument. Fortunately, the "Basic" and "Scripts" directories have fixed names in the current implementation and only contain macro-related files, so they are a safe way to detect or remove macros.

Renaming VBA macros in Open XML: because of the modular structure of Open XML (OPC), the file "vbaProject.bin" containing the macros can be renamed to any name. For example, in a Word document:

- rename "vbaProject.bin" to "no_macros_here.txt"
- update the relationship in "word/_rels/document.xml.rels"
- in "[Content_Types].xml", replace "bin" with "txt"

This simple operation bypasses a name-based filter such as the simple Python filter mentioned above, while keeping the macro active. Therefore it is not possible to rely on filenames to detect macros in Open XML. A safer solution is to use a real XML parser to detect the "vbaProject" and "vbaData" parts (or "oleObject" parts for OLE objects) in "[Content_Types].xml". Another solution is to analyse the contents of each file looking for OLE2 binary headers, with potential false positives.
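The two safer detection approaches just described, as an added example that is not part of the original article: the package is checked through its declared content types, through the relationship types in the .rels parts, and through the OLE2 header of each member, so that the three renaming steps above are all caught. The sample package is constructed inside the block and follows those steps exactly. The content-type and relationship-type strings (application/vnd.ms-office.vbaProject, application/vnd.ms-word.vbaData+xml, application/vnd.openxmlformats-officedocument.oleObject, and the .../2006/relationships/vbaProject relationship) are the identifiers Office writes for these parts; the article itself only names the parts, so treat them as the example's assumption.

```python
"""Detect Open XML macros and OLE objects without trusting filenames (added example)."""
import io
import zipfile
from xml.etree import ElementTree as ET

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Content types that mark active parts, whatever the part is called (assumed identifiers)
ACTIVE_CONTENT_TYPES = {
    "application/vnd.ms-office.vbaProject": "vba-project",
    "application/vnd.ms-word.vbaData+xml": "vba-data",
    "application/vnd.openxmlformats-officedocument.oleObject": "ole-object",
}
VBA_REL_TYPE = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # structured storage header


def name_based_check(document):
    """The naive rule the article shows being bypassed: 'is there a vbaProject.bin?'"""
    with zipfile.ZipFile(io.BytesIO(document)) as z:
        return any(n.endswith("vbaProject.bin") for n in z.namelist())


def part_content_types(archive):
    """Resolve each part's content type from [Content_Types].xml (Override beats Default)."""
    root = ET.fromstring(archive.read("[Content_Types].xml"))
    defaults = {d.get("Extension", "").lower(): d.get("ContentType")
                for d in root.iter("{%s}Default" % CT_NS)}
    overrides = {o.get("PartName", "").lstrip("/"): o.get("ContentType")
                 for o in root.iter("{%s}Override" % CT_NS)}
    types = {}
    for name in archive.namelist():
        if name == "[Content_Types].xml":
            continue
        base = name.rsplit("/", 1)[-1]
        ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
        types[name] = overrides.get(name) or defaults.get(ext)
    return types


def _resolve_target(rels_name, target):
    """Map a relationship Target to a part name ('word/_rels/document.xml.rels' -> 'word/')."""
    if target.startswith("/"):
        return target.lstrip("/")
    return rels_name.split("_rels/")[0] + target


def find_active_parts(document):
    """Return (part name, reason) pairs found via content type, relationship type and OLE2 magic."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(document)) as z:
        for name, ctype in part_content_types(z).items():
            if ctype in ACTIVE_CONTENT_TYPES:
                hits.append((name, ACTIVE_CONTENT_TYPES[ctype]))
        for name in z.namelist():
            if name.endswith(".rels"):
                for rel in ET.fromstring(z.read(name)).iter("{%s}Relationship" % REL_NS):
                    if rel.get("Type") == VBA_REL_TYPE:
                        hits.append((_resolve_target(name, rel.get("Target", "")), "vba-relationship"))
            elif z.read(name)[:8] == OLE2_MAGIC:   # content sniffing: also flags benign OLE2 parts
                hits.append((name, "ole2-header"))
    return hits


def _zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in members.items():
            z.writestr(name, data)
    return buf.getvalue()


def make_sample_docx(with_renamed_macro):
    """Constructed Word package. With the flag set, it applies the article's three renaming steps:
    vbaProject.bin -> no_macros_here.txt, relationship retargeted, 'bin' -> 'txt' in [Content_Types].xml."""
    defaults = (b'<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
                b'<Default Extension="xml" ContentType="application/xml"/>')
    rels = b'<Relationships xmlns="%s">' % REL_NS.encode()
    members = {"word/document.xml": b"<document/>"}
    if with_renamed_macro:
        defaults += b'<Default Extension="txt" ContentType="application/vnd.ms-office.vbaProject"/>'
        rels += b'<Relationship Id="rId1" Target="no_macros_here.txt" Type="%s"/>' % VBA_REL_TYPE.encode()
        members["word/no_macros_here.txt"] = OLE2_MAGIC + b"\0" * 24
    members["[Content_Types].xml"] = b'<Types xmlns="%s">%s</Types>' % (CT_NS.encode(), defaults)
    members["word/_rels/document.xml.rels"] = rels + b"</Relationships>"
    return _zip(members)
```

Each signal alone has a weakness (content types and relationships are attacker-controlled XML, the magic-number scan produces false positives on any embedded OLE2 file), which is why the detector reports all three and lets the filter decide what to block.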
Open XML - US-ASCII encoding and "bit stripping": as with Internet Explorer (see [IEASCII]), the handling of the "US-ASCII" encoding in Office 2007 is rather strange: for all characters with an ASCII code greater than 127, bit 8 is simply removed before the XML is parsed. This behaviour allows very simple obfuscation of XML tags, which a filter or antivirus will not check. Here is an example of an obfuscated <HIDDENTAG> tag:

<?xml version="1.0" encoding="us-ascii" standalone="yes"?>
¼HIDDENTAG¾ malware[...] ¼/HIDDENTAG¾

Note: in this example, "¼" and "¾" represent the characters with codes 188 and 190 respectively.

Open XML - UTF-7 encoding: following the same principle, the UTF-7 encoding and its alternative character representations can be used to hide XML tags. UTF-7 is now a prohibited encoding for XML, but Office 2007 allows it (just like Internet Explorer). Here is an example:

<?xml version="1.0" encoding="UTF-7" standalone="yes"?>
+ADw-HIDDENTAG+AD4- malware[...] +ADw-/HIDDENTAG+AD4-

However, the Open XML specification [OXSPEC] clearly states that only UTF-8 and UTF-16 are allowed in XML files. It can be noted that the OpenOffice XML parser does not allow these obfuscations.
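The two encoding tricks above, side by side with the check that defeats them, as an added example that is not part of the original article. The block reconstructs both samples byte for byte, shows that a text search for "<HIDDENTAG" finds nothing in either, models what a lenient parser of the kind described would see (bit 8 dropped for "us-ascii", UTF-7 decoded), and implements the filter rule: accept only the encodings the specification allows, then decode strictly. The lenient-parser model is this example's simplification of the behaviour the article describes, not Office's code.

```python
"""XML encoding checks against the US-ASCII and UTF-7 obfuscations (added example)."""
import re

ALLOWED_ENCODINGS = {"utf-8", "utf-16"}   # what the Open XML specification allows, per the article
_DECL = re.compile(rb'^<\?xml[^>]*?encoding=["\']([A-Za-z0-9._-]+)["\']')

# Constructed samples reproducing the two obfuscations from the text.
# 0xBC ('¼') and 0xBE ('¾') become '<' (0x3C) and '>' (0x3E) once bit 8 is dropped.
ASCII_SAMPLE = (b'<?xml version="1.0" encoding="us-ascii" standalone="yes"?>\n'
                b'\xbcHIDDENTAG\xbe malware[...] \xbc/HIDDENTAG\xbe')
UTF7_SAMPLE = (b'<?xml version="1.0" encoding="UTF-7" standalone="yes"?>\n'
               b'+ADw-HIDDENTAG+AD4- malware[...] +ADw-/HIDDENTAG+AD4-')
CLEAN_SAMPLE = b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n<doc>text</doc>'


def declared_encoding(xml_bytes):
    """Encoding named in the XML declaration (UTF-16 if a BOM is present, UTF-8 if nothing is declared)."""
    if xml_bytes[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return "utf-16"
    m = _DECL.match(xml_bytes)
    return m.group(1).decode("ascii").lower() if m else "utf-8"


def naive_tag_search(xml_bytes, tag):
    """The byte-level text search the article warns against."""
    return ("<" + tag).encode() in xml_bytes


def as_lenient_parser_sees_it(xml_bytes):
    """Model of the lenient behaviour described for Office 2007 / IE: bit 8 stripped when the
    declaration says 'us-ascii', and any declared codec (UTF-7 included) honoured otherwise."""
    enc = declared_encoding(xml_bytes)
    if enc == "us-ascii":
        return bytes(b & 0x7F for b in xml_bytes).decode("ascii")
    return xml_bytes.decode(enc, errors="replace")


def check_xml_part(xml_bytes):
    """Filter rule: reject encodings the specification forbids, then decode strictly."""
    enc = declared_encoding(xml_bytes)
    if enc not in ALLOWED_ENCODINGS:
        return False, "encoding %s not allowed" % enc
    try:
        xml_bytes.decode(enc, errors="strict")
    except UnicodeDecodeError as exc:
        return False, "undecodable byte at offset %d" % exc.start
    return True, "ok"
```

Rejecting on the declaration alone is enough for these two cases; the strict decode additionally catches a part that declares UTF-8 but carries the stripped-bit bytes anyway, which a lenient parser might still accept.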
- Malformed ZIP archive - Duplicate filenames: In standard ZIP archives, filenames are repeated in 2 positions, a central directory at the end of the archive and a header before each file's content. The same goes for file sizes and other information. By modifying just one of the two file names, a malformed ZIP archive can be created. Many applications do not check these names for consistency, and some rely only on one location or the other. The following is an example of such a malformed ZIP archive:
OpenOffice relies on the central directory only. This technique can be used to trick a filter or antivirus software if it only reads the file header. MS Office 2007 checks the 2 filenames for consistency. However, if it detects any issue, it asks the user whether the file should be repaired. Strangely, the file is always repaired so that the macro remains executable, regardless of whether the header or the central directory was changed! This technique can then be used to bypass any filter/antivirus software that relies on just one of the filenames.
- Zip64 Compression: The ZIP format has been improved over the past few years to increase the maximum size and compression ratio of archives. The Open XML specification explicitly allows the new Zip64 format; therefore, some filters/antivirus software can be bypassed if they do not handle this format correctly.
- Recommendations for robust filters or antivirus software: OpenDocument and Open XML analysis cannot be considered a simple task, even if these formats are based on the open ZIP and XML formats. Here are some important points to check for security analysis:
- Use a robust ZIP library that is able to detect malformed archives.
- In ZIP archives, reject any inconsistency between the central directory and the file headers.
- Use case-insensitive functions to handle filenames and paths in ZIP archives.
- Reject any ZIP archive whose format is not supported by the library, or not allowed by the specification: Zip64, new compression algorithms, encryption, ...
- Always use a complete and robust XML parser. Never use simple text searches or regular expressions on XML files.
- Open XML parsing is especially complex because it requires a deeper analysis of the XML data following the OPC principles (Open Packaging Conventions, see [OXSPEC] Part 2).
- Check the XML file encoding: reject any encoding not allowed by the specification, and use a strict decoding mode to reject any abnormal characters.
- If possible, use the XML schemas provided by vendors with open specifications.
- Reject any inconsistency between the internal structure of the document and its filename (for example, an Open XML document should never be named ".doc").
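As an added example (not code from the original article), the following Python checker applies several of the recommendations above to a constructed in-memory archive: it walks the local file headers independently of the central directory and rejects any name, CRC or size mismatch of the kind described under "Malformed ZIP archive", flags Zip64 records, and rejects XML parts that declare an encoding other than UTF-8 or UTF-16. The part names, archive contents and function names are assumptions made for the illustration.

```python
import io
import re
import struct
import zipfile

ALLOWED_XML_ENCODINGS = {"utf-8", "utf-16"}  # the only encodings [OXSPEC] permits for XML parts
ENC_RE = re.compile(r'<\?xml[^>]*encoding="([^"]+)"', re.I)

def local_headers(data: bytes) -> dict:
    """Walk the local file headers in order, without trusting the central directory.
    Returns {offset: (name, crc32, compressed_size, uncompressed_size)}; raises ValueError if unwalkable."""
    entries, off = {}, 0
    while data[off:off + 4] == b"PK\x03\x04":
        flags, _, _, _, crc, csize, usize, nlen, xlen = struct.unpack_from("<HHHHIIIHH", data, off + 6)
        if flags & 0x0008:  # sizes sit in a trailing data descriptor, so the walk cannot be trusted
            raise ValueError("data descriptor flag set; local headers cannot be walked")
        name = data[off + 30:off + 30 + nlen].decode("utf-8" if flags & 0x0800 else "cp437")
        entries[off] = (name, crc, csize, usize)
        off += 30 + nlen + xlen + csize
    return entries

def audit_archive(data: bytes) -> list:
    """Return findings for an OpenDocument/Open XML container; an empty list means it passed."""
    local = local_headers(data)
    findings = ["Zip64 end-of-central-directory record present"] if b"PK\x06\x06" in data else []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        infos = z.infolist()
        if len(infos) != len(local):
            findings.append("entry count differs between central directory and local headers")
        for info in infos:
            expected = (info.filename, info.CRC, info.compress_size, info.file_size)
            if local.get(info.header_offset) != expected:
                findings.append(f"central directory / local header mismatch for {info.filename!r}")
                continue  # never decompress an entry whose two descriptions disagree
            if info.filename.lower().endswith(".xml"):
                m = ENC_RE.search(z.read(info)[:256].decode("latin-1"))  # raw-byte match on the declaration
                if m and m.group(1).lower() not in ALLOWED_XML_ENCODINGS:
                    findings.append(f"forbidden XML encoding {m.group(1)} in {info.filename!r}")
    return findings

def build_sample(tamper: bool = False, encoding: str = "UTF-8") -> bytes:
    """Constructed in-memory archive (not a real document). tamper=True rewrites only the
    local header copy of the second name; the central directory copy is left unchanged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", f'<?xml version="1.0" encoding="{encoding}"?><Types/>')
        z.writestr("word/vbaProject.bin", b"constructed placeholder bytes, not a real macro")
    data = bytearray(buf.getvalue())
    if tamper:
        i = data.find(b"word/vbaProject.bin")  # first occurrence is the local header
        data[i:i + 19] = b"word/vbaProjecT.bin"
    return bytes(data)
```

A mismatched entry is refused rather than repaired, the opposite of the Office 2007 behaviour described above. A UTF-16 declaration is NUL-interleaved in the raw bytes, so it is left to the strict XML decoder rather than to this regular expression.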
7 Conclusion
- The new office formats OpenDocument and Open XML are very promising, and their open specifications are very useful from a security perspective. Filtering active content and hidden data is much easier than before.
- However, they still suffer from the same security issues as previous proprietary formats, and there is no real reason to feel any more secure. Some new features of these formats or office suites may even increase security concerns, such as XML and ZIP obfuscation techniques.
- As you can guess, it will take some time before all antivirus and content analysis software can safely handle OpenDocument and Open XML. This article presents some ideas for improving the analysis of these formats.
References
[ESAT1] An in-depth analysis of virus threats using OpenOffice.org documents, de Drézigué, Fizaine, Hansma (ESAT), Journal of Computer Virology, 2006, http://www.springerlink.com/content/17729904/?k=openoffice
[ESAT2] The viral risk under OpenOffice 2.0.x, Filiol, Fizaine (ESAT), MISC magazine no. 27, 09/2006.
[FSECURE] OpenOffice Security, S. Rautiainen (F-Secure), VB2003 Conference, http://www.f-secure.com/weblog/archives/openoffice_security.pdf
[PACSEC06] OpenOffice/OpenDocument and MS Open XML Security, P. Lagadec, PacSec 2006 Conference, http://pacsec.jp/psj06archive.html
[SSTIC07] Security of OpenDocument and Open XML documents, P. Lagadec, http://actes.sstic.org/SSTIC07/Securite_OpenDocument_OpenXML/
[ECMA] Ecma International, National Agency Comments on 30 Day Comments on Fast Track Ballot for ISO/IEC DIS 29500 (ECMA-376) "Office Open XML File Format", Ecma/TC45/2007/006, http://www.ecma-international.org/news/TC45_current_work/Ecma%20responses.pdf
[SSTIC03] File formats and malicious code, P. Lagadec, SSTIC03, http://actes.sstic.org/SSTIC03/Formats_de_fichiers/
[CVEMSO] Common Vulnerabilities and Exposures, keyword "Microsoft Office", http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=microsoft+office
[CVEOOo] Common Vulnerabilities and Exposures, keyword "OpenOffice", http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=openoffice
[ESAT3] Analysis of the viral risk under OpenOffice.org 2.0.x, E. Filiol (ESAT), rump session, SSTIC06, http://actes.sstic.org/SSTIC06/Rump_sessions/SSTIC06-rump-Filiol Risque_viral_sous_OpenOffice.pdf
[OOoURL] OpenOffice.org URL handling security vulnerability (Linux/Solaris), http://www.openoffice.org/security/CVE-2007-0239.html
[XSRF] Cross-site request forgery, Wikipedia, http://en.wikipedia.org/wiki/XSRF
[OSSIR03] Information leakage in proprietary documents, P. Chambet (EdelWeb), Eric Filiol (ESAT), E. Detoisien, OSSIR, 6/10/2003, http://www.ossir.org/windows/supports/2003/2003-10-06/OSSIR Fuite%20infos.pdf
[ODSPEC10] Open Document Format for Office Applications (OpenDocument) v1.0, OASIS Standard, May 1, 2005, http://docs.oasis-open.org/office/v1.0/OpenDocument-v1.0-os.pdf
[ODSPEC11] Open Document Format for Office Applications (OpenDocument) v1.1, OASIS Standard, February 1, 2007, http://docs.oasis-open.org/office/v1.1/OpenDocument-v1.1.pdf
[OXSPEC] Office Open XML file format - Standard ECMA-376, http://www.ecma-international.org/publications/standards/Ecma376.htm
[OSFP] OOo scripting framework and Python, http://udk.openoffice.org/python/scriptingframework/index.html
[OOoPy] OOoPy, a Python module for editing OpenDocument, http://ooopy.sourceforge.net
[MS06-065] Secunia advisory on MS06-065, http://secunia.com/advisories/20717
[XPS] Microsoft XML Paper Specification - XPS, http://www.microsoft.com/whdc/xps/default.mspx
[IEASCII] http://www.securityfocus.com/archive/1/437948