Theater security

by Volker Weber

Thorsten Delbrouck describes in this SecurityTracker post how to bypass Microsoft Office security features:

1.) Open a protected document in MS Word
2.) Save as "Web Page (*.htm; *.html)", close Word
3.) Open html-document in any Text-Editor
4.) Search "" tag, the line reads something like that: <w:UnprotectPassword>ABCDEF01</w:UnprotectPassword>
5.) keep the "password" in mind
6.) Open original document (.doc) with any hex-editor
7.) search for hex-values of the password (reverse order!)
8.) Overwrite all 4 double-bytes with 0x00, Save, Close
9.) Open document with MS Word, Select "Tools / Unprotect Document" (password is blank)

This is about the same level of security as the Notes client provides when locally enforcing the ACL. This can also be removed:

1. Open database in any hex-editor.
2. Find the range of bits between offset 0x16c and 0x1a7.This is the ACL.
3. Set any that aren't 00 to be 00.
4. Save the database.

Notes however does provide real security: Encryption.

Comments

Here's another way to get to the contents of a local database where the ACL is locally enforced:

Rename the nsf to ntf, copy it to your local data directory and use this as a template to create a new database. This will have all design elements and documents of the original db and you have manager access to it.

Indeed this doesn't enable you to edit documents in the original file but at least to see the contents of it.

Oliver Regelmann, 2004-01-04

I tried this Word thing, but didn't quite succeed...
I have a Word form from a client, which is supposed to become a project proposal. Since the form is designed for internal project proposals while I am doing an external one, I need to change some details. I already retrieved an unprotected version, but out of curiosity I wanted to check this out.
Saving the document as a web page, Word alerts me, that besides a text formating loss the form protection will be lost and I can continue or cancel. Continuing I cannot locate the mentioned tag in the resulting HTML file.
Any ideas on this?

Ragnar Schierholz, 2004-01-04

Simpler local ACL enforcement defeat strategy: change IDs. If you don't have another ID, make one. If the database has been carefully crafted to have default of no access, create an ID that matches a name or group that is in the ACL.

Alternatively, add the following line to your Notes.INI...
Disable_Local_Access_Control=1

Nathan T. Freeman, 2004-01-05

I thought the INI mod only worked in release 4.x? It's certainly never worked for me in 5, and it definitely doesn't in 6

Ben Poole, 2004-01-05

Recent comments

Armin Roth on Eve verbessert Aqua at 00:10
Armin Roth on And the winner is ... HomePod at 23:50
Erik Brooks on From my inbox at 20:09
Pierre Lalonde on This is where Microsoft takes their business this fiscal year at 19:36
Volker Weber on Lenovo Thinkbook :: Review eines Nutzers at 18:44
Lucius Bobikiewicz on Lenovo Thinkbook :: Review eines Nutzers at 18:43
Volker Weber on Lenovo Thinkbook :: Review eines Nutzers at 13:12
Jan Piotrowski on Lenovo Thinkbook :: Review eines Nutzers at 13:08
Armin Auth on Lenovo Thinkbook :: Review eines Nutzers at 12:04
Jan Piotrowski on Lenovo Thinkbook :: Review eines Nutzers at 11:08
Volker Weber on And the winner is ... HomePod at 09:22
Armin Roth on And the winner is ... HomePod at 09:21
Stefan Funke on ThinkPad X1 Yoga in der vierten Generation at 08:55
Jens Becker on From my inbox at 06:46
Stefan Heinz on From my inbox at 04:00
Volker Weber on Lenovo Yoga C930 :: Dieser PC wird zurückgesetzt at 16:48
Reinhard Fellner on Lenovo Yoga C930 :: Dieser PC wird zurückgesetzt at 16:39
Craig Wiseman on Gadget Reviewers vs Regular People at 14:56
Volker Weber on Neato Botvac D7 Connected :: Houston, wir haben ein Problem at 09:31
Patrick Bohr on Neato Botvac D7 Connected :: Houston, wir haben ein Problem at 09:06
Oliver Heinz on Amazon Prime Days :: Angebote nur für Prime-Kunden at 03:09
Kai Schmalenbach on Zwei Reaktionen at 15:23
Kristian Raue on Microsoft Surface Pen Stiftspitzen-Kit :: Ausprobiert at 23:10
Thomas Langel on Apple streicht alte MacBooks und senkt die Einstiegspreise :: Meine Alternative at 21:41
Dexter Ian on Android oder iPhone kaufen? Eine Antwort in 2500 Zeichen. at 16:57

Ceci n'est pas un blog

I explain difficult concepts in simple ways. For free, and for money. Clue procurement and bullshit detection.

vowe

Contact
Publications
Stuff that works
Amazon Wish List
Frequently Asked Questions

rss feed  twitter  amazon

Local time is 02:47

visitors.gif

buy me coffee

Paypal vowe