Office Document Security and Privacy

Total pages: 16

File type: PDF, size: 1020 KB

Office Document Security and Privacy
Jens Müller, Fabian Ising, Christian Mainka, Vladislav Mladenov, Sebastian Schinzel, Jörg Schwenk

Overview
1. OOXML/ODF Basics
2. Denial of Service
3. Invasion of Privacy
4. Information Disclosure
5. Data Manipulation
6. Code Execution
7. Evaluation

1. OOXML/ODF Basics

History: Office Wars
• 1990: MS Office 1.0
• 2002: Star Office → OpenOffice.org
• 2006: OOXML + ODF standardization
• 2010: OpenOffice.org → LibreOffice

Two competing standards
  OOXML (ISO/IEC 29500)             ODF (ISO/IEC 26300)
  Office Open XML                   Open Document Format
  6500 pages                        800 pages
  (some) MS proprietary formats     re-use of SVG, MathML, XForms, …
  .docx, .xlsx, .pptx, …            .odt, .ods, .odp, …
  XML-based, Zip container          XML-based, Zip container

OOXML Directory Structure (figure)
OOXML Example (figure)
ODF Directory Structure (figure)
ODF Example (figure)

Attacker Model
• Victim opens malicious office document
• “Bad things” happen (attack-dependent)

2. Denial of Service: Deflate Bomb

Deflate Bomb
• max. compression ratio: 1:1023

3. Invasion of Privacy: URL Invocation, Evitable Metadata

URL Invocation
• Goal: “phone home” to attacker’s server once document is opened
• CVE-2020-12802

Evitable Metadata (figure; source: news.bbc.co.uk)

4. Information Disclosure: Data Exfiltration, File Disclosure, Credential Theft

Data Exfiltration
• Idea: victim obtains spreadsheet; user input values sent to attacker’s server

File Disclosure
• Idea: include local files on disk

Credential Theft
• Goal: obtain user’s NTLM hash
• Offline cracking
  – NTLMv2: modern GPU requires 2.5 h for eight chars
  – NTLMv1, LM: considered broken [Marlinspike2012]
• Pass-the-hash or relay attacks
  – Compare [Ochoa2008, Hummel2009]
  – Depending on Windows security policy

5. Data Manipulation: File Write Access, Content Masking

File Write Access
• Idea: XForms allow local file as target
• CVE-2020-12803

Content Masking: OOXML (figure)
Content Masking: ODF (figure: parsed by MS Office vs. parsed by LibreOffice)

6. Code Execution: Macros

Macros (figure)

Additional Findings
• CVE-2018-8161 (memory corruption)

One-Click RCE in LibreOffice
• We can write XML to arbitrary files
• LibreOffice config file itself is XML
• CVE-2020-12803

7. Evaluation

Evaluation (figure)

Countermeasures
• Removing insecure features
• User privacy by default
• Limitation of resources
• Elimination of ambiguities

Conclusion
• OOXML and ODF are complex formats
• Thorough analysis of dangerous features
• One-click pure logic chain RCE in 2020 ;)
Artifacts: https://github.com/RUB-NDS/Office-Security
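The deflate-bomb limit, the URL-invocation finding and the file-target findings above map onto checks a defender can run on a container before an office suite ever parses it, which is what the "Limitation of resources" countermeasure amounts to in practice. The following Python script is an added example written for this page; it is not code from the slides or from the RUB-NDS artifact repository. It decompresses every zip entry under a byte budget instead of trusting the sizes recorded in the zip headers, flags entries whose uncompressed-to-compressed ratio is implausible for real document XML, and lists attribute values in .xml and .rels parts that point to remote hosts, file: URLs or UNC paths (the same scan covers the XForms file-target case). The thresholds, the sample container produced by build_sample() and the host name example.invalid are assumptions chosen for the demonstration.

```python
import io
import re
import zipfile

# Limits are assumptions for this example, not values taken from the slides.
MAX_TOTAL_UNCOMPRESSED = 20 * 1024 * 1024   # budget for the whole container
MAX_PART_RATIO = 100.0                      # uncompressed : compressed per entry
CHUNK = 64 * 1024

# Attribute values that leave the document: remote URLs, file: URLs, UNC paths.
EXTERNAL_REF = re.compile(
    rb'=\s*"((?:https?|ftp|file|smb)://[^"]*|\\\\[^"]*)"', re.IGNORECASE)


def _read_bounded(zf, info, budget):
    """Decompress one entry, stopping as soon as it exceeds the remaining budget.

    The sizes recorded in the zip headers are attacker-controlled, so the bound
    is enforced on the bytes actually produced by the decompressor.
    """
    total, chunks = 0, []
    with zf.open(info) as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                break
            total += len(chunk)
            if total > budget:
                return total, True, None
            chunks.append(chunk)
    return total, False, b"".join(chunks)


def inspect_container(data: bytes) -> dict:
    """Inspect an OOXML/ODF zip container; report resource and reference findings."""
    findings = {"total_uncompressed": 0, "max_ratio": 0.0,
                "bomb_suspect": False, "malformed": False, "external_refs": []}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                budget = MAX_TOTAL_UNCOMPRESSED - findings["total_uncompressed"]
                size, truncated, body = _read_bounded(zf, info, budget)
                findings["total_uncompressed"] += size
                ratio = size / max(info.compress_size, 1)
                findings["max_ratio"] = max(findings["max_ratio"], ratio)
                if truncated or ratio > MAX_PART_RATIO:
                    findings["bomb_suspect"] = True
                if truncated:
                    break  # budget exhausted: stop decompressing altogether
                if info.filename.lower().endswith((".xml", ".rels")):
                    for m in EXTERNAL_REF.finditer(body):
                        findings["external_refs"].append(
                            (info.filename, m.group(1).decode("utf-8", "replace")))
    except zipfile.BadZipFile:
        findings["malformed"] = True   # e.g. CRC mismatch from lying headers
    return findings


def build_sample(bomb: bool, external: bool) -> bytes:
    """Constructed sample: a minimal docx-like container, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        rels = "<Relationships>"
        if external:
            # hypothetical external relationship; example.invalid is a reserved name
            rels += ('<Relationship Id="rId9" Type="hyperlink" '
                     'Target="http://example.invalid/ping" TargetMode="External"/>')
        rels += "</Relationships>"
        zf.writestr("word/_rels/document.xml.rels", rels)
        zf.writestr("word/document.xml", "<w:document/>")
        if bomb:
            # highly repetitive part: deflate packs it close to its 1:1023 limit
            zf.writestr("word/media/pad.bin", b"\0" * (2 * 1024 * 1024))
    return buf.getvalue()


if __name__ == "__main__":
    for name, sample in (("clean", build_sample(False, False)),
                         ("hostile", build_sample(True, True))):
        print(name, inspect_container(sample))
```

The total-size budget is the control that actually bounds memory and CPU, because a per-entry ratio can be kept just under any threshold by splitting the padding across many parts; the ratio check is a cheap early signal and its threshold should be tuned against a corpus of known-good documents, since sparse spreadsheets compress unusually well. Entries that hit the budget are abandoned mid-stream, so the decompressor never materialises more than the budget regardless of what the headers claim.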