Office 2007 Vulnerability: Excel Stores Data Connection Password in Plain Text

Aug 27 2007

Office 2007 Vulnerability: Excel Stores Data Connection Password in Plain Text

by Joe

Bradley Mountford, a digital forensics expert, today discovered a security vulnerability in Microsoft Office Excel 2007 regarding login information of external data sources.

Basically, there are two sides to this issue, if you password protect an entire Excel 2007 document entirely, it’s no longer a true XML document, rather, it’s an XML document wrapped in an OLE container1. If you tell your Excel document NOT to save the password to your data connection, but only password protect the Excel document against edits (not reads and edits), the password IS saved — in plain text!

Here’s how to recreate the issue:

Create new MS Access database.
Open the new DB in Exclusive mode.
Create a simple table to query.
Go to the Database tools tab, choose “Encrypt with Password”, and set your password (”grapes” for this example).
Create a new Excel worksheet.
Open the new worksheet and select a Cell.
Choose the Data tab and then “From other sources” and select “From Microsoft Query”.
Choose “MS Access Database*” and browse to the DB you just created.
Enter the password when prompted and select the data to be returned to Excel.
The query should populate. Now lets make sure we are not saving the password (or at least that we are telling Excel not to).
Select the “Data” tab and click “Connections”.
Double click the query to bring up the properties sheet.
Select the “Definition” tab and ensure that the “Save Password” box is unchecked (default).
If you open the Excel document with notepad, the passwords do not appear in plaintext. Great!
Now for some fun. Rename your excel doc to a .zip from .xlsx
Open the zip and then open the “xl” directory.
Now open the connections.xml file and Ta Da! There is your PWD plain as day.

If you encrypt the workbook with a password to open, you are okay, but a password to edit is not enough and you can still see the PWD.

What all this boils down to is: If you select the option not to save the password in Excel, why is Excel saving in the XML?

Files:

Excel Spreadsheet(Note: the data connection is hard-coded to a specific path to the database)
Access Database
Both, zipped

Related:

Categories: Experimentation, Joe, activism, friends, technology

blog comments powered by Disqus

Conditions of Use…

READ CAREFULLY. The contents of this website are the opinion of its author and/or contributors. Furthermore, by viewing this website you agree, on behalf of your employer, to release me from all obligations and waivers arising from any and all NON-NEGOTIATED agreements, licenses, terms-of-service, EULA, shrinkwrap, clickwrap, browsewrap, confidentiality, non-disclosure, non-compete and acceptable use policies ("BOGUS AGREEMENTS") that I have entered into with your employer, its partners, licensors, agents and assigns, in perpetuity, without prejudice to my ongoing rights and privileges. You further represent that you have the authority to release me from any BOGUS AGREEMENTS on behalf of your employer. For further details refer to ReasonableAgreement.org. Additionally, persons working for or with (whether directly or indirectly) the MPAA and/or RIAA are hereby expressly forbidden from viewing these pages and infractions will be considered tresspassing, copyright violation, and harassment.

Some links and/or posts may be sponsored/paid.

Greener Living thru Technology

Bringing technology, quality of life, geek humor, tech politics, self-defense, and environmental stewardship together.

Office 2007 Vulnerability: Excel Stores Data Connection Password in Plain Text