Bradley Mountford, a digital forensics expert, today discovered a security vulnerability in Microsoft Office Excel 2007 regarding login information of external data sources.
Basically, there are two sides to this issue, if you password protect an entire Excel 2007 document entirely, it’s no longer a true XML document, rather, it’s an XML document wrapped in an OLE container1. If you tell your Excel document NOT to save the password to your data connection, but only password protect the Excel document against edits (not reads and edits), the password IS saved — in plain text!
Here’s how to recreate the issue:
- Create new MS Access database.
- Open the new DB in Exclusive mode.
- Create a simple table to query.
- Go to the Database tools tab, choose “Encrypt with Password”, and set your password (“grapes” for this example).
- Create a new Excel worksheet.
- Open the new worksheet and select a Cell.
- Choose the Data tab and then “From other sources” and select “From Microsoft Query”.
- Choose “MS Access Database*” and browse to the DB you just created.
- Enter the password when prompted and select the data to be returned to Excel.
- The query should populate. Now lets make sure we are not saving the password (or at least that we are telling Excel not to).
- Select the “Data” tab and click “Connections”.
- Double click the query to bring up the properties sheet.
- Select the “Definition” tab and ensure that the “Save Password” box is unchecked (default).
- If you open the Excel document with notepad, the passwords do not appear in plaintext. Great!
- Now for some fun. Rename your excel doc to a .zip from .xlsx
- Open the zip and then open the “xl” directory.
- Now open the connections.xml file and Ta Da! There is your PWD plain as day.
If you encrypt the workbook with a password to open, you are okay, but a password to edit is not enough and you can still see the PWD.
What all this boils down to is: If you select the option not to save the password in Excel, why is Excel saving in the XML?
Files:
- Excel Spreadsheet(Note: the data connection is hard-coded to a specific path to the database)
- Access Database
- Both, zipped
Related:
- OOXML: Defective by Design?
- OOXML: Security Flaw Found, Microsoft Lies About It Again, African Revolt Against It, and ISO in Great Danger
Hi Joe,
I read with interest your recent blog post on Excel 2007 storing data connection passwords as plaintext. I don’t know if you’ve seen by blog or not, but I’ve covering a lot of technical flaws in the new Office Open XML (OOXML) formats that Office 2007 has introduced. This format is currently undergoing a ballot at ISO for approval as an International Standard.
I’d love to find out if this password was stored in the defined OOXML schema, or whether this is an undocumented extension to OOXML. Most of the protections in OOXML don’t involve storing the password directly, but by storing a 1-way hash of them, typically SHA-1. Personally I think SHA-1 is the wrong choice here, but that is a story for another day.
Since I don’t have MS Access on my laptop, I was wondering if I could get a copy of your test document, or at least a copy of the connections.xml ?
Thanks,
-Rob
I don’t know if the data connection(s) password(s) is(are) defined in the OOXML spec or not.
Even a salted or SHA-1 password would be better than plain-text like we have now. Maybe someone in the Office Team (or OOXML Team) at Microsoft would care to answer that question for us (whether or not password storage/encryption is defined in or a proprietary extension to the OOXML spec).
The interesting part is that regardless of user selection, Excel 2007 DOES save the password in the .XML. That’s more an Excel bug than anything, but a substantial one at that. Once they recognize and fix that we’re back to the point you brought up about encrypting/salting passwords stored in the XML.
I’ve put in a request with the digital forensics expert for his sandbox files and will attach them to the post when he is able to do that for me.
Thanks for the feedback, Rob!
– http://www.JoeLevi.com
Rob, I’ve edited the original post and provided links to the files. Please note that the data connection is hard coded to a specific path.
– http://www.JoeLevi.com
This part of the XML is defined in Section 3.13.3 of the SpreadsheetML reference materials. The specification say of the dbPr element:
“The connection string is used to make contact with an OLE DB or ODBC data source. These can be constructed in a variety of ways (from UI wizards built into the data provider code, to external query applications, to advanced users editing text files). The spreadsheetML application need not understand the connection syntax at all; it can simply pass the command string to the data provider API in order to re-establish a
connection with the external data source.”
So it says nothing explicity about passwords. But it does seem like a defect that Excel is storin plain text password here.