MS08-043 : How to prevent this information disclosure vulnerability

In this month’s update for Excel we addressed an interesting CVE (CVE-2008-3003) – the first vulnerability to affect the new Open XML file format (but it doesn’t result in code execution). This is an information disclosure vulnerability that can arise when a user makes a data connection from Excel to a remote data source and checks a checkbox to have Excel NOT save the password used in that connection to the file. The checkbox had no affect when saving the file in the new Open XML (.XLSX) file format and the password was thus errantly saved to the file – thus the vulnerability. So in case you haven’t heard – the new Open XML files (the Office files that end with an ‘x’ in the extension i.e. .docx, .xlsx., .pptx) are actually ZIP containers! In fact if you change the file extension to .ZIP you can open the new Office Open XML files in Winzip or the Windows shell to check out the contents for yourself without the need of fancy hex editor. If you do that – what you will see is mostly a bunch of XML files and image files (assuming you have images in your Office apps) inside. As it turns out – to verify / repro this bug report – all that was needed was the Windows shell (to open the renamed Office ‘.zip’ file) and Notepad (to edit one of the XML files inside). In fact the Windows shell and Notepad are all that’s needed to work around this bug (as detailed in the workarounds section of the bulletin for this vulnerability) and remove the accidentally leaked information from your .XLSX files!

Here’s how you can inspect an .XLSX file to see if it has an improperly saved database connection password in it and how you can remove it and fix the file up yourself!

  • Make a backup copy of the XLSX file that you will be editing.

  • On a Windows XP or Windows Vista machine change the file extension of the affected .XLSX file to .ZIP

  • Using the Windows shell (i.e. Windows Explorer) open the ZIP file by double clicking on it and then double click on the ‘XL’ folder inside.

  • In the ‘XL’ folder click on ‘connections.xml’ and drag it out of the ZIP file to a local folder or your desktop.

  • Right-click on the ‘connections.xml’ file and select ‘Open With’ and then choose ‘Notepad’

  • Locate the string “connection=” and then search for “PWD=” later in that string. Remove any characters after the “PWD=” and before the “;” characters as these are the improperly saved password for the connection. For example if you have an XLSX file with a saved connection password you might see a string like the following in connections.xmls:
  • <?xml version=”1.0″ encoding=”UTF-8″ standalone=”yes”?><CONNECTIONS xmlns=””>
    <CONNECTION id=1 saveData=”1″ background=”1″ refreshedVersion=”3″ type=”1″ name=”Query from Test Machine”>
    <DBPR command=”SELECT * FROM FOO” connection=”DRIVER=SQL Server;SERVER=SQLSERVER;UID=sa;PWD=sa;APP=2007 Microsoft Office system;WSID=CLIENT;DATABASE=master”>

  • Save the connections.xml

  • Drag the connections.xml file back into the ZIP folder making sure to place it in the ‘XL’ folder inside the ZIP file.
      a. NOTE: Some applications such as Winzip will default to placing the file at the root of the ZIP archive and will not overwrite the file in the ‘xl’ folder by default.

  • Change the file extension of the ZIP file back to XLSX and then open the document in Excel 2007, click on the ‘Data’ menu and then click ‘refresh all’ in the connections part of the ribbon and verify that you are prompted for the password.

– Security Vulnerability Research & Defense Bloggers
*Postings are provided “AS IS” with no warranties, and confers no rights.*