CG - Backdooring MS Office Documents with Secret Master Keys - Shigeo Mitsunari & Yoshinori Takesako

walk pick

they gave

sh

uh so just before we begin there is no session after this one so we can have questions go past 12:30 uh if you do have a question just come up to the mic other than that I'll turn it over to Yoshi to take it away hello my name is Yosh takak uh it's a very long name so uh it's difficult for us so please call me Yoshi uh it's short name uh I came from Tokyo Japan this side Las Vegas is the first time for me yeah who am I uh I am a chairman of the second second is the largest security city of contest in Japan I am a city organizer and a challenge Creator I am

also on the open web application security project uh was Japan Advisory Board and I am a revie board of for the Cod which is the biggest International Security conference in Japan okay uh second sh with is one of the death con qualifing contest in this year uh in this year about 2,500 people took part in the second she death qualifier from about 58 countries around the world we held the international Second City final competition in this year at Tokyo Japan finally Korean haaker team had won that was great I want to show the N Kai second customized Mark 2 uh this is a real time visualization system for the attack and defense batter of CTF

okay I'll show the

MBE yeah this realtime visualization system was developed by the National Institute of information and Communications technology n in Japan the orange hexagon prism is showing the 24 teams competing in the finals the blue hexagon prism surrounding it shows the city of challenge servers and their current stage the yellow exteral prism shows the team to solve the challenge the traffic between the team and the challenge servers are shown in real time it's a team display G uh when the team the orange hexagonal prism get enlarged the IP address gets shown as a crystal and trophic between individual IP addresses and the display each te the hexagonal prism is divided horizontally into two layers displaying the the current attack and

defense points uh this is Tower mold the CH St up in the to the orange hexagon pris representing the teams GL as teams accumulated more points the Orange Lines shooting to represented the te attacking the challenge servers yeah this is a top yeah it's per okay

I just want to speak a bit louder later Lou a little bit louder okay okay okay I talk about backing Microsoft Office document with secret master case we made a lot of CF challenges such as excesses revering bone and cryptography at seon sh DF project when I created some cryptography challenges I found that this backr problem uh Microsoft Office 2010 or later version employee agile imption algorithm in the o x documents we found a vulnerability in the file format specification that can allow an attacker to read decrypt strongly anded documents with the password this is possible by tracking Microsoft Office into incre uh into create creating an undetectable secret master key when it creates encrypted

documents uh Microsoft has standardized the ox file format by euma International uh it is not open Office XML format uh open Office is a Lial application for Microsoft so office open XML format is correct uh you can see that doc X suffix from F name uh and you know it is a just a Jeep archive

file however when you encrypted the doc x file it will become an old CL clal doc file format this encryp doc x file has a doc X sux but it is not the gep AR file you can see that the file hex damp header d0 cf11 e0 uh it is a do file read ch um all the classical doc file format has been standardized as a Ms CFB uh this specifications documentation was opened by Microsoft uh I think it is a great job yeah uh Ms CFB file format has some many fat sectors U miniat has a uh 64 by small sector size and many fat sectors are in the standard chain in the fat

structure and this is a figure of a file layout of incubated Doc XY uh any encrypted doc x file have this file in Min fat sectors uh encryption package is a binary file which was encrypted from original doc X GP file object encryption in is very important information for these encryption

parameters Microsoft opened this uh office cryptography and structures as MS Office crypto uh we try to read the uh this document carefully yes we can read the binary of docs X5 here yeah um if you want to protect your document with passwords in Microsoft Office you can use password to help prevent other people from opening or modifying your document select the protect documents menu on in information tab you can choose some Sub menu when you select encrypt with password the encrypt doc doent dialogue box appears in the password box uh type of password and confirm password then encrypted doc X is

saved there are another manipulation you can select the save as menu and push a tool button and to gener General option then you can input the password just the same [Music] way it is important to know that you don't forget the password uh because Microsoft cannot retrieve your forgotten passwords uh if you forgot the password we cannot retrieve the original documents but it is true I cannot decrypt

actually for then this occurs there are password recovery software uh o hashcat is one of the famous password recovery tools by command line if you want to crack password protected Microsoft Office documents uh type this command it is very easy uh recently o hashcat supports gpgpu power and supported new off document Ox file format before you have to ex direct to Hash value from encrypted file by offic2 john. pH uh py uh this is a python script okay there are another password recovery software with simple user interface uh I use the passw covery commercial Edition which is very powerful password recovery tool it's very simple graphic user interface only clicking click click click it can

decate I evaluated comparing the decription time of password cracking there are some destion file format uh classic G file and AES gep and all the do file and uh new Doc X Files you can see that uh doc X Files are very strong against the Blue Force

attack password consist of Latin small characters and Latin Capital characters and digits and special symbols characters if the password rage is eight uh time required to decrypt the encrypted classic G file by Blue Force attack was uh 15 minutes it's ention key bit is only uh 196b um wiip has a uh as encryption time required to decrypt the encrypted a new wiep five by Brute Force attack was six days time required Blu Force attacking has increased uh gradually with office versions is

newer this is a PO password and password consist of Latin small characters and Latin Capital characters and digit characters uh if the password R is eight uh doc X is time required of force attacking was about 20,000 years with office version is 201 1 now it's very long time I think so uh password consists of uh 97 letters which it includ Latin small characters and Latin Capital characters and digit and special shamol characters if the password rength is eight uh with 2013 do X time requireed the BL Force attacking was about 67 million years and if the password rank a 10 uh you will not able to decrypt even coming the next big bang yeah it's

perfect uh this program callede is a password cor uh password checking and decoding algorithm uh please attention the line that the secret key is used the code that data is dependent on only secret key and the key data sort by uh it is not dependent on password I think this this is a problem I will show another picture uh figure uh this is a figure of dependency of value in decoding decoded content is dependent on only secret key and key data sort value it is not not dependent on password it is uh problem no okay this is a figure of dependency of values in encoding encryption uh there are problem with generating the secret key the secret key used in AES

encryption needs to create an unique key with Lambda dat

so if the key is long enough and was created with truly random data then it is th to be extermin difficult to crack however if the secret key was chosen in uh predictable manner then it will be easy to crack the Integrity of secure random generators both software and Hardware based uh imperative for strong [Music]

encryption so we made the encryption and decryption tools for new Microsoft Office doc X and xlx and pbtx F command uh we call the MS script. ex uh this is a usage of this

tools i' would like to introduce my friends sh mitar is a software developer and researcher at cyos company uh he developed this MS Office CP EXA to uh I was working together with him uh he's a a coor of this paper okay uh msf script command has a decode with inputed password option uh it is minus D and minus p uh type this command uh then one ex generated them one under the decoded EX and we made a decode with the master key options mode uh it is minus care option uh 0 01 1 22 3 44 55 EF okay and we the enode option it is minus C uh then we have a minus C and minus K

and minus B options we can make two encrypted files by another password with same master key oh and so it is [Music]

V okay I will show the some demos speaker yeah okay in this demo uh demo one ex is encrypted with the password B the target software is Microsoft Excel uh 20 1 demo 2 x LX is encrypted with another password P ss12 C4 however Microsoft offic was manipulated to implant the hidden master key when these files were created therefore uh these files can be easily decrypted by same master key without any need to prove Force the password in this example the master key is set to 0 01122 33 and then FF 01122 FF okay okay I will show the

demo okay there are demo one XLS uh type password p uh password language is for yeah this is very privacy data so I want to prct it uh this document F and change a password uh BS 1 2 3 4 pass r eight uh demo two EXs and selected the generate gener option type pass PS 1 2 3 4 I'll re type the bs1 to C4 okay okay that's

save okay it's generated a demo to uh XLS type the uh p ss1 2 3 4 this is uh password L8 okay so we made the MSO script exit to the code option with secret master key mode so it can decode it's easily and it's a same key same master

key so no require your password just and start demo to yeah yeah don't recate the uh password um minus B option is a buus mode so uh they show the some hex

down this is SEC ke 1 1 2 24 [Music]

okay

okay so I consider the attack VOR uh first attack Vector is that an can replace the lter generation function by Windows API hooking there are so many API hooking techniques uh IAT input address table function hooking is one of the famous Windows AP hooking technique

next and moreover there are windows API overlight 32 and 64 application it is very nice software uh I like it yeah and Microsoft research uh created a general purpose function working in library did to us it can easily F the application by D injection uh in this case I can hook the cryptogenic uh s. D then hook the uh cryptog Jen London function always return return the fixed value uh z x 33 363 in other case I can f the CP gen random function on all the windows API hook shj random function always return the fixed value which is a not Rand

value in another case I can f the RTL random get bites function on s3. D which is used by Li Office application I can the randomness on my own computers okay second vctor is that some attacks can replace the random generator in embedded Hardware [Applause] chips uh Intel developed the lead random instruction in the hardware chips uh qu7 so on it's generated truly l by Intel's new hardware chips of course is this C the proced device SL random generat a virtually add stream of LOM numbers on G reux systems uh which are crucial for encrypting information in Secure manner a random is an interaction F in modern int Shu chips that stashed the high quality and high performance

enthropy

generated random number in the given CP register uh this hopefully uh unpredict values are but vital in producing secure session key new public private keys and pading in modern encryption technology it fed that Spooks within some government intelligence agencies have managed to PR in to H that interaction or otherwise ensure its output produces value that weaken the strength of encryption algorithms are relaying on that Rand of data L St answer is very short we use Al London as one of the many inputs into the London pool and we use it as a way to improve that London po so even IFD London were to be backed out by some government intelligence agencies our use of Al Lum actually

improved Pro improves that the quality of the ltime numbers you can get from SL Dev LOM so L Dev LOM seems like safety I think so that uh we can get the source code of Linux and this is because it can be verified binar on your own machines however part is the crow environment s attack vctor is that some attackers can use the predictable number generator secretly in Cloud environment uh recently Microsoft released on office online uh you can try this one as officer 2016 preview Edition uh the office application review on the Microsoft cloud system uh I think that we can not stop this cloud system movement now we should check how to the uh how

the cloud encryption algorithm and the encryption system is safety I think that is important things uh some industry companies become to have interested in safety and system okay conclusion recent Microsoft Office 2010 or later version Ox documents are normally encrypted very strongly making them difficult to Brute Force attack however there are techniques on attacker can use to secretly back these encrypted documents to make them trival to decrypt CR environment may be more dangerous uh than this as it is not possible for user to confirm the security of De encryption and it would be easy for cloud providers or Advanced attackers with access to do this croud providers to back encryption in and detected ways okay that's all uh thank you for

your attention uh and I want to say thanks for some supported members uh I'm not good at English thank you for your attention Okay okay that's [Applause] all so if you have questions just come up to the microphone I'm sure our speaker will stick around here for a bit

the