Mathcad Local User Security Mechanism Bypass Vulnerability

Vulnerability ID 1191611 Vulnerability type Unknown
Published 2007-02-22 Updated 2007-02-22
CVE ID CVE-2006-7037 CNNVD ID CNNVD-200702-421
Platform N/A CVSS score 4.4
|Sources
https://www.securityfocus.com/bid/86839
https://cxsecurity.com/issue/WLB-2007030003
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200702-421
|Details
Mathcad versions 12 through 13.1 allow local users to bypass security mechanisms by editing the XML representation of a worksheet directly with a text editor or a similar program. An attacker can (1) bypass the password protection by substituting a password field with known password information, (2) modify the timestamp to evade modification detection, (3) unlock an area by removing the "is-locked" attribute, and (4) view the locked data in plain text.
|Exploit
Description of Vulnerability

============================

One of the features of Mathcad (www.mathsoft.com) is allowing the user to define "Areas". Mathsoft say that "You can use areas to protect, lock, or hide information or equations in your worksheets" and that "You can also protect the contents within the area, so no one else can edit them".

Whilst this is true, it is also very easy to unlock these Areas without needing the password. In the newer versions of Mathcad (12 onwards) the sheets are stored in XML format. This provides an easy means of altering the Mathcad sheet, as it is simply plain text. There are 4 vulnerabilities in the way the Area locks work:

1.      Password - This attribute is stored as a hashed text string. However the hashes produced for the same word on different sheets are always identical. For example "XfAPUVYgXPg=" represents the string "password", and could be used in any sheet. So it is possible to create another Mathcad sheet, lock an Area with a known password and then use a text editor to copy and paste the known password over the unknown one.

2.      Timestamp - Like the password string, this can also be changed to be any value. So the sheet could be unlocked, modified, relocked and then the date of the relocking could be changed to be the original lock date.

3.      Complete removal of lock - Inside the Area tag there is an "is-locked" attribute. When a lock has been enabled this is set to true. However, to remove the lock all that needs to be done is change this value to false. For completeness the "timestamp" attribute should be changed to an empty string and then the "password" attribute removed, although these last two changes are not needed to unlock the Area.

4.      Protection can be bypassed completely - The data stored in the locked area can also be viewed in a text editor. So this could also be copied and pasted into another sheet, without the lock protection section.
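The four items above share one root cause: every lock attribute lives in the worksheet itself as editable plaintext, so the file's own claim of being locked is no evidence that it was not modified. The integrity check below is an added example (not from the advisory or from Mathsoft) of the only thing that does detect such edits: a keyed MAC over the file, kept outside it. The `<area>` element name, the sample worksheet, and the owner key are constructed; the attribute names and the hash of "password" are the ones the advisory quotes.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample worksheet. The real Mathcad 12/13 schema is not given in
# the advisory: the <area> element name is an assumption, while the is-locked /
# timestamp / password attribute names and the hash value are quoted from it.
SEALED_SHEET = b"""<?xml version="1.0"?>
<worksheet>
  <area is-locked="true" timestamp="2006-06-08T10:00:00" password="XfAPUVYgXPg=">
    <math>x := 42</math>
  </area>
</worksheet>"""

# Secret held by the sheet's owner and never stored in the sheet (constructed).
OWNER_KEY = b"constructed-demo-key-kept-out-of-the-worksheet"


def lock_state(sheet_bytes):
    """What the file itself claims about each area: (is-locked, timestamp, password)."""
    root = ET.fromstring(sheet_bytes)
    return [(a.get("is-locked"), a.get("timestamp"), a.get("password"))
            for a in root.iter("area")]


def seal(sheet_bytes, key):
    """HMAC-SHA256 over the exact file bytes; store the tag in a manifest, not the sheet."""
    return hmac.new(key, sheet_bytes, hashlib.sha256).hexdigest()


def verify(sheet_bytes, key, tag):
    """True only if the bytes are exactly those that were sealed (constant-time compare)."""
    return hmac.compare_digest(seal(sheet_bytes, key), tag)


def audit(sheet_bytes, key, tag):
    """Report both views side by side. A sheet whose areas still claim is-locked="true"
    but which fails the MAC has been edited in place, e.g. a swapped password or timestamp."""
    return {"claims_locked": all(s[0] == "true" for s in lock_state(sheet_bytes)),
            "integrity_ok": verify(sheet_bytes, key, tag)}


if __name__ == "__main__":
    tag = seal(SEALED_SHEET, OWNER_KEY)
    # The timestamp edit from item 2, applied to the constructed sample: the parser
    # sees an intact lock, only the out-of-band tag reveals the change.
    retimed = SEALED_SHEET.replace(b"2006-06-08T10:00:00", b"2006-06-01T10:00:00")
    print(audit(SEALED_SHEET, OWNER_KEY, tag))  # {'claims_locked': True, 'integrity_ok': True}
    print(audit(retimed, OWNER_KEY, tag))       # {'claims_locked': True, 'integrity_ok': False}
```

The tag has to be recomputed by the owner after every legitimate edit; anyone who can edit the sheet but does not hold the key cannot produce a matching tag, whatever the lock attributes say.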

Affected Versions

=================

12,

13,

13.1

(all prior ones are not vulnerable)

Exploit PoC

===========

None required, use a text editor.
|Affected products
Mathsoft Mathcad 13.1 Mathsoft Mathcad 13 Mathsoft Mathcad 12
|References

Source: XF
Name: mathcad-locked-area-security-bypass(27118)
Link: http://xforce.iss.net/xforce/xfdb/27118
Source: XF
Name: mathcad-islocked-security-bypass(27117)
Link: http://xforce.iss.net/xforce/xfdb/27117
Source: XF
Name: mathcad-timestamp-security-bypass(27116)
Link: http://xforce.iss.net/xforce/xfdb/27116
Source: XF
Name: mathcad-area-password-security-bypass(27115)
Link: http://xforce.iss.net/xforce/xfdb/27115
Source: BUGTRAQ
Name: 20060608 Mathcad Area Lock Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/436441/30/4560/threaded
Source: SREASON
Name: 2305
Link: http://securityreason.com/securityalert/2305