Mathcad Area Lock Vulnerability

Published: 2007.03.02
Credit: mail - (bugtraq firewraith co uk)
Risk: Medium
CWE: N/A
CVE: CVE-2006-7037
Local: No
Remote: Yes

CVSS Base Score: 4.4/10
Impact Subscore: 6.4/10
Exploitability Subscore: 3.4/10
Exploit range: Local
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Description of Vulnerability

============================

One of the features of Mathcad (www.mathsoft.com) is allowing the user to define "Areas". Mathsoft say that "You can use
areas to protect, lock, or hide information or equations in your worksheets" and that "You can also protect the contents
within the area, so no one else can edit them".

Whilst this is true, it is also very easy to unlock these Areas without needing the password. In the newer versions of
Mathcad (12 onwards) the sheets are stored in XML format. This provides an easy means of altering the Mathcad sheet, as
it is simply plain text. There are 4 vulnerabilities in the way the Area locks work:

1. Password - This attribute is stored as a hashed text string. However, the hashes produced for the same word on
different sheets are always identical. For example "XfAPUVYgXPg=" represents the string "password",
and could be used in any sheet. So it is possible to create another Mathcad sheet, lock an Area with a known password
and then use a text editor to copy and paste the known password over the unknown one.

2. Timestamp - Like the password string, this can also be changed to be any value. So the sheet could be unlocked,
modified, relocked and then the date of the relocking could be changed to be the original lock date.

3. Complete removal of lock - Inside the Area tag there is an "is-locked" attribute. When a lock has been
enabled this is set to true. However, to remove the lock all that needs to be done is change this value to false. For
completeness the "timestamp" attribute should be changed to an empty string and then the "password" attribute removed,
although these last two changes are not needed to unlock the Area.

4. Protection can be bypassed completely - The data stored in the locked area can also be viewed in a text editor.
So this could also be copied and pasted into another sheet, without the lock protection section.
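As an added defensive example (not part of the advisory or of Mathcad itself), the following Python script audits the "is-locked", "password" and "timestamp" attributes described above in a worksheet's XML and records a content digest outside the file, since the in-file lock cannot prove that a locked Area is unchanged. The element name `area`, its `id` attribute, the `worksheet` root and the sample worksheet are assumptions constructed for the example.

```python
"""Audit Mathcad XML worksheet Areas for the lock weaknesses described above.

The lock data (is-locked / password / timestamp) is plain-text XML, so it
proves nothing about integrity. This script flags suspicious lock data and
keeps a SHA-256 digest of each locked Area that can be stored out-of-band
(e.g. in a signed manifest) and re-checked later.
Element name 'area', attribute 'id' and root 'worksheet' are assumptions.
"""
import hashlib
import xml.etree.ElementTree as ET

# Hash quoted in the advisory: "XfAPUVYgXPg=" is the string "password".
KNOWN_WEAK_HASHES = {"XfAPUVYgXPg=": "password"}

# Constructed sample worksheet (not a real Mathcad file).
SAMPLE_XML = """<worksheet>
  <area id="a1" is-locked="true" timestamp="2007-03-01T10:00:00" password="XfAPUVYgXPg=">
    <math>x := 42</math>
  </area>
  <area id="a2" is-locked="true" timestamp="">
    <math>y := x + 1</math>
  </area>
  <area id="a3" is-locked="false">
    <math>z := 0</math>
  </area>
</worksheet>"""


def area_digest(area):
    """SHA-256 over the serialized children of an Area (its protected content)."""
    payload = b"".join(ET.tostring(child) for child in area)
    return hashlib.sha256(payload).hexdigest()


def audit_areas(xml_text):
    """Return {area_id: [findings]}; an empty list means nothing suspicious."""
    report = {}
    for area in ET.fromstring(xml_text).iter("area"):
        findings = []
        locked = area.get("is-locked") == "true"
        pw = area.get("password")
        if locked and pw is None:
            findings.append("locked without password attribute")
        if locked and not area.get("timestamp"):
            findings.append("locked without timestamp")
        if pw in KNOWN_WEAK_HASHES:
            findings.append("password hash matches known value '%s'" % KNOWN_WEAK_HASHES[pw])
        report[area.get("id")] = findings
    return report


def make_record(xml_text):
    """Out-of-band integrity record: {area_id: sha256} for every locked Area."""
    return {a.get("id"): area_digest(a) for a in ET.fromstring(xml_text).iter("area")
            if a.get("is-locked") == "true"}


def verify_against_record(xml_text, record):
    """Return ids of recorded Areas whose content no longer matches the record."""
    return [a.get("id") for a in ET.fromstring(xml_text).iter("area")
            if a.get("id") in record and area_digest(a) != record[a.get("id")]]
```

Run `audit_areas(SAMPLE_XML)` to see the findings, and store the output of `make_record` separately from the worksheet so that `verify_against_record` detects edits the lock itself cannot.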

Affected Versions

=================

12, 13, 13.1 (all prior ones are not vulnerable)

Exploit PoC

===========

None required, use a text editor.

Copyright 2014, cxsecurity.com