File Name: CryptedDocxHider
File Submitter: joakim
File Submitted: 15 Dec 2011
File Category: Security
These tools are also about data hiding and implement a tiny nice trick that fools Word when opening encrypted documents. Specifically, there appears to be a flaw in Word 2003/2007/2010 that fails to identify certain erroneous crypt headers. This flaw leads Word to decrypt the docx and open what appears to be an empty document, while the actual document is kept "invisible". And of course no error message is presented with any indication that anything might be wrong. The flaw affects Word 2003 (with compatibility pack), 2007 and 2010, and I have tried both Norwegian and English versions. The document must first be encrypted in 2007 for the trick to work. In 2010 the default encryption scheme changed and the trick apparently no longer works. That means:
- A docx encrypted in 2007 will have the trick work in 2003, 2007 and 2010.
- A docx encrypted in 2007, and later saved/modified in 2010, will have the trick work in 2003, 2007 and 2010.
- A docx encrypted in 2010 with default encryption settings, will not have the trick work in any version.
- A docx encrypted in 2010 with CompatMode configured in registry (see below), will have the trick work in 2003, 2007 and 2010.
Excel and PowerPoint seem not to be affected by the flaw. OpenOffice will ask for the password and then just silently exit in the background without giving any error message.
Registry mod for 2010.
To create docx files from within 2010 with the trick working, we must modify the registry so that 2010 uses the encryption method used in 2007. Merge this into the registry right before you create the docx, and remove it after the docx is created. When such a docx with 2007 encryption is worked on in 2010, the encryption method is kept while just some header changes are made.
Windows Registry Editor Version 5.00
So what is the trick?
It is simply a matter of injecting 0x00 bytes right before the encrypted data. Testing reveals that a minimum of 8 bytes must be injected (i.e. 7 bytes will trigger an error message). The encrypted data usually starts at either 0x1000 or 0x1400.
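As an added example (not the submitted tool's code and not something from the original post), the following Python script shows what the 8-byte minimum looks like from the receiving side and how a scanner could flag such a document. It assumes that the "crypted data" above is the EncryptedPackage stream of the compound file, whose first 8 bytes are, per MS-OFFCRYPTO, a little-endian StreamSize giving the size of the decrypted package; under that assumption, 8 or more injected zero bytes make the declared size read as 0 (an "empty" document), while 7 shift a real byte into the top of the size field and produce an impossible size (an error). The stream contents below are constructed filler, not real Office ciphertext, and the checks are a detection heuristic, not a description of Word's internal behaviour.

```python
import struct

# Layout assumed here (MS-OFFCRYPTO "EncryptedPackage" stream): an 8-byte
# little-endian StreamSize giving the size of the decrypted package, then the
# ciphertext. The ciphertext below is constructed filler, not real Office output.
PLAINTEXT_SIZE = 100
FAKE_CIPHERTEXT = bytes(range(1, 113))       # 100 bytes rounded up to a 16-byte block
NORMAL_STREAM = struct.pack("<Q", PLAINTEXT_SIZE) + FAKE_CIPHERTEXT

# The modification the post describes, applied to the constructed stream:
# zero bytes placed in front of the encrypted data.
HIDDEN_STREAM = b"\x00" * 8 + NORMAL_STREAM  # 8 bytes: the post reports an "empty" document
BROKEN_STREAM = b"\x00" * 7 + NORMAL_STREAM  # 7 bytes: the post reports an error message


def leading_zero_run(stream: bytes) -> int:
    """Number of consecutive 0x00 bytes at the start of the stream."""
    count = 0
    for byte in stream:
        if byte != 0:
            break
        count += 1
    return count


def parse_encrypted_package(stream: bytes) -> dict:
    """Read the StreamSize header and measure the ciphertext that follows it."""
    if len(stream) < 8:
        raise ValueError("stream too short to hold an 8-byte StreamSize header")
    (declared,) = struct.unpack_from("<Q", stream, 0)
    return {
        "declared_size": declared,        # what a reader thinks the plaintext size is
        "payload_len": len(stream) - 8,   # bytes actually available as ciphertext
        "leading_zeros": leading_zero_run(stream),
    }


def classify(stream: bytes) -> tuple:
    """Verdict for one EncryptedPackage stream: ('ok' | 'suspicious' | 'corrupt', reason)."""
    info = parse_encrypted_package(stream)
    declared, payload = info["declared_size"], info["payload_len"]
    if declared == 0 and payload > 0:
        # The state eight or more injected zeros produce: the header says there is
        # nothing to decrypt while ciphertext is still present behind it.
        return "suspicious", (f"declared plaintext size is 0 but {payload} ciphertext "
                              f"bytes follow ({info['leading_zeros']} leading zero bytes)")
    if declared > payload:
        # Fewer than eight injected zeros push real bytes into the high end of the
        # size field, so the declared size can never fit in the stream.
        return "corrupt", f"declared plaintext size {declared} exceeds {payload} ciphertext bytes"
    return "ok", f"declared {declared} bytes, {payload} ciphertext bytes"


def strip_injected_zeros(stream: bytes, count: int) -> bytes:
    """Undo a known injection of `count` zero bytes and confirm the result parses cleanly."""
    if leading_zero_run(stream) < count:
        raise ValueError("stream does not start with that many zero bytes")
    restored = stream[count:]
    verdict, reason = classify(restored)
    if verdict != "ok":
        raise ValueError(f"restored stream still looks wrong: {reason}")
    return restored


if __name__ == "__main__":
    samples = [("normal", NORMAL_STREAM), ("hidden", HIDDEN_STREAM), ("broken", BROKEN_STREAM)]
    for name, data in samples:
        verdict, reason = classify(data)
        print(f"{name:7s} {verdict:10s} {reason}")
```

To run the same check against a real document, extract the stream first; the `olefile` package can do that with `olefile.OleFileIO(path).openstream("EncryptedPackage").read()`, which also takes care of locating the stream inside the compound file (the post notes the data usually sits at 0x1000 or 0x1400). A declared size of 0 with ciphertext behind it is the condition worth alerting on; a digitally signed docx, as the post notes, would fail signature checks instead.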
For what use?
Hide your original docx. If asked for a password, give it and an empty document is all that shows up. Anyway, a funny trick.
If you open and save the "empty" document, the original document will be lost. If the encrypted docx is also digitally signed, the trick will not work.
The hider is compiled as a console application and can take 2 parameters. The first is a valid docx file path, and the second is the number of bytes to inject. If not used from the command line, just double-click it and a file-open dialog will be presented (a default of 16 bytes is injected if the parameters are not used).
CryptedDocxHider.exe "%CD%\mytest.docx" 32
CryptedDocxHider.exe D:\tmp\mytest.docx 8
The unhider is similarly compiled, but does not take a second parameter, i.e. 1 parameter is needed and it must be the full path to your docx. Or just double-click the exe and a file-open dialog will be opened.
Just note that any error messages will not be seen if the exes are double-clicked and not run from the command line.
Test the included file "joakim.docx" by opening it in Word. The encryption password is "joakim". Now run CryptedDocxUnHider on the file and reopen it in Word.
Any discussion would preferably be at: http://reboot.pro/16008/