__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
                       ___  __ __    _     ___
                      /       |     /_\   /
                      \___  __|__  /   \  \___
__________________________________________________________

                      INFORMATION BULLETIN

          Microsoft Office Documents Expose ODBC Passwords

September 25, 2002 24:00 GMT                                    Number M-127
______________________________________________________________________________

PROBLEM:       When an ODBC database query is used to import information into
               Microsoft Excel or Word, the username and password used to
               access the database are stored by default in the Office
               document, in clear text, along with the imported data. Anyone
               who receives that document can use it to access the database
               and download other, possibly sensitive, data, or can simply
               examine the file to read the username and password.

PLATFORM:      Windows and Macintosh versions of Microsoft Excel and Word that
               use ODBC to get data from an external database.

DAMAGE:        Documents passed to other users may directly give access to the
               underlying database, or can be examined to obtain the username
               and password needed to access the database.

SOLUTION:      Make sure your users know that these files can contain the
               username and password. For Excel, make the registry setting
               indicated below to disable the "Save password" check box, or
               remove the link to the external data with the Copy, Paste
               Special, Values method. For Word, make sure your users do not
               share their mail merge and data connection files.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM. Unprivileged users may gain access to
ASSESSMENT:    sensitive information in a database.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:  http://www.ciac.org/ciac/bulletins/m-127.shtml

 INFORMATION:    XL2000: How to Avoid Saving Password in Text File When You
                 Get External Data (Q253300)
                 http://support.microsoft.com/support/kb/articles/Q253/3/00.asp

                 ACC2000: How to Use a Secured Database in Word Mail Merge
                 (Q208933)
                 http://support.microsoft.com/support/kb/articles/Q208/9/33.asp
______________________________________________________________________________

It was brought to our attention that Microsoft Word and Excel documents whose
content is based on an ODBC query to an external database have the username
and password for the query embedded in clear text within the document. We
tested this with several ODBC drivers (Access, dBase, Oracle) and found that
the default is to save the username and password along with the query that
generated the data. This is not an unknown behavior, as the Microsoft
Knowledge Base articles listed above go back over two years, but we have found
that most users are unaware of it.

Open Database Connectivity (ODBC) drivers are a method by which application
programs connect to different databases. Microsoft Excel uses them to import
data from an external database, and Microsoft Word uses them to get mail merge
data such as names and addresses from an external database. The Windows
versions of Word and Excel and the Macintosh version of Excel store the query
and connection string within the document that imported the data. The
connection string can contain the username and password needed to connect to
the database. The default option for Excel is to include the password in the
saved connection string, and the check box you would need to clear to prevent
saving the password is not displayed while a normal data query is being
created. For the Windows version of Word, you must save the password in the
query or the query will not work.
The Macintosh version of Word does not use ODBC queries yet.

The problem is that if a user extracts some information from a database into
an Excel worksheet and then sends that worksheet to someone else, the
recipient can rerun the query without having to enter the username and
password. If their system has a data source set up correctly and has network
access to the database, they will be able to change the query and extract
other, possibly sensitive, information from the database. They can also open
the Excel workbook file in a text editor and read the username, password, and
other connection information directly.

For example, the following listing shows the sector of an Excel file that
contains the query information, as displayed by Disk Probe. Only the first two
rows of hex bytes were captured; the ASCII column is reproduced for every row.
Note that this text can also be seen by opening the Excel file in a text
editor such as Notepad.

  test.xls - Disk Probe

  Offset  ASCII column
  0000    ..v.s..SELECT Ph   (hex: 00 00 76 00 73 00 00 53 45 4C 45 43 54 20 50 68)
  0010    onebook.Name, Ph   (hex: 6F 6E 65 62 6F 6F 6B 2E 4E 61 6D 65 2C 20 50 68)
  0020    onebook.phone..F
  0030    ROM 'C:\Document
  0040    s and Settings\o
  0050    rvis\My Document
  0060    s\db1'.Phonebook
  0070     Phonebook......
  0080    .DSN=testdb;DBQ=
  0090    C:\Documents and
  00A0     Settings\orvis\
  00B0    My Documents\db1
  00C0    .mdb;DriverID=25
  00D0    ;FIL=MS Access;M
  00E0    axBufferSize=204
  00F0    8;PageTimeout=5;
  0100    ..a.^..PWD=stupi
  0110    dpwd;SystemDB=C:
  0120    \Documents and S
  0130    ettings\orvis\My
  0140     Documents\Secur
  0150    ed1.mdw;UID=test
  0160    user;..&........
  0170    ............Quer
  0180    y from testdbts.
  0190    ................

Read straight through, the ASCII column contains the query and the connection
string:

  SELECT Phonebook.Name, Phonebook.phone
  FROM 'C:\Documents and Settings\orvis\My Documents\db1'.Phonebook Phonebook

  DSN=testdb;DBQ=C:\Documents and Settings\orvis\My Documents\db1.mdb;
  DriverID=25;FIL=MS Access;MaxBufferSize=2048;PageTimeout=5;
  PWD=stupidpwd;SystemDB=C:\Documents and Settings\orvis\My Documents\Secured1.mdw;
  UID=testuser;

Note also that the text not only contains the username (UID=testuser) and
password (PWD=stupidpwd); it also contains the type and location of the
database file.

The Windows version of Microsoft Word has a similar problem when creating a
mail merge document using data obtained from an ODBC query. When you do a mail
merge, you must create a connection to the database. The first step is to
create a data connection file. One of the options for creating the file is
"Save password in file". Next you get a Data Link Properties dialog box with an
"Allow saving password" check box. You must check one of these two boxes or
the query will not work.
The result of checking the second box but not the first is that the password
is saved in the mail merge (template) document. Checking the first box but not
the second stores the password in both the data connection file and the mail
merge document, even though you have not checked the "Allow saving password"
check box.

We have tested this problem with the following ODBC drivers, all of which give
the same results.

  * Microsoft Access Driver
  * Microsoft ODBC for Oracle
  * MyODBC driver for MySQL
  * Microsoft dBase Driver

Protecting Passwords; Excel for Windows
---------------------------------------

To prevent passwords from being saved with an Excel for Windows document, you
have four options.

  * Uncheck the Save password check box.
  * Block the Save password check box with a registry key.
  * Change the imported table into plain values.
  * Save the worksheet in a text format.

When you create a query in Excel, you are not asked whether to save the
password. To see the option, you must already have created the query and
returned the data to the Excel worksheet. Click in the returned data and
choose the Data, Import External Data, Data Range Properties command (you can
also right-click on the data to access the command). The following dialog box
appears.

 _______________________________________________________________________
| External Data Range Properties                                [?] [x] |
|_______________________________________________________________________|
|                                                                       |
| Name: [Query from CIACDB                                            ] |
|                                                                       |
| Query definition ---------------------------------------------------- |
|   [x] Save query definition                                           |
|   [x] Save password                                                   |
|                                                                       |
| Refresh control ----------------------------------------------------- |
|   [x] Enable background refresh                                       |
|   [ ] Refresh every [ 60 ] minutes                                    |
|   [ ] Refresh data on file open                                       |
|       [ ] Remove external data from worksheet before saving           |
|                                                                       |
| Data formatting and layout ------------------------------------------ |
|   [x] Include field names      [x] Preserve column sort/filter/layout |
|   [ ] Include row numbers      [x] Preserve cell formatting           |
|   [x] Adjust column width                                             |
|                                                                       |
|   If the number of rows in the data range changes upon refresh:       |
|     (o) Insert cells for new data, delete unused cells                |
|     ( ) Insert entire rows for new data, clear unused cells           |
|     ( ) Overwrite the existing cells with new data, clear unused cells|
|                                                                       |
|   [ ] Fill down formulas in columns adjacent to data                  |
|                                                                       |
|                                                 [  OK  ]   [ Cancel ] |
|_______________________________________________________________________|

Unchecking the Save password check box prevents the password from being saved
with the query.

Another way to do this is to block the Save password check box with a registry
key. Keep in mind that editing the registry can have disastrous effects if you
are not careful. Open the registry with Regedit or Regedt32 and add the
following value.

  Path:  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\10.0\Common\Security
  Value: DisablePwdCaching = (DWORD) 1

The 10.0 in the path refers to Office XP; the number differs by Office version
(8.0 for Office 97, 9.0 for Office 2000). With this value set, the Save
password check box will be unchecked and grayed out for all future queries.
Note that this does not fix queries you have already saved; those workbooks
still hold the password until you clear the check box and save them again.

Another way to set the registry value is to create a .reg (Regedit) file with
the following contents.
  ---------------------------
  Windows Registry Editor Version 5.00

  ;For Office 97
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\8.0\Common\Security]
  "DisablePwdCaching"=dword:00000001

  ;For Office 2000
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\9.0\Common\Security]
  "DisablePwdCaching"=dword:00000001

  ;For Office XP
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\10.0\Common\Security]
  "DisablePwdCaching"=dword:00000001
  ---------------------------

Double-clicking this file creates the registry values for Office 97, Office
2000, and Office XP. Installing values for versions of Office that you do not
have does no harm.

The third way to remove the password is to select all the data that was
returned by the database, choose Edit, Copy, click in a new location, choose
Edit, Paste Special, Values (or Values and Number Formats), then select all
the imported data again and choose Edit, Delete. This replaces the imported
table with simple values that have no link back to the original data. When
you save the worksheet, the password will not be saved.

Finally, you can save the worksheet in one of the text formats such as text
(.txt), comma separated (.csv), or formatted text (.prn). The database
connection string, query, username, and password are not saved in these
formats.

Protecting Passwords; Excel for Macintosh
-----------------------------------------

Excel for the Macintosh works in much the same manner, except that there is no
registry key you can set to gray out the Save password check box. The
remaining three methods for the Windows version of Excel also work in the
Macintosh version of Excel.

Protecting Passwords; Word for Windows
--------------------------------------

Unfortunately, Windows versions of Word will not work if you do not save the
password in either the data connection file or the merge file. Because of
this, you need to be sure not to share your data connection and merge files
with anyone who is not authorized to access your database.
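The remedies above stop new workbooks from carrying a password but, as noted
above, do nothing for documents that were saved earlier, and the only check
the bulletin offers is opening each file in Notepad. The audit script below is
an added example written for this page; it is not part of the CIAC bulletin
and not a Microsoft tool. It assumes only what the Disk Probe dump shows: the
connection string is stored as KEY=value; pairs (DSN=, DBQ=, UID=, PWD=),
possibly split into several fragments, and it additionally assumes such
strings may be stored either as 8-bit text or as UTF-16LE (the dump's
"76 00 73 00" bytes are 'v' and 's' stored that way). SAMPLE_XLS is a
constructed byte string that mimics the dump, not a real workbook; CONN_KEYS
and SECRET_KEYS are our own keyword lists, not an exhaustive catalogue of ODBC
or OLE DB keywords.

```python
"""Audit Office documents for ODBC connection strings that embed credentials.

Added example for this page, not code from the CIAC bulletin or Microsoft.
Assumptions: connection strings are stored as KEY=value; pairs, possibly split
into fragments, as 8-bit text or as UTF-16LE.  SAMPLE_XLS is a constructed
byte string that mimics the bulletin's Disk Probe dump.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Keywords that mark a KEY=value; run as a connection string (our own list).
CONN_KEYS = {"DSN", "DBQ", "UID", "PWD", "DRIVER", "SERVER", "DATABASE",
             "PROVIDER", "DATA SOURCE", "USER ID", "PASSWORD"}
# Keywords whose value is a secret and must be masked in any report.
SECRET_KEYS = {"PWD", "PASSWORD"}

# One or more KEY=value; pairs stored as 8-bit text.  Values stop at ';' or
# NUL, so a fragment ends where the file's binary record data resumes.
PAIRS_8BIT = re.compile(rb"(?:[A-Za-z][A-Za-z0-9 ]*=[^;\x00]*;)+")
# The same shape stored as UTF-16LE: each ASCII byte is followed by 0x00.
PAIRS_UTF16 = re.compile(
    rb"(?:[A-Za-z]\x00(?:[A-Za-z0-9 ]\x00)*=\x00(?:[^;\x00]\x00)*;\x00)+")

# Constructed stand-in for the sector shown in the bulletin: query text, two
# connection-string fragments separated by record bytes, a trailing name.
SAMPLE_XLS = (
    b"\x00\x00v\x00s\x00\x00SELECT Phonebook.Name, Phonebook.phone\x00\x00"
    b"FROM 'C:\\Documents and Settings\\orvis\\My Documents\\db1'.Phonebook "
    b"Phonebook" + b"\x00" * 7 +
    b"DSN=testdb;DBQ=C:\\Documents and Settings\\orvis\\My Documents\\db1.mdb;"
    b"DriverID=25;FIL=MS Access;MaxBufferSize=2048;PageTimeout=5;"
    b"\x00\x00a\x00^\x00\x00"
    b"PWD=stupidpwd;SystemDB=C:\\Documents and Settings\\orvis\\My Documents"
    b"\\Secured1.mdw;UID=testuser;\x00\x00&" + b"\x00" * 13 +
    b"Query from testdbts.\x00"
)


@dataclass
class Finding:
    offset: int                    # byte offset of the fragment in the file
    encoding: str                  # "8bit" or "utf-16-le"
    pairs: list[tuple[str, str]]   # (KEY, value) in stored order

    @property
    def has_secret(self) -> bool:
        return any(k.upper() in SECRET_KEYS for k, _ in self.pairs)

    def redacted(self) -> str:
        """The fragment with every password value masked, safe to log."""
        return "".join(
            f"{k}={'********' if k.upper() in SECRET_KEYS else v};"
            for k, v in self.pairs)


def _split_pairs(text: str) -> list[tuple[str, str]]:
    return [(k.strip(), v) for k, _, v in
            (p.partition("=") for p in text.split(";") if p)]


def find_connection_strings(data: bytes) -> list[Finding]:
    """Return every KEY=value; run in data that uses a known connection keyword.

    Runs that merely look like 'a=b;' text (formulas, INI-style settings) are
    ignored unless one of CONN_KEYS appears in them."""
    findings: list[Finding] = []
    for regex, enc in ((PAIRS_8BIT, "8bit"), (PAIRS_UTF16, "utf-16-le")):
        for m in regex.finditer(data):
            text = m.group().decode("latin-1" if enc == "8bit" else enc)
            pairs = _split_pairs(text)
            if any(k.upper() in CONN_KEYS for k, _ in pairs):
                findings.append(Finding(m.start(), enc, pairs))
    return sorted(findings, key=lambda f: f.offset)


def scan_file(path: Path) -> list[Finding]:
    """Scan one document (.xls, .doc, .odc, ...) read as raw bytes."""
    return find_connection_strings(path.read_bytes())


if __name__ == "__main__":
    # Usage: python odbc_cred_scan.py FILE_OR_DIR [...]
    # Prints one line per fragment found; passwords are masked in the output.
    targets = [Path(a) for a in sys.argv[1:]] or [Path(".")]
    files = [p for t in targets
             for p in (t.rglob("*") if t.is_dir() else [t]) if p.is_file()]
    for f in files:
        for hit in scan_file(f):
            kind = "PASSWORD" if hit.has_secret else "connection"
            print(f"{f}:{hit.offset:#x} [{hit.encoding}] {kind}: {hit.redacted()}")
```

Run it over a file share of .xls and .doc files and review every line flagged
PASSWORD; a workbook that was "fixed" with Paste Special, Values or saved as
.csv should produce no findings at all, which makes the script a useful check
that the remediation actually took effect. The report masks the password value
so the audit log does not become a second copy of the leak.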
Protecting Passwords; Word for Macintosh
----------------------------------------

Macintosh versions of Word do not currently allow the use of ODBC drivers to
get data for a mail merge operation and so are not affected.
______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Guy Cortesi at BPMI for the
information contained in this bulletin.
______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government.
Neither the United States Government nor the University of California nor any
of their employees makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process disclosed, or
represents that its use would not infringe privately owned rights. Reference
herein to any specific commercial product, process, or service by trade name,
trademark, manufacturer, or otherwise does not necessarily constitute or imply
its endorsement, recommendation, or favoring by the United States Government
or the University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-117: Microsoft Office Web Components Vulnerabilities
M-118: HP Tru64 Unix Multiple Vulnerabilities
M-119: Cisco VPN 3000 Concentrator Multiple Vulnerabilities
M-120: Microsoft Visual FoxPro 6.0 Vulnerability
M-121: Microsoft Certificate Validation Vulnerability
M-122: Remotely Exploitable Buffer Overflow in PGP
M-123: Polycom Videoconferencing Remote Vulnerabilities
M-124: Konqueror Secure Cookie Vulnerability
M-125: Apache/mod_ssl Worm
M-126: MS VM JDBC Classes Vulnerabilities