Forgot the password of a file?

In case you ever forget the password for a Microsoft Office file (pptx/xlsx/docx) that you locked, there is a tool that removes the password from the file without cracking it.

OfficeBreaker

All pptx/xlsx/docx files are part of the Office Open XML format family (for further reading, please refer to OOXML Format Family -- ISO/IEC 29500 and ECMA 376).

For example, a standard .pptx file will have the following file tree structure:

myFile.pptx
.
├── docProps
│   ├── app.xml
│   ├── core.xml
│   ├── custom.xml
│   └── thumbnail.jpeg
├── ppt
│   ├── handoutMasters
│   ├── media
│   ├── media
│   ...
│   ...
│   ...
│   └── presentation.xml
├── _rels
│   ├── .rels
└── [Content_Types].xml

We can see this structure by opening the file with a program like 7zip, or by changing the file extension to .zip and then opening it.

Each OOXML file type contains an .xml file with settings and preferences, including read-only protection. In our example, the security element is located inside the presentation.xml file, which sits in the ppt folder of myFile.pptx.

Inside presentation.xml there is a specific element we will focus on, called p:modifyVerifier, which should look like this:

<p:modifyVerifier cryptProviderType="rsaAES" cryptAlgorithmClass="hash" cryptAlgorithmType="typeAny" cryptAlgorithmSid="14" spinCount="100000" saltData="3R1lmtJocEj5GzEGRn3MHA==" hashData="iR0jIUtVcGsTx62z/hqcbzaReLJemv$eZyqTlpWhl0Lph+osBKEiEYmyReJHmypMy6wj+VFmDGuNZvsMA9tX9g=="/>

Editing of the file is protected by a password that was salted and hashed, which makes it nearly impossible to crack within a reasonable time. But instead of trying to crack the password, we can just... remove it. :shrug:

Turns out that simply deleting the security element p:modifyVerifier as a whole will make myFile.pptx behave as if it never had any password at all. This kind of security measure is a bit like the photo in the title of this repository - a good lock placed on the door handle... 😅

The program creates a copy of presentation.xml, parses it and deletes the security element. Once the element is deleted, the original presentation.xml is replaced with the modified copy, which effectively removes the password from myFile.pptx.

What makes this whole thing worse is that we could simply remove the password created by the author, alter the file in some way, and then restore the author's original password by re-inserting the same security element that was removed. This hurts the integrity of the whole OOXML format family.
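
The integrity gap described above can be shown from the receiving side. This is an added example, not code from OfficeBreaker. It shows that p:modifyVerifier stays byte-for-byte identical while slide content changes, so only a content digest recorded out-of-band reveals the edit. The function names and the sample package (including its saltData/hashData values) are constructed for illustration.

```python
import hashlib, io, zipfile
import xml.etree.ElementTree as ET

P_NS = "http://schemas.openxmlformats.org/presentationml/2006/main"
PRESENTATION_PART = "ppt/presentation.xml"

def modify_verifier(pptx_bytes):
    """Return the attributes of p:modifyVerifier, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as z:
        root = ET.fromstring(z.read(PRESENTATION_PART))
    el = root.find(f"{{{P_NS}}}modifyVerifier")
    return None if el is None else dict(el.attrib)

def content_digest(pptx_bytes):
    """SHA-256 over every part name and its bytes, in sorted order."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as z:
        for name in sorted(z.namelist()):
            data = z.read(name)
            # Length-prefix each field so part boundaries are unambiguous.
            h.update(len(name.encode()).to_bytes(4, "big") + name.encode())
            h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()

def build_sample(slide_text):
    """Constructed, minimal package: not a complete presentation."""
    pres = (f'<p:presentation xmlns:p="{P_NS}">'
            '<p:modifyVerifier cryptAlgorithmSid="14" spinCount="100000" '
            'saltData="Y29uc3RydWN0ZWQ=" hashData="Y29uc3RydWN0ZWQ="/>'
            '</p:presentation>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(PRESENTATION_PART, pres)
        z.writestr("ppt/slides/slide1.xml", f"<slide>{slide_text}</slide>")
    return buf.getvalue()

def audit(baseline, received):
    """Compare a received file with a baseline recorded out-of-band."""
    return {
        "verifier_unchanged": modify_verifier(baseline) == modify_verifier(received),
        "content_unchanged": content_digest(baseline) == content_digest(received),
    }

if __name__ == "__main__":
    original = build_sample("Q3 revenue: 10")
    edited = build_sample("Q3 revenue: 99")  # same verifier, different slide
    print(audit(original, edited))
```

The verifier is derived from the password alone and does not cover the other parts of the package, which is why an unchanged element says nothing about whether the content was altered.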

Future changes / possible deprecation
