xlsx password remover (opens in new tab)

(github.com)

221 pointsAnonymous42723y ago28 comments

28 comments

This password specifically refers to "Password to Modify" and Excel 2019 / 365 clearly warn in the reenter password popup:

> Caution: Password to modify is not a security feature. ... Malicious users can edit the file and remove the password.

This type of "protection" is also present in the VBA blobs (where you can change a few bytes and work around the VBA protection)

Saving a file with a password to open actually employs encryption. The exact setting can be tuned with registry settings, but is typically AES-128-CBC.

Saving a file as "read-only" encrypts the file with the standard password "VelvetSweatshop"

bbkane3y ago

Huh? I wonder where that default password came from

sheetjs3y ago

A Seattle Times article from 1989:

> Inside Microsoft – A ‘Velvet Sweatshop’ or a High-Tech Heaven?

https://www.seattletimes.com/business/archive-inside-microso...

userbinator3y ago

In other words, not much different from PDF's permissions feature.

SeriousM3y ago

Does PDF has a default password?

1 more reply

noodlesUK3y ago

Note: this is only for write protection passwords. Files that require a password to read are actually encrypted. I think any password that would prevent editing but allow reading would necessitate a fairly complex digital signature management scheme for data provenance (which might be useful in some settings).

conradludgate3y ago

I feel like a hash of the contents + some secret bytes could be a convincing signature that only the owners of the secret bytes could author.

Alternatively, hash the contents and signed using asymmetric keys. This would allow for non private key owners to validate the integrity

martinko3y ago

> I feel like a hash of the contents + some secret bytes could be a convincing signature that only the owners of the secret bytes could author.

How would you validate the signature?

1 more reply

lucassen3y ago

Some «security» features dont need to be secure. This is obviously one of those as the data is readable by all, but only modifiable by «those in the know», but if someone does anyway who cares.

I’ve done hardcoded frontend identity whitelists for authorization. Some times it’s fine to let hackers access stuff, but not the vanilla mass-market browsers. Feature flags etc

just_boost_it3y ago

Actually, I think this one is better if it isn't perfectly secure. I make spreadsheets with passwords just so people won't go in there and accidentally delete something or make other silly mistakes. I'm not trying to hide anything or keep it safe from the outside worldor anything. Every once in a while I forget one of the passwords or set it up with a typo or something, and I have to crack it. I'm sure there's loads of people doing something similar. For me, the weak security on this particular password is a feature.

yuriko3y ago

Based on the information in the README, wouldn't that be possible to accomplish in a simple bash script?

Tarq0n3y ago

There's VBA macros that do it from within the document.

viraptor3y ago

It would. Unzip, grep, zip.

Nerada3y ago

Reading through it quickly, it looks like this is for files that are available to read, but write-protected? Not read-protected documents like a password protected Excel workbook?

kevin_b_er3y ago

A modern read-protected Office document is AES encrypted, so you cannot read those at all. But the read-only one, much like PDF do-not-print/do-not-copy protections, is just relying on the viewer to honor the protection marker.

lazyeye3y ago

Yes I think you can just save the readonly doc to a new writeable doc anyway.

1 more reply

t_mann3y ago

Nice. In older versions of xlsx they used a weird hash function with tiny hash space that could be brute-forced in <1s. There were some VBA code snippets circulating and in my old team where we had to deal with a lot of such files we all had a script as a shortcut in the Excel toolbar.

I knew about the xml trick, but I could never get it to work consistently. This looks useful, thanks for sharing.

cpressland3y ago

I know this may be slightly off topic as this specifically deals with the modify, not the access password. But Office for Mac still limits access passwords to 15 characters, my understanding is that this is a significant weakness for documents saved from Office for Mac. Does anybody have any insights into how big of an attack vector this actually is?

tims333y ago

Hopefully no one treated these passwords as an actual security feature.

miladiir3y ago

I have some bad news for you. I know of at least 2 occasions.

alexanderh3y ago

haha I wrote something like this in python once.

karteum3y ago

Me too : I wrote a few lines of Python for my personal use, to remove docx write protection, and a few other useful stuffs e.g. changing author names, shrinking the size of the document by converting .png/.emf to .jpg, etc. The function for removing the write protection is very short :)

  xmldata = ZipFile(docxfile).open("word/settings.xml").read().decode()
  xmldata = re.sub("<w:documentProtection .\*/>", "", xmldata)

=> I wrote it for my personal use and for a few friends, and it is unfinished and not very well written, but if it can be useful to others, my little tool is here https://github.com/karteum/Doctool

j / k navigate · click thread line to collapse

28 comments

sheetjs3y ago

This password specifically refers to "Password to Modify" and Excel 2019 / 365 clearly warn in the reenter password popup:

> Caution: Password to modify is not a security feature. ... Malicious users can edit the file and remove the password.

This type of "protection" is also present in the VBA blobs (where you can change a few bytes and work around the VBA protection)

Saving a file with a password to open actually employs encryption. The exact setting can be tuned with registry settings, but is typically AES-128-CBC.

Saving a file as "read-only" encrypts the file with the standard password "VelvetSweatshop"

bbkane3y ago

Huh? I wonder where that default password came from

sheetjs3y ago

A Seattle Times article from 1989:

> Inside Microsoft – A ‘Velvet Sweatshop’ or a High-Tech Heaven?

https://www.seattletimes.com/business/archive-inside-microso...

userbinator3y ago

In other words, not much different from PDF's permissions feature.

SeriousM3y ago

Does PDF has a default password?

1 more reply

noodlesUK3y ago

conradludgate3y ago

I feel like a hash of the contents + some secret bytes could be a convincing signature that only the owners of the secret bytes could author.

Alternatively, hash the contents and signed using asymmetric keys. This would allow for non private key owners to validate the integrity

martinko3y ago

> I feel like a hash of the contents + some secret bytes could be a convincing signature that only the owners of the secret bytes could author.

How would you validate the signature?

1 more reply

lucassen3y ago

Some «security» features dont need to be secure. This is obviously one of those as the data is readable by all, but only modifiable by «those in the know», but if someone does anyway who cares.

I’ve done hardcoded frontend identity whitelists for authorization. Some times it’s fine to let hackers access stuff, but not the vanilla mass-market browsers. Feature flags etc

just_boost_it3y ago

yuriko3y ago

Based on the information in the README, wouldn't that be possible to accomplish in a simple bash script?

Tarq0n3y ago

There's VBA macros that do it from within the document.

viraptor3y ago

It would. Unzip, grep, zip.

Nerada3y ago

Reading through it quickly, it looks like this is for files that are available to read, but write-protected? Not read-protected documents like a password protected Excel workbook?

kevin_b_er3y ago

lazyeye3y ago

Yes I think you can just save the readonly doc to a new writeable doc anyway.

1 more reply

t_mann3y ago

I knew about the xml trick, but I could never get it to work consistently. This looks useful, thanks for sharing.

cpressland3y ago

tims333y ago

Hopefully no one treated these passwords as an actual security feature.

miladiir3y ago

I have some bad news for you. I know of at least 2 occasions.

alexanderh3y ago

haha I wrote something like this in python once.

karteum3y ago

  xmldata = ZipFile(docxfile).open("word/settings.xml").read().decode()
  xmldata = re.sub("<w:documentProtection .\*/>", "", xmldata)

=> I wrote it for my personal use and for a few friends, and it is unfinished and not very well written, but if it can be useful to others, my little tool is here https://github.com/karteum/Doctool

j / k navigate · click thread line to collapse