Sorry for the Dutch text in the images.
I did not have an English version of Office at hand.


1. What is an exploit?


I could spend ages trying to explain what an exploit is, luckily there are dictionaries that can explain it in one full sentence:
Ex·ploit
A program or system designed to take advantage of a particular error or security vulnerability in computers or networks. TheFreeDictionary.com


2. What is VBA?


VBA (Visual Basic for Applications) is a programming language used mostly in Microsoft's office.
VBA is, however, also used in AutoCAD for plugins etc.

VBA's syntax is rather much identical to Visual Basic, there are just some API calls ready to be used to communicate back to the main application.
Initially VBA had been released to replace WordBasic as a "micro language".

Just like Visual Basic, VBA is a so-called Object-Oriented programming language.
VBA does have it's limitations, though, it still requires the main application to function as it can not be written to be a stand-alone application, which Visual Basic can do.

The close relation between VBA and the main application's core creates a big point of interest for virus', exploiters and malware, as these can all abuse the wide variety of options available to them thanks to VBA.


3. What does this specific exploit do?


The specific exploit I am referring to in this article is the Excel page password cracking method, done from within VBA.
The basics of this exploit are identical to a brute-force attack.
You overflow the page unlock function with as many fail attempts as you can until it breaks under the pressure and just lets you through.


4. Facts

  • Exploit confirmed to work on: Excel 2003, Excel 2010
  • A lot of people think they can "secure" their Excel sheets with amazing passwords, these people are all wrong!
  • Over 90% of the users of Office products are not aware of the existence of VBA.
  • It is way too easy to crack the passwords of Excel sheets!


5. What did the developers do to solve this?

  • Microsoft never made any effort to solve this issue.
  • Microsoft ignored people who told them about this issue and denies it's existence.
  • Microsoft went as far as to request a handful of websites to take all the information about this exploit off of their website in there default "kind request" manners.


6. How can you avoid this being used?

  • Lock the full document with a password (Can be easily bypassed too, but that's not for this article).
  • Lock the VBA pages with passwords.
  • Only send finalized versions of the document to others. (Finalize or save as PDF)


7. Full demonstration of the actual exploit.


All you require is some basic knowledge of Visual Basic and how Office allows us to use macros in their programs.

I created a little excel sheet holding a lovely "Lorem Ipsum" in it to demonstrate how easy it is to crack these passwords:

hugfkjv.png
As seen in the image I highlighted a specific option, it shows that the current page is locked.

When I try to edit anything in the file I get this pop-up:

5HCsQUZ.png

Now, the password I entered was some random keyboard bashing. I forgot my password!
We open the VBA scripting area by pressing ALT+F11 and select the locked page:

pdgd6fv.png

In here we simply type a staggering 25 lines of VBA code to accomplish our goal of unlocking the page:

N3WUXOc.png

Then we press F5 to execute our tiny bit of code and wait a bit (0.002-3 seconds, depending on your processor) and get this lovely pop-up:

pP8auPD.png

Now we can edit our file again

And for the ones who would like to have this little bit of code:
Show spoiler
Code:
Sub PasswordBreaker()
  Dim i As Integer, i1 As Integer, i2 As Integer, i3 As Integer, _
      i4 As Integer, i5 As Integer, i6 As Integer, i7 As Integer, _
      i8 As Integer, i9 As Integer,  i10 As Integer, i11 As Integer, _
      unusedVar As VbMsgBoxResult, passLine As String

  On Error Resume Next

  For i = 65  To 66: For i1 = 65 To 66: For i2 = 65 To 66:
  For i3 = 65 To 66: For i4 = 65 To 66: For i5 = 65 To 66:
  For i6 = 65 To 66: For i7 = 65 To 66: For i8 = 65 To 66:
  For i9 = 65 To 66: For i10 = 65 To 66: For i11 = 32 To 126:
    passLine = Chr(i) & Chr(i1) & Chr(i2) & Chr(i3) & Chr(i4) & _
               Chr(i5) & Chr(i6) & Chr(i7) & Chr(i8) & Chr(i9) & _
               Chr(i10) & Chr(i11)

    ActiveSheet.Unprotect passLine

    If ActiveSheet.ProtectContents = False Then
      unusedVar = MsgBox("Password cracked at random string: " & _
                         passLine & vbCrLf & "|xxxxx[;;;;;;;;;>", _
                         vbOKOnly, "VBA Brute")
      Exit Sub
    End If
  Next: Next: Next: Next: Next: Next:
  Next: Next: Next: Next: Next: Next:
End Sub