Exploring the CFB File Format 9

  • Article

Exploring the CFB File Format 9

File Security

Due to the nature of a compound file, a single file in a file-system, the operating system security mechanisms is ultimately what controls the security regarding the file in question. Using the ACL, you can control who can read and/or write to the file. Using file-system encryption, you can also secure the contents of the file.

Since this is ultimately covered by the [MS-CFB] Open Specification Document, I will present a means of examples of using python to alter Windows specific file-system security.

Python provides a means for native file manipulation using the win32security module. This module allows the application in question call all relevant Win32 Security API functions. These functions will correlate to the exact security API function names found in the Windows API. These functions can be found on MSDN at the following URL: https://msdn.microsoft.com/en-us/library/aa375742(v=VS.85).aspx. However, the module in question only implements a subset of these functions, and the entire list of supported functions can be found here: https://docs.activestate.com/activepython/2.4/pywin32/win32security.html.

Displaying the current file-system controls of a file

import win32security

# obtain security descriptor of said owner of file
secdesc = win32security.GetFileSecurity("C:\Temp\VerifySchTask.txt", win32security.OWNER_SECURITY_INFORMATION)

# the sec_desc object now contains everything we need in regards to file permissions.
# we can now call any of the various win32 security api functions.

# for example, let's get the owner's sid:
osid = secdesc.GetSecurityDescriptorOwner()
#display owner sid
print osid

# now let’s just dump the security descriptor object to view
print secdesc

Altering the ACL of a File

import win32security

# obtain security descriptor of said owner of file
secdesc = win32security.GetFileSecurity("C:\Temp\VerifySchTask.txt", win32security.OWNER_SECURITY_INFORMATION)

# apply the security descriptor to the aforementioned file.
SetFileSecurity( FILE, DACL_SECURITY_INFORMATION , secdesc)

Encryption

The contents of the file can be encrypted and stored in user-defined streams. In fact, if you review [MS-OFFCRYPTO], you will see this is how the latest version of Office 2010 works. It takes the XML content and stores it in a special stream that contains the encrypted-form of the working document. However, it is much easier to present/store the file on a file-system that is encrypted (e.g. on Windows you have BitLocker, EFS, etc…).

However, if you wish to perform your own security mechanism, you can review the \EncryptedPackage stream structure as defined in Section 2.3.4.4 of [MS-OFFCRYPTO]. This stream contains the entire office document in compressed & encrypted form.