RE: MS Office Files

From: Robinson, Sonja (SRobinson@HIPUSA.com)
Date: Tue Feb 18 2003 - 11:07:55 EST


Yes it does. You are trying to trace back to a particular machine I
presume? Back in Office 97 it was possible to view the PID information of
the user. You could view certain user/machine information. I think this was
"fixed" in higher versions due to privacy issues and complaints. Don't
quote me on this however...I tested on W2K9.0 about 2-3 years ago and found
that it was fixed but I can't say on other versions if this is still true.
I've incl the procedures I pulled from one of the original e-mails on a
listserv (original author unknown at this late time but whoever he/she is
deserves the credit) as well as some of my test results.

TO TRACE A DOCUMENT TO A PARTICULAR MACHINE
1) To determine or track a WORD97 or below document to a particular
machine. Open up the document using a simple text viewer (i.e. Notepad).
The last digits of the file identification line are the Ethernet (MAC)
address of the machine it was created on. This is a hidden line in WORD.
(was this taken out in subsequent versions?) This does not work in
WORD2000(9.0).

However, some basic testing revealed that if you open up a 2000 document in
notepad and alter revealing information such as pathname WORD can no longer
open up the document. It becomes unrecognizable. Thus it is very difficult
to hide or spoof info contained within the document. For instance, if I
changed the path from my directory to someone else's to shift suspicion, the
document is no longer readable. (This needs further testing and research to
100% verify)
determine of a WORD Doc came from a particular computer

> -----Original Message-----
> From: Romes, Randall J. [mailto:Rromes@larsonallen.com]
> Sent: Thursday, February 13, 2003 5:09 PM
> To: pen-test@securityfocus.com
> Subject: MS Office Files
>
>
>
> During the course of a pen test, we have been able to
> download some word documents from a web server. I have
> determined that the author of the documents is/was an
> employee of the company I am testing.
>
> I recall a while back seeing a post somewhere about pulling
> credential information from Office documents, but I can't
> seem to find it now.
>
> Does this ring a bell, and if so, can anyone point me in the
> right direction?
>
> Thanks
> Randy Romes
> rromes@larsonallen.com
>
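
The check described in the reply above (reading the last digits of a document's identification line as a MAC address), as an added example that is not part of the original post, for auditing what a file would disclose before it is published. It assumes the identification line is a GUID in `{8-4-4-4-12}` form stored as ASCII or UTF-16LE, and that only a time-based (version 1) GUID holds a hardware address; the function names and sample bytes are constructed.

```python
import re
import uuid


def _guid_pattern(wide):
    """GUID in {8-4-4-4-12} form; wide=True matches UTF-16LE (NUL after each char)."""
    z = b"\x00" if wide else b""
    hexd = b"(?:[0-9A-Fa-f]" + z + b")"
    dash = b"-" + z
    body = hexd + b"{8}(?:" + dash + hexd + b"{4}){3}" + dash + hexd + b"{12}"
    return re.compile(rb"\{" + z + body + rb"\}" + z)


def guid_macs(data):
    """Return [(guid, version, mac_or_None)] for each distinct GUID string in data."""
    seen, out = set(), []
    for wide in (False, True):
        for m in _guid_pattern(wide).finditer(data):
            text = m.group().replace(b"\x00", b"").decode("ascii").upper()
            if text in seen:
                continue
            seen.add(text)
            u = uuid.UUID(text)
            mac = None
            # Only version 1 GUIDs carry a node field, and a set multicast bit
            # marks that field as random rather than a network card address.
            if u.version == 1 and not (u.node >> 40) & 1:
                mac = ":".join(f"{(u.node >> s) & 0xFF:02x}" for s in range(40, -1, -8))
            out.append((text, u.version, mac))
    return out


# Constructed sample bytes, not taken from a real document: one UTF-16LE
# version 1 GUID (locally administered node) and one ASCII version 4 GUID.
SAMPLE = (
    b"\xd0\xcf\x11\xe0junk"
    + "{8A3F2C10-4B7E-11D3-9A5C-02005E102030}".encode("utf-16-le")
    + b"\x00\x00pad{3F2504E0-4F89-41D3-9A0C-0305E82C3301}tail"
)

if __name__ == "__main__":
    for guid, version, mac in guid_macs(SAMPLE):
        print(guid, "version", version, "node MAC:", mac or "none disclosed")
```

A `None` in the third field means the GUID is not time-based or its node field is flagged as random, so the last digits say nothing about the originating machine.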


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:28 EDT