[9380] in bugtraq
FW: Microsoft Access 97 Stores Database Password as Plaintext
daemon@ATHENA.MIT.EDU (Eric Stevens)
Fri Feb 5 12:36:18 1999
Date: Fri, 5 Feb 1999 09:03:22 -0500
Reply-To: Eric Stevens <ejsteven@CS.MILLERSV.EDU>
From: Eric Stevens <ejsteven@CS.MILLERSV.EDU>
To: BUGTRAQ@NETSPACE.ORG
Appologies, the files were too large to send through Bugtraq, you may g=
o
here instead:
http://cs.millersv.edu/~ejsteven/linked.mdb
http://cs.millersv.edu/~ejsteven/protected.mdb
-----Original Message-----
From: Eric Stevens [mailto:ejsteven@cs.millersv.edu]
Sent: Friday, February 05, 1999 8:53 AM
To: bugtraq@netspace.org
Subject: RE: Microsoft Access 97 Stores Database Password as Plaintext
What our friend is saying is that if you File >> Get External Data >> L=
ink
Tables [which is something that I use regularly] on a password protecte=
d
database, the passwords to the protected database are stored in the dat=
abase
that contains the linked tables in plain text.
Attached are two databases, Protected.mdb and Linked.mdb. Their names =
are
self explanatory. If you text edit the Linked.mdb, you'll quickly disc=
over
the unprotected password. The threat is this: You have a database syst=
em
set up that may be prone to attack (and ALL general use systems are pro=
ne to
attack, perhaps by a disgruntled employee) which uses linked tables, an=
d a
simple-minded fool could figure out how to gain full access, and place =
in
some malicious code, even if the database that contains the links is
protected with a password. Here's some of the text right from Notepad =
to
your computer:
C:\My Documents\protected.mdb [...about 10 ASCII characters...] MS
Access;PWD=3Dprotected;protected
The passwords to the two databases attached are:
linked.mdb; linked
protected.mdb; protected
,----/ +
/ Eric Stevens \
/--/ ejsteven@cs.millersv.edu \
/ Dept. of Computer Science \
'----/ Millersville University, PA +
>-----Original Message-----
>From: Bugtraq List [mailto:BUGTRAQ@netspace.org]On Behalf Of Ricardo
>Peres
>Sent: Thursday, February 04, 1999 4:57 PM
>To: BUGTRAQ@netspace.org
>Subject: Re: Microsoft Access 97 Stores Database Password as Plaintext
>
>
>Hello,
>
>I have several password-protected MS Access databases, and *none* of
>them has it's password stored as plain text... Your exploit never work=
ed!
>
>Best wishes,
>
>-------------------------------------------------------------------
>----------
>Ricardo Peres
>E-mail: rjperes@student.dei.uc.pt
>ICQ UIN: 708926
>TM: 0931 9459192
>Departamento de Engenharia Inform=E1tica
>Universidade de Coimbra
>PORTUGAL
>-------------------------------------------------------------------
>----------
>
>On Thu, 4 Feb 1999, Donald Moore (MindRape) wrote:
>
>> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
>> Title: Microsoft Access 97 Stores Database Password as Plaintext
>> Date: 02/03/99
>> Author: Donald Moore (MindRape)
>> E-mail: damaged@futureone.com
>> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
>>
>> Microsoft Access 97 databases protected with a password are stored i=
n
>> foreign mdb's table attachements as plaintext. This can be accessed=
very
>> easily by issuing a strings and grep operation on the foreign mdb.
>>
>> Example:
>> % strings db1.mdb | grep -i "pwd"
>>
>> MS Access;PWD=3Dplaintext;Table2pppppppjI'%
>> MS Access;PWD=3Dplaintext;Table1qqqqqqqkJ(&
>>
>> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
>> Impact of Exploit
>> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
>>
>> Having the password allows the secured mdb to be unlocked,
>giving permission
>> to view database objects, possibily revealing other database connect=
ion
>> strings, propiertary source code, tampering of data. One such comme=
rcial
>> database marketed by FMS, Inc., Total VB SourceBook 6.0, can be easi=
ly
>> compromised using this method.
>>
>>
>> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
>> How to Recreate
>> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
>>
>> 1. Create an mdb
>> 2. Create a Table
>> 3. Reopen the new mdb in exclusive mode
>> 4. From the Tools Menu, select Security and then click Set Database
>> Password
>> 5. Set database password
>> 6. Exit Access
>> 7. Create another mdb
>> 8. From the File Menu, select Get External Data, and click Link
>Tables....
>> Select
>> the passworded mdb and then select the table you created.
>> 9. Exit Access
>> 10. Perform a strings+grep on the 2nd mdb to reveal the password.
>>
>>
>> - - - ------------------------------------------------- - -- ---
>> ______ ______ .
>> .:_\___ \\_ . \_::.
>> Donald Moore (MindRape) . .::./ ./ // ./__/.:::. .
>> _<_____/<____ >_:.
>> Email: mindrape@home.com . \/ .
>> damaged@futureone.com Damaged Cybernetics
>> - - - ------------------------------------------------- - -- ---
>>
>
