[9473] in bugtraq


Re: Microsoft Access 97 Stores Database Password as Plaintext

daemon@ATHENA.MIT.EDU (Paul Leach)
Thu Feb 11 15:33:54 1999

Date: 	Tue, 9 Feb 1999 18:56:08 -0800
Reply-To: Paul Leach <paulle@MICROSOFT.COM>
From: Paul Leach <paulle@MICROSOFT.COM>
X-To:         Jim Paris <jim@JTAN.COM>
To: BUGTRAQ@NETSPACE.ORG

> -----Original Message-----
> From: Jim Paris [mailto:jim@JTAN.COM]
> Sent: Tuesday, February 09, 1999 2:46 PM
> To: BUGTRAQ@NETSPACE.ORG
> Subject: Re: Microsoft Access 97 Stores Database Password as Plaintext
>
>
> > The following text was posted to USENET, and indexed on a Russian cypherpunk
> > site.  I found it when I was doing some work with Access 97 databases.  I
> > think you will agree that this particular "feature" makes the linked
> > database password issue moot.
>
> Most definitely!

No, I claim it was _always_ moot. Even if the password were strongly
encrypted, the rest of the data in the database is not. So, unless you've
used ACLs to protect the database, the data in it _is_ available; it's just
a matter of some amount of work.

Unless the programmer went to a lot of work to obscure the password storage,
the following procedure should work on nearly any of that generation of
applications that pretended to "password protect" their files in the absence
of file system security:

1. Create as small a database/file as possible, with an empty password.
2. Copy it.
3. Change the password on one copy.
4. Diff the databases/files -- this will isolate even a strongly encrypted
blank password.
5. Copy the target.
6. Copy the encrypted blank password into the same offset in the copy of the
target database/file.

On the other hand, if you used ACLs to protect the database/file, then you
could use a blank password, and it wouldn't matter.

It is a fundamental security principle that effective security checks must
be enforced by something that can _not_ be bypassed. Since, without ACLs or
using the password to encrypt the whole database/file, there is no way to
prevent the password checking from being bypassed, the approach is only good
for what it was originally intended for -- keeping out unsophisticated users.

Paul
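The principle in this message can be turned into a self-test for any file format: save the same data once with an empty password and once with a non-empty one, and count the bytes that differ (steps 1-4 above). The Python below is an added illustration, not code from the post or from Access; it uses two constructed toy formats, a "gated" one that stores only a password hash ahead of plaintext data and a "bound" one whose data is encrypted under a password-derived key, and the fixed salt, sample data and the name `password_dependent_bytes` are assumptions of the example.

```python
import hashlib

HASH_LEN = 32
SALT = b"constructed-salt"  # fixed 16-byte salt so the two saves are comparable


def save_gated(data: bytes, password: str) -> bytes:
    """Gated format: password hash in the header, data in the clear after it."""
    return hashlib.sha256(password.encode()).digest() + data


def open_gated(blob: bytes, password: str):
    """Returns the data only if the header hash matches; the data itself is
    readable regardless, which is why the check can be bypassed."""
    tag, data = blob[:HASH_LEN], blob[HASH_LEN:]
    return data if tag == hashlib.sha256(password.encode()).digest() else None


def _keystream(password: str, salt: bytes, n: int) -> bytes:
    # Password-derived key stretched into a keystream (XOF-based, for illustration;
    # a real format would use an authenticated cipher such as AES-GCM).
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hashlib.shake_256(key + salt).digest(n)


def save_bound(data: bytes, password: str, salt: bytes = SALT) -> bytes:
    """Bound format: every byte of the data depends on the password."""
    ks = _keystream(password, salt, len(data))
    return salt + bytes(a ^ b for a, b in zip(data, ks))


def open_bound(blob: bytes, password: str) -> bytes:
    salt, ct = blob[:len(SALT)], blob[len(SALT):]
    return bytes(a ^ b for a, b in zip(ct, _keystream(password, salt, len(ct))))


def password_dependent_bytes(save, data: bytes) -> int:
    """Steps 1-4 of the procedure as a measurement: save the same data with an
    empty and a non-empty password and count the bytes that differ. A small,
    fixed-size region means the password is only a gate, not a key."""
    blank, locked = save(data, ""), save(data, "s3cret")
    return sum(a != b for a, b in zip(blank, locked)) + abs(len(blank) - len(locked))


if __name__ == "__main__":
    sample = b"customer,balance\nalice,100\nbob,250\n" * 4  # constructed data
    print("gated:", password_dependent_bytes(save_gated, sample), "of", len(sample) + HASH_LEN)
    print("bound:", password_dependent_bytes(save_bound, sample), "of", len(sample) + len(SALT))
```

For the gated format the diff never exceeds the 32-byte header, exactly the isolated region Leach describes; for the bound format it spans essentially the whole file, so there is no offset to patch.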
