Re: Microsoft Access 97 Stores Database Password as Plaintext

From: Donald Moore (MindRape) (mindrapeat_private)
Date: Thu Feb 04 1999 - 21:07:40 PST

Next message: Olaf Seibert: "Re: Buffer overflow and OS/390"

Previous message: Ragnar Hojland Espinosa: "Cyrix bug: freeze in hell, badboy"
Maybe in reply to: Donald Moore (MindRape): "Microsoft Access 97 Stores Database Password as Plaintext"
Next in thread: Kehoe, Anthony (Exchange): "Re: Microsoft Access 97 Stores Database Password as Plaintext"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Paul,

This recreation just demonstrates how you can recreate this situation.  The
problem is that Microsoft Access stores the password to the database in
plaintext.  Without knowing the password beforehand, one can search other
mdb's looking for table attachments orginiating from the passworded
database.  The commercial product from FMS has been compromised, and a
number of others (including our own product).


                                          ______ ______ .
                                       .:_\___  \\_ .  \_::.
   Donald Moore (MindRape)          . .::./ ./  // ./__/.:::. .
                                        _<_____/<____  >_:.
   Email: mindrapeat_private            .             \/  .
           damagedat_private       Damaged Cybernetics
-   -  - ------------------------------------------------- - -- ---



-----Original Message-----
From: Paul Leach <paulleat_private>
To: 'Donald Moore (MindRape)' <mindrapeat_private>; BUGTRAQat_private
<BUGTRAQat_private>
Date: Thursday, February 04, 1999 12:32 PM
Subject: RE: Microsoft Access 97 Stores Database Password as Plaintext


>I'm not an Access guru, so please forgive me, but I don't quite understand
>the scenario. Please see the questions below.
>
>> -----Original Message-----
>> From: Donald Moore (MindRape) [mailto:mindrapeat_private]
>> Sent: Thursday, February 04, 1999 3:15 AM
>>
>> ======================================================================
>>  How to Recreate
>> ======================================================================
>>
>>  1. Create an mdb
>>  2. Create a Table
>>  3. Reopen the new mdb in exclusive mode
>>  4. From the Tools Menu, select Security and then click Set Database
>> Password
>>  5. Set database password
>>  6. Exit Access
>>  7. Create another mdb
>>  8. From the File Menu, select Get External Data, and click
>> Link Tables....
>> Select
>>     the passworded mdb and then select the table you created.
>
>At this point, didn't you have to enter the password of the first mdb to
get
>access to it?
>
>If so, then the fact you got access to the passwords after knowing the
>password doesn't seem very interesting.
>
>If not, then it seems like that's _actually_ the bug: you got access to a
>password protected database without having to know the password.
>
>>  9. Exit Access
>> 10. Perform a strings+grep on the 2nd mdb to reveal the password.
>>
>
>Finally, why wouldn't ACLs be used to protect the database instead of
>passwords?
>
>Paul

Next message: Olaf Seibert: "Re: Buffer overflow and OS/390"
Previous message: Ragnar Hojland Espinosa: "Cyrix bug: freeze in hell, badboy"
Maybe in reply to: Donald Moore (MindRape): "Microsoft Access 97 Stores Database Password as Plaintext"
Next in thread: Kehoe, Anthony (Exchange): "Re: Microsoft Access 97 Stores Database Password as Plaintext"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:32:44 PDT