Re: Microsoft Access 97 Stores Database Password as Plaintext

From: Kehoe, Anthony (Exchange) (akehoeat_private)
Date: Fri Feb 05 1999 - 01:38:16 PST


    I have tried this exploit on an already-created database. The parent
    database, containing just the tables, is accessed by a second database with
    all the forms, reports etc. The second database *does* indeed contain the
    parent db's password in plain text. This exploit is only going to be of use
    to someone who, for whatever reason, needs to get into a parent db without
    knowing the password.
    
    Regards,
    Anthony Kehoe
    Bear Stearns Information Technology - Dublin
    ******************************************************
    
    
    
    -----Original Message-----
    From: Ernie Souhrada [mailto:ewsat_private]
    Sent: 04 February 1999 20:48
    To: BUGTRAQat_private
    Subject: Re: Microsoft Access 97 Stores Database Password as Plaintext
    
    
    I just tried to duplicate this, as some of our products rely on MS Access
    97, and it'd be a useful thing to know about, and I couldn't do it.  When
    I follow the procedure below, I get to step 8 where I'm to select the MDB
    that I've put a password on, and instead of giving me a list of tables to
    select from, it asks me for the password to the MDB.  Can't get past that
    point to get to step 10.
    
    Anyone out there have any luck in making this work?  I'm using Access97
    SR-1 on NT 4.0 Workstation SP4 (128-bit).
    
    TiA...
    
    -------------------
    Ernie Souhrada
    Network Administrator
    RSmart, Inc.
    Email: ewsat_private / Voice: 602.224.4720 / ICQ: 13748304
    
    
    
    >======================================================================
    >  Title: Microsoft Access 97 Stores Database Password as Plaintext
    >   Date: 02/03/99
    > Author: Donald Moore (MindRape)
    > E-mail: damagedat_private
    >======================================================================
    >
    >Microsoft Access 97 databases protected with a password are stored in
    >foreign mdb's table attachments as plaintext.  This can be accessed very
    >easily by issuing a strings and grep operation on the foreign mdb.
    >
    >    Example:
    >        % strings db1.mdb | grep -i "pwd"
    >
    >        MS Access;PWD=plaintext;Table2pppppppjI'%
    >        MS Access;PWD=plaintext;Table1qqqqqqqkJ(&
    >
    >======================================================================
    > Impact of Exploit
    >======================================================================
    >
    >Having the password allows the secured mdb to be unlocked, giving
    >permission to view database objects, possibly revealing other database
    >connection strings, proprietary source code, tampering of data.  One such
    >commercial database marketed by FMS, Inc., Total VB SourceBook 6.0, can be
    >  How to Recreate
    > ======================================================================
    >
    >  1. Create an mdb
    >  2. Create a Table
    >  3. Reopen the new mdb in exclusive mode
    >  4. From the Tools Menu, select Security and then click Set Database Password
    >  5. Set database password
    >  6. Exit Access
    >  7. Create another mdb
    >  8. From the File Menu, select Get External Data, and click Link Tables....
    >     Select the passworded mdb and then select the table you created.
    >  9. Exit Access
    > 10. Perform a strings+grep on the 2nd mdb to reveal the password.
    >
    
    
    
    ********************************************************************************
    Bear Stearns is not responsible for any recommendation, solicitation, offer or
    agreement or any information about any transaction, customer account or account
    activity contained in this communication.
    ********************************************************************************
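
Added example, not part of the original posts: a defensive audit for the condition the advisory describes, scanning `.mdb` files for link-table connect strings of the form `MS Access;PWD=...;` and reporting only the offset and password length, never the password. The function names, the 64-byte length bound and the sample bytes are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Connect-string shape taken from the advisory's strings/grep output.
# Case-insensitive, like the advisory's "grep -i". The 1..64 byte bound on the
# password is an assumption made here to avoid matching across binary data.
CONNECT_RE = re.compile(rb"MS Access;PWD=([^;\x00-\x1f]{1,64});", re.IGNORECASE)


def find_embedded_passwords(data: bytes):
    """Return [(offset, password_length), ...] for each connect string with PWD=.

    The password bytes are deliberately not returned, so audit output can be
    logged or ticketed without spreading the credential further.
    """
    return [(m.start(), len(m.group(1))) for m in CONNECT_RE.finditer(data)]


def audit_tree(root):
    """Scan every .mdb file under root; return {path: findings} for files with hits."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() == ".mdb":
            hits = find_embedded_passwords(path.read_bytes())
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample bytes: binary filler around the two strings the advisory
# shows for a front-end mdb with linked tables. Not a real Jet file.
SAMPLE_FRONT_END = (
    b"\x00" * 16
    + b"MS Access;PWD=plaintext;Table2pppppppjI'%"
    + b"\x00" * 8
    + b"MS Access;PWD=plaintext;Table1qqqqqqqkJ(&"
)
# Constructed sample with no linked-table password in it.
SAMPLE_BACK_END = b"\x00" * 16 + b"Table1\x00Table2\x00" + b"\xff" * 16

if __name__ == "__main__":
    import sys
    for name, hits in audit_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for offset, length in hits:
            print(f"{name}: linked-table password ({length} bytes) at offset {offset}")
```

Any file this flags holds the parent database's password in the clear, so that password should be treated as known to everyone who can read the flagged file.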
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:32:46 PDT