FW: Microsoft Access 97 Stores Database Password as Plaintext

From: Eric Stevens (ejstevenat_private)
Date: Fri Feb 05 1999 - 06:03:22 PST

Next message: Hale: "Re: open socket in java"

Previous message: Simon Kilvington: "Re: open socket in java"
Maybe in reply to: Donald Moore (MindRape): "Microsoft Access 97 Stores Database Password as Plaintext"
Next in thread: Fernald, Brian: "Re: Microsoft Access 97 Stores Database Password as Plaintext"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Appologies, the files were too large to send through Bugtraq, you may go
here instead:
http://cs.millersv.edu/~ejsteven/linked.mdb
http://cs.millersv.edu/~ejsteven/protected.mdb

-----Original Message-----
From: Eric Stevens [mailto:ejstevenat_private]
Sent: Friday, February 05, 1999 8:53 AM
To: bugtraqat_private
Subject: RE: Microsoft Access 97 Stores Database Password as Plaintext


What our friend is saying is that if you File >> Get External Data >> Link
Tables [which is something that I use regularly] on a password protected
database, the passwords to the protected database are stored in the database
that contains the linked tables in plain text.
Attached are two databases, Protected.mdb and Linked.mdb.  Their names are
self explanatory.  If you text edit the Linked.mdb, you'll quickly discover
the unprotected password.  The threat is this: You have a database system
set up that may be prone to attack (and ALL general use systems are prone to
attack, perhaps by a disgruntled employee) which uses linked tables, and a
simple-minded fool could figure out how to gain full access, and place in
some malicious code, even if the database that contains the links is
protected with a password.  Here's some of the text right from Notepad to
your computer:

C:\My Documents\protected.mdb [...about 10 ASCII characters...] MS
Access;PWD=protected;protected

The passwords to the two databases attached are:
linked.mdb; linked
protected.mdb; protected

    ,----/                       +
   /          Eric Stevens        \
  /--/   ejstevenat_private  \
 /      Dept.  of Computer Science  \
'----/ Millersville  University, PA  +

>-----Original Message-----
>From: Bugtraq List [mailto:BUGTRAQat_private]On Behalf Of Ricardo
>Peres
>Sent: Thursday, February 04, 1999 4:57 PM
>To: BUGTRAQat_private
>Subject: Re: Microsoft Access 97 Stores Database Password as Plaintext
>
>
>Hello,
>
>I have several password-protected MS Access databases, and *none* of
>them has it's password stored as plain text... Your exploit never worked!
>
>Best wishes,
>
>-------------------------------------------------------------------
>----------
>Ricardo Peres
>E-mail: rjperesat_private
>ICQ UIN: 708926
>TM: 0931 9459192
>Departamento de Engenharia Informática
>Universidade de Coimbra
>PORTUGAL
>-------------------------------------------------------------------
>----------
>
>On Thu, 4 Feb 1999, Donald Moore (MindRape) wrote:
>
>> ======================================================================
>>   Title: Microsoft Access 97 Stores Database Password as Plaintext
>>    Date: 02/03/99
>>  Author: Donald Moore (MindRape)
>>  E-mail: damagedat_private
>> ======================================================================
>>
>> Microsoft Access 97 databases protected with a password are stored in
>> foreign mdb's table attachements as plaintext.  This can be accessed very
>> easily by issuing a strings and grep operation on the foreign mdb.
>>
>>     Example:
>>         % strings db1.mdb | grep -i "pwd"
>>
>>         MS Access;PWD=plaintext;Table2pppppppjI'%
>>         MS Access;PWD=plaintext;Table1qqqqqqqkJ(&
>>
>> ======================================================================
>>  Impact of Exploit
>> ======================================================================
>>
>> Having the password allows the secured mdb to be unlocked,
>giving permission
>> to view database objects, possibily revealing other database connection
>> strings, propiertary source code, tampering of data.  One such commercial
>> database marketed by FMS, Inc., Total VB SourceBook 6.0, can be easily
>> compromised using this method.
>>
>>
>> ======================================================================
>>  How to Recreate
>> ======================================================================
>>
>>  1. Create an mdb
>>  2. Create a Table
>>  3. Reopen the new mdb in exclusive mode
>>  4. From the Tools Menu, select Security and then click Set Database
>> Password
>>  5. Set database password
>>  6. Exit Access
>>  7. Create another mdb
>>  8. From the File Menu, select Get External Data, and click Link
>Tables....
>> Select
>>     the passworded mdb and then select the table you created.
>>  9. Exit Access
>> 10. Perform a strings+grep on the 2nd mdb to reveal the password.
>>
>>
>> -   -  - ------------------------------------------------- - -- ---
>>                                           ______ ______ .
>>                                        .:_\___  \\_ .  \_::.
>>    Donald Moore (MindRape)          . .::./ ./  // ./__/.:::. .
>>                                         _<_____/<____  >_:.
>>    Email: mindrapeat_private            .             \/  .
>>            damagedat_private       Damaged Cybernetics
>> -   -  - ------------------------------------------------- - -- ---
>>
>

Next message: Hale: "Re: open socket in java"
Previous message: Simon Kilvington: "Re: open socket in java"
Maybe in reply to: Donald Moore (MindRape): "Microsoft Access 97 Stores Database Password as Plaintext"
Next in thread: Fernald, Brian: "Re: Microsoft Access 97 Stores Database Password as Plaintext"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:32:50 PDT