Bugtraq mailing list archives

Re: Microsoft Access 97 Stores Database Password as Plaintext


From: ews () RSMARTINC COM (Ernie Souhrada)
Date: Thu, 4 Feb 1999 13:48:21 -0700


I just tried to duplicate this, as some of our products rely on MS Access
97, and it'd be a useful thing to know about, and I couldn't do it.  When
I follow the procedure below, I get to step 8 where I'm to select the MDB
that I've put a password on, and instead of giving me a list of tables to
select from, it asks me for the password to the MDB.  Can't get past that
point to get to step 10.

Anyone out there have any luck in making this work?  I'm using Access97
SR-1 on NT 4.0 Workstation SP4 (128-bit).

TiA...

-------------------
Ernie Souhrada
Network Administrator
RSmart, Inc.
Email: ews () rsmartinc com / Voice: 602.224.4720 / ICQ: 13748304



======================================================================
 Title: Microsoft Access 97 Stores Database Password as Plaintext
  Date: 02/03/99
Author: Donald Moore (MindRape)
E-mail: damaged () futureone com
======================================================================

Microsoft Access 97 databases protected with a password are stored in
foreign mdb's table attachments as plaintext.  This can be accessed very
easily by issuing a strings and grep operation on the foreign mdb.

   Example:
       % strings db1.mdb | grep -i "pwd"

       MS Access;PWD=plaintext;Table2pppppppjI'%
       MS Access;PWD=plaintext;Table1qqqqqqqkJ(&

======================================================================
Impact of Exploit
======================================================================

Having the password allows the secured mdb to be unlocked, giving
permission to view database objects, possibly revealing other database
connection strings, proprietary source code, tampering of data.  One such
commercial database marketed by FMS, Inc., Total VB SourceBook 6.0, can be

======================================================================
How to Recreate
======================================================================

 1. Create an mdb
 2. Create a Table
 3. Reopen the new mdb in exclusive mode
 4. From the Tools Menu, select Security and then click Set Database
    Password
 5. Set database password
 6. Exit Access
 7. Create another mdb
 8. From the File Menu, select Get External Data, and click Link
    Tables....  Select the passworded mdb and then select the table
    you created.
 9. Exit Access
10. Perform a strings+grep on the 2nd mdb to reveal the password.
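
A defender-side version of step 10, added here as an example and not part of the original post or advisory: it scans MDB bytes for the `MS Access;PWD=` connect-string prefix shown above and reports each hit's offset and password length without printing the password. The function names and the sample bytes are constructed for illustration.

```python
import re
import sys

# Prefix of a linked-table connect string, as in the advisory's strings output.
# The value runs up to the next ';' and is limited to printable ASCII.
CONNECT_RE = re.compile(rb"MS Access;PWD=([\x20-\x3a\x3c-\x7e]+);", re.IGNORECASE)

def find_embedded_passwords(data):
    """Return (offset, password_length) per connect string carrying a PWD= value.

    The password bytes are deliberately not returned, so audit output can be
    logged or mailed without spreading the secret further.
    """
    return [(m.start(), len(m.group(1))) for m in CONNECT_RE.finditer(data)]

def audit_file(path):
    """Scan one file on disk; same return value as find_embedded_passwords."""
    with open(path, "rb") as fh:
        return find_embedded_passwords(fh.read())

def format_report(name, hits):
    """Render the findings for one file as text, never including the password."""
    if not hits:
        return f"{name}: no embedded database password found"
    lines = [f"{name}: {len(hits)} linked-table connect string(s) with PWD="]
    lines += [f"  offset 0x{off:06x}, password length {n}" for off, n in hits]
    return "\n".join(lines)

# Constructed sample: binary padding around the two strings shown in the post.
SAMPLE = (
    b"\x00" * 32
    + b"MS Access;PWD=plaintext;Table2pppppppjI'%\x00\x07"
    + b"MS Access;PWD=plaintext;Table1qqqqqqqkJ(&\x00"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Audit the .mdb files named on the command line.
        for path in sys.argv[1:]:
            print(format_report(path, audit_file(path)))
    else:
        print(format_report("<constructed sample>", find_embedded_passwords(SAMPLE)))
```

Run it with one or more .mdb paths to audit files on disk; with no arguments it reports on the constructed sample.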