Bugtraq mailing list archives

Re: Microsoft Access 97 Stores Database Password as Plaintext

From: akehoe () BEAR COM (Kehoe, Anthony)
Date: Fri, 5 Feb 1999 04:38:16 -0500


This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.

------_=_NextPart_000_01BE50EB.74037D78
Content-Type: text/plain;
        charset="iso-8859-1"

I have tried this exploit on an already-created database. The parent
database, containing just the tables, is accessed by a second database with
all the forms, reports etc. The second database *does* indeed contain the
parent db's password in plain text. This exploit is only going to be of use
to someone who, for whatever reason, needs to get into a parent db without
knowing the password.

Regards,
Anthony Kehoe
Bear Stearns Information Technology - Dublin
******************************************************



-----Original Message-----
From: Ernie Souhrada [mailto:ews () RSMARTINC COM]
Sent: 04 February 1999 20:48
To: BUGTRAQ () NETSPACE ORG
Subject: Re: Microsoft Access 97 Stores Database Password as Plaintext


I just tried to duplicate this, as some of our products rely on MS Access
97, and it'd be a useful thing to know about, and I couldn't do it.  When
I follow the procedure below, I get to step 8 where I'm to select the MDB
that I've put a password on, and instead of giving me a list of tables to
select from, it asks me for the password to the MDB.  Can't get past that
point to get to step 10.

Anyone out there have any luck in making this work?  I'm using Access97
SR-1 on NT 4.0 Workstation SP4 (128-bit).

TiA...

-------------------
Ernie Souhrada
Network Administrator
RSmart, Inc.
Email: ews () rsmartinc com / Voice: 602.224.4720 / ICQ: 13748304

======================================================================
 Title: Microsoft Access 97 Stores Database Password as Plaintext
  Date: 02/03/99
Author: Donald Moore (MindRape)
E-mail: damaged () futureone com
======================================================================

Microsoft Access 97 databases protected with a password are stored in
foreign mdb's table attachements as plaintext.  This can be accessed very
easily by issuing a strings and grep operation on the foreign mdb.

   Example:
       % strings db1.mdb | grep -i "pwd"

       MS Access;PWD=plaintext;Table2pppppppjI'%
       MS Access;PWD=plaintext;Table1qqqqqqqkJ(&

======================================================================
Impact of Exploit
======================================================================

Having the password allows the secured mdb to be unlocked, giving
permission to view database objects, possibily revealing other database
connection strings, propiertary source code, tampering of data.  One such
commercial database marketed by FMS, Inc., Total VB SourceBook 6.0, can be
 How to Recreate
======================================================================

 1. Create an mdb
 2. Create a Table
 3. Reopen the new mdb in exclusive mode
 4. From the Tools Menu, select Security and then click Set Database
Password
 5. Set database password
 6. Exit Access
 7. Create another mdb
 8. From the File Menu, select Get External Data, and click Link
Tables....
Select
    the passworded mdb and then select the table you created.
 9. Exit Access
10. Perform a strings+grep on the 2nd mdb to reveal the password.



------_=_NextPart_000_01BE50EB.74037D78
Content-Type: application/octet-stream;
        name="Kehoe, Anthony (Exchange).vcf"
Content-Disposition: attachment;
        filename="Kehoe, Anthony (Exchange).vcf"
Content-Location: ATT-0-117F845BD7BCD211940100A0C94AE925-K
        EHOE_%7E1.VCF

BEGIN:VCARD
VERSION:2.1
N:Kehoe;Anthony
FN:Kehoe, Anthony (Exchange)
ORG:Bear Stearns & Co.;Information Services
TITLE:Employee
TEL;WORK;VOICE:8-981-6655
ADR;WORK;ENCODING=QUOTED-PRINTABLE:;;Block 8 Harcourt Centre=0D=0ACharlotte way;Dublin;;2;Ireland
LABEL;WORK;ENCODING=QUOTED-PRINTABLE:Block 8 Harcourt Centre=0D=0ACharlotte way=0D=0ADublin 2=0D=0AIreland
EMAIL;PREF;INTERNET:KehoeA@pcinetgw
REV:19981102T105937Z
END:VCARD

------_=_NextPart_000_01BE50EB.74037D78--
Content-Type: text/plain



********************************************************************************
Bear Stearns is not responsible for any recommendation, solicitation, offer or
agreement or any information about any transaction, customer account or account
activity contained in this communication.
********************************************************************************

Current thread:

Re: Microsoft Access 97 Stores Database Password as Plaintext Paul Leach (Feb 04)
- <Possible follow-ups>
- Re: Microsoft Access 97 Stores Database Password as Plaintext Donald Moore (Feb 04)
- Re: Microsoft Access 97 Stores Database Password as Plaintext Allan Marillier (Feb 04)
- Re: Microsoft Access 97 Stores Database Password as Plaintext Kehoe, Anthony (Feb 05)
- FW: Microsoft Access 97 Stores Database Password as Plaintext Eric Stevens (Feb 05)
- Re: Microsoft Access 97 Stores Database Password as Plaintext Fernald, Brian (Feb 05)
- Re: Microsoft Access 97 Stores Database Password as Plaintext Sozni (Feb 05)
- Re: Microsoft Access 97 Stores Database Password as Plaintext Ervin Fried (Feb 05)
- Re: Microsoft Access 97 Stores Database Password as Plaintext sozni () USA NET (Feb 08)
  - Pine _again_ :) Chris Evans (Feb 08)
  - Re: Microsoft Access 97 Stores Database Password as Plaintext Stephen M. Milton (Feb 08)
    - Re: Microsoft Access 97 Stores Database Password as Plaintext Jim Paris (Feb 09)
    - Re: Microsoft Access 97 Stores Database Password as Plaintext Jim Paris (Feb 09)
    - SECURITY: new wu-ftpd packages available (fwd) RHS Linux User (Feb 09)

(Thread continues...)