Vulnerability Development mailing list archives
Microsoft Access 97 MDW files
From: "Derek" <derekm () rogers com>
Date: Tue, 17 Jun 2003 15:04:09 -0400
Does anyone know if there is a document that describes the algorithm used to scramble the password found in Microsoft Access MDW files? I've tried my luck with the archives here, and on Google, and I don't believe that this is a topic that has been discussed. I'm particularily concerned with the Password column in the MSysAccounts table. At first glance I can see only 64 bits of entropy: Here is a snippet from two columns copied and pasted into notepad, one per line, saved, and then converted to hex: fffedd2bb1bf52e1e4926952ad67f3d5e1e60d000a006952ad67f3d5e1e66952a d67f3d5e1e6
From this I've guessed that "fffe" is a unicode header, which
gives me: dd2bb1bf52e1e4926952ad67f3d5e1e60d000a006952ad67f3d5e1e66952ad67f 3d5e1e6 Since the rows are CR/LF delimited we get: dd2bb1bf52e1e4926952ad67f3d5e1e6 0d000a00 6952ad67f3d5e1e66952ad67f3d5e1e6 This file is also stored little-endian, so we get: 2bddbfb1e15292e4526967add5f3e6e1 526967add5f3e6e1526967add5f3e6e1 The first is a row that contains a password, the second row contains a password of "" (0 length string) If we separate the rows where the data matches we get: 2bddbfb1e15292e4 526967add5f3e6e1 526967add5f3e6e1 526967add5f3e6e1 It seems that the LS = RS on the empty password line, and RS = RS between the two lines. I've tried putting in a single character password, but it seems to modify many bits in the LS. Based on this information, it seems that a 64-bit hash function is used to calculate the left side, and the right side is used to obfuscate the result of the function via XOR (which yeilds a result of 0 when LS = RS). I also presume that the value of obfuscating the results of the hash function is so that the output is not noticably predictable at a glance? Does anyone have information that they can share to help the progression of this train of thought, or documentation to point me in the right direction? Thanks, Derek
Current thread:
- Microsoft Access 97 MDW files Derek (Jun 17)
- Re: Microsoft Access 97 MDW files Charles N Wyble (Jun 18)
- <Possible follow-ups>
- Re: Microsoft Access 97 MDW files Dave Korn (Jun 18)