Re: Microsoft Access 97 MDW files

["Dave Korn" <davek_throwaway () hotmail com>]

> From: "Derek" <derekm () rogers com>
> To: <vuln-dev () securityfocus com>
> Subject: Microsoft Access 97 MDW files
> Date: Tue, 17 Jun 2003 15:04:09 -0400

> I'm particularily concerned with the Password column in the
> MSysAccounts table.  At first glance I can see only 64 bits of
> entropy:

 Try setting a password longer than seven characters.

> If we separate the rows where the data matches we get:
>
> 2bddbfb1e15292e4 526967add5f3e6e1
> 526967add5f3e6e1 526967add5f3e6e1
>
> It seems that the LS = RS on the empty password line, and RS = RS
> between the two lines.  I've tried putting in a single character
> password, but it seems to modify many bits in the LS.  Based on
> this information, it seems that a 64-bit hash function is used to
> calculate the left side, and the right side is used to obfuscate
> the result of the function via XOR (which yeilds a result of 0
> when LS = RS).  I also presume that the value of obfuscating the
> results of the hash function is so that the output is not
> noticably predictable at a glance?
>
> Does anyone have information that they can share to help the
> progression of this train of thought, or documentation to point
> me
> in the right direction?

 Yep.  It looks to me like it's based on that old lanman scheme of breaking 
up the password into two seven char chunks and hashing them independently.

 That's why LS == RS for the empty password: both empty 7 char subchunks 
hash to the same value.  That's also why if the pw is < 7 chars, the second 
chunk of the hash - based on the second (null!) 7 chars of the pw - will 
always be the same.

 Google "lanman hash weakness" for more info.

     DaveK

_________________________________________________________________
Use MSN Messenger to send music and pics to your friends 
http://www.msn.co.uk/messenger