{"id": "PACKETSTORM:12241", "type": "packetstorm", "bulletinFamily": "exploit", "title": "ms-access-97-passwords.txt", "description": "", "published": "1999-08-17T00:00:00", "modified": "1999-08-17T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/12241/ms-access-97-passwords.txt.html", "reporter": "Donald Moore (MindRape)", "references": [], "cvelist": [], "lastseen": "2016-11-03T10:20:35", "viewCount": 1, "enchantments": {"score": {"value": -0.3, "vector": "NONE", "modified": "2016-11-03T10:20:35", "rev": 2}, "dependencies": {"references": [], "modified": "2016-11-03T10:20:35", "rev": 2}, "vulnersScore": -0.3}, "sourceHref": "https://packetstormsecurity.com/files/download/12241/ms-access-97-passwords.txt", "sourceData": "`Date: Thu, 4 Feb 1999 04:15:13 -0700 \nFrom: \"Donald Moore (MindRape)\" <mindrape@HOME.COM> \nTo: BUGTRAQ@netspace.org \nSubject: Microsoft Access 97 Stores Database Password as Plaintext \n \n====================================================================== \nTitle: Microsoft Access 97 Stores Database Password as Plaintext \nDate: 02/03/99 \nAuthor: Donald Moore (MindRape) \nE-mail: damaged@futureone.com \n====================================================================== \n \nMicrosoft Access 97 databases protected with a password are stored in \nforeign mdb's table attachements as plaintext. This can be accessed very \neasily by issuing a strings and grep operation on the foreign mdb. \n \nExample: \n% strings db1.mdb | grep -i \"pwd\" \n \nMS Access;PWD=plaintext;Table2pppppppjI'% \nMS Access;PWD=plaintext;Table1qqqqqqqkJ(& \n \n====================================================================== \nImpact of Exploit \n====================================================================== \n \nHaving the password allows the secured mdb to be unlocked, giving permission \nto view database objects, possibily revealing other database connection \nstrings, propiertary source code, tampering of data. One such commercial \ndatabase marketed by FMS, Inc., Total VB SourceBook 6.0, can be easily \ncompromised using this method. \n \n \n====================================================================== \nHow to Recreate \n====================================================================== \n \n1. Create an mdb \n2. Create a Table \n3. Reopen the new mdb in exclusive mode \n4. From the Tools Menu, select Security and then click Set Database \nPassword \n5. Set database password \n6. Exit Access \n7. Create another mdb \n8. From the File Menu, select Get External Data, and click Link Tables.... \nSelect \nthe passworded mdb and then select the table you created. \n9. Exit Access \n10. Perform a strings+grep on the 2nd mdb to reveal the password. \n \n \n- - - ------------------------------------------------- - -- --- \n______ ______ . \n.:_\\___ \\\\_ . \\_::. \nDonald Moore (MindRape) . .::./ ./ // ./__/.:::. . \n_<_____/<____ >_:. \nEmail: mindrape@home.com . \\/ . \ndamaged@futureone.com Damaged Cybernetics \n- - - ------------------------------------------------- - -- --- \n \n-------------------------------------------------------------------------- \n \nDate: Thu, 4 Feb 1999 22:07:40 -0700 \nFrom: \"Donald Moore (MindRape)\" <mindrape@HOME.COM> \nTo: BUGTRAQ@netspace.org \nSubject: Re: Microsoft Access 97 Stores Database Password as Plaintext \n \nPaul, \n \nThis recreation just demonstrates how you can recreate this situation. The \nproblem is that Microsoft Access stores the password to the database in \nplaintext. Without knowing the password beforehand, one can search other \nmdb's looking for table attachments orginiating from the passworded \ndatabase. The commercial product from FMS has been compromised, and a \nnumber of others (including our own product). \n \n \n______ ______ . \n.:_\\___ \\\\_ . \\_::. \nDonald Moore (MindRape) . .::./ ./ // ./__/.:::. . \n_<_____/<____ >_:. \nEmail: mindrape@home.com . \\/ . \ndamaged@futureone.com Damaged Cybernetics \n- - - ------------------------------------------------- - -- --- \n \n \n \n-----Original Message----- \n>From: Paul Leach <paulle@microsoft.com> \nTo: 'Donald Moore (MindRape)' <mindrape@HOME.COM>; BUGTRAQ@NETSPACE.ORG \n<BUGTRAQ@NETSPACE.ORG> \nDate: Thursday, February 04, 1999 12:32 PM \nSubject: RE: Microsoft Access 97 Stores Database Password as Plaintext \n \n \n>I'm not an Access guru, so please forgive me, but I don't quite understand \n>the scenario. Please see the questions below. \n> \n>> -----Original Message----- \n>> From: Donald Moore (MindRape) [mailto:mindrape@HOME.COM] \n>> Sent: Thursday, February 04, 1999 3:15 AM \n>> \n>> ====================================================================== \n>> How to Recreate \n>> ====================================================================== \n>> \n>> 1. Create an mdb \n>> 2. Create a Table \n>> 3. Reopen the new mdb in exclusive mode \n>> 4. From the Tools Menu, select Security and then click Set Database \n>> Password \n>> 5. Set database password \n>> 6. Exit Access \n>> 7. Create another mdb \n>> 8. From the File Menu, select Get External Data, and click \n>> Link Tables.... \n>> Select \n>> the passworded mdb and then select the table you created. \n> \n>At this point, didn't you have to enter the password of the first mdb to \nget \n>access to it? \n> \n>If so, then the fact you got access to the passwords after knowing the \n>password doesn't seem very interesting. \n> \n>If not, then it seems like that's _actually_ the bug: you got access to a \n>password protected database without having to know the password. \n> \n>> 9. Exit Access \n>> 10. Perform a strings+grep on the 2nd mdb to reveal the password. \n>> \n> \n>Finally, why wouldn't ACLs be used to protect the database instead of \n>passwords? \n> \n>Paul \n \n------------------------------------------------------------------------- \n \nDate: Fri, 5 Feb 1999 09:03:22 -0500 \nFrom: Eric Stevens <ejsteven@CS.MILLERSV.EDU> \nTo: BUGTRAQ@netspace.org \nSubject: FW: Microsoft Access 97 Stores Database Password as Plaintext \n \n \nAppologies, the files were too large to send through Bugtraq, you may go \nhere instead: \nhttp://cs.millersv.edu/~ejsteven/linked.mdb \nhttp://cs.millersv.edu/~ejsteven/protected.mdb \n \n-----Original Message----- \n>From: Eric Stevens [mailto:ejsteven@cs.millersv.edu] \nSent: Friday, February 05, 1999 8:53 AM \nTo: bugtraq@netspace.org \nSubject: RE: Microsoft Access 97 Stores Database Password as Plaintext \n \n \nWhat our friend is saying is that if you File >> Get External Data >> Link \nTables [which is something that I use regularly] on a password protected \ndatabase, the passwords to the protected database are stored in the database \nthat contains the linked tables in plain text. \nAttached are two databases, Protected.mdb and Linked.mdb. Their names are \nself explanatory. If you text edit the Linked.mdb, you'll quickly discover \nthe unprotected password. The threat is this: You have a database system \nset up that may be prone to attack (and ALL general use systems are prone to \nattack, perhaps by a disgruntled employee) which uses linked tables, and a \nsimple-minded fool could figure out how to gain full access, and place in \nsome malicious code, even if the database that contains the links is \nprotected with a password. Here's some of the text right from Notepad to \nyour computer: \n \nC:\\My Documents\\protected.mdb [...about 10 ASCII characters...] MS \nAccess;PWD=protected;protected \n \nThe passwords to the two databases attached are: \nlinked.mdb; linked \nprotected.mdb; protected \n \n,----/ + \n/ Eric Stevens \\ \n/--/ ejsteven@cs.millersv.edu \\ \n/ Dept. of Computer Science \\ \n'----/ Millersville University, PA + \n \n------------------------------------------------------------------------- \n \nDate: Fri, 5 Feb 1999 09:14:11 MST \nFrom: Sozni <sozni@USA.NET> \nTo: BUGTRAQ@netspace.org \nSubject: Re: Microsoft Access 97 Stores Database Password as Plaintext \n \nI noticed that there was a bit of confusion about MindRape's comments and I \nthought I would help clear them up. \n \nWhat he is talking about is that when one Microsoft Access database attaches \nto tables from another Microsoft Access database, the connection string \n(including the password) is stored in the MSysObjects table. Since you will \nneed the database password to attach a table, you must have a database with \nthe table already attached. \n \nHowever, it is not uncommon (and considered good practice) to have one \ndatabase for code and another for the data tables. The point is to keep your \ncode in a separate database and attach to the other tables so that when you \nupdate your code, you just replace the code database. \n \nThe obvious problem with this is that the password to the data database is \nstored in the MSysObjects table of the code database. \n \nThe quickest solution is to encrypt the database as well as using password \nprotection. Of course, one should also set the proper rights and permissions \non a production database. As added protection, the tables could all be \nattached in code using an autoexec macro. You could use the ACL to limit \ndatabase access, but MindRapes' method would simply require read access. If \nyou take away read access to the database, it isn't very useful. \n \nThis same problem shows up anywhere you must save the connection string to a \ndatabase. I often find passwords visible in plaintext in an executable that \naccess a protected database. Connection strings can also be exposed on poorly \nprotected .asp pages and cgi scripts. \n \nIn short, it would be nice if Access encrypted the connection string by \ndefault but since it doesn't this is probably more of a misconfiguration \nexploit rather than a software bug. \n \n.sozni \n \n------------------------------------------------------------------------- \n \nDate: Mon, 8 Feb 1999 10:15:39 -0500 \nFrom: sozni@USA.NET \nTo: BUGTRAQ@netspace.org \nSubject: Re: Microsoft Access 97 Stores Database Password as Plaintext \n \nThis other issue you have brought up is indeed a very serious security risk. In fact I always open up \nAccess databases in a hex editor just to see what I can find. There was an old add-in from Microsoft \nthat contained a confidential (although not interesting) internal memo. I also once found a password \nfor an online brokerage account in a production database. \n \nThe problem is that Access allocates the the space it needs for its tables but until used, that space \nwill contain whatever used to be on those sectors on the hard drive. \n \nMy solution was to write a utility that will make a huge file filled with zeros the same size as the \nremaining space on the hard drive. Then I deleted that file and compacted the database into a new \nfilename. \n \nOf course this was several years ago when remaining space on a hard drive was negligent. I look at my \nremaining hard drive space now and making a 3GB file would not be practical. Perhaps you could make a \nsmall partition or even a ram drive just for this purpose. \n \n.sozni \n \n>Another issue: while looking ate mdb files in a text editor, i noticed \nthat the files contain 'garbage' info also (random memory \ncontent, since it was info i typed minutes ago). \n'compact database' didn't help. \n \nA service provided by TechAID Computer Services, http://www.techaid.net \nThe e-mail address of the sender MAY NOT BE AUTHENTIC. \n \n------------------------------------------------------------------------- \n \nate: Fri, 12 Feb 1999 10:07:18 -0800 \nFrom: Ian Holsman <IanHolsman@INAME.COM> \nTo: BUGTRAQ@netspace.org \nSubject: Re: Microsoft Access 97 Stores Database Password as Plaintext -- MS Money Affected \n \nThis also affect Microsoft Money.. as it stores it's details in a Access MDB \nformat. \n \nyou can use the all-access program posted here to find out your Money password \n \n`\n", "immutableFields": []}

{}