Vulnerability Development mailing list archives
Re: Microsoft Access 97 MDW files
From: "Dave Korn" <davek_throwaway () hotmail com>
Date: Tue, 17 Jun 2003 22:54:51 +0000
From: "Derek" <derekm () rogers com>
To: <vuln-dev () securityfocus com>
Subject: Microsoft Access 97 MDW files
Date: Tue, 17 Jun 2003 15:04:09 -0400

I'm particularly concerned with the Password column in the MSysAccounts table. At first glance I can see only 64 bits of entropy:
Try setting a password longer than seven characters.
If we separate the rows where the data matches we get:

2bddbfb1e15292e4 526967add5f3e6e1
526967add5f3e6e1 526967add5f3e6e1

It seems that the LS = RS on the empty password line, and RS = RS between the two lines. I've tried putting in a single character password, but it seems to modify many bits in the LS.

Based on this information, it seems that a 64-bit hash function is used to calculate the left side, and the right side is used to obfuscate the result of the function via XOR (which yields a result of 0 when LS = RS). I also presume that the value of obfuscating the results of the hash function is so that the output is not noticeably predictable at a glance?

Does anyone have information that they can share to help the progression of this train of thought, or documentation to point me in the right direction?
Yep. It looks to me like it's based on that old lanman scheme of breaking up the password into two seven char chunks and hashing them independently.
That's why LS == RS for the empty password: both empty 7 char subchunks hash to the same value. That's also why if the pw is < 7 chars, the second chunk of the hash - based on the second (null!) 7 chars of the pw - will always be the same.
Google "lanman hash weakness" for more info.

DaveK
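
The split-and-hash layout described in the reply above, as an added example that is not part of the original message. It reproduces the two observations (LS == RS for an empty password, a constant RS for any password of seven characters or fewer) and shows what an auditor can read from a stored pair. The half_hash function is a stand-in (truncated SHA-256) chosen as an assumption; it is not the function Access 97 or LANMAN uses, and all names and sample passwords are constructed.

```python
import hashlib

CHUNK = 7  # characters per independently hashed half, as in the LANMAN layout


def half_hash(chunk: bytes) -> str:
    """Stand-in 64-bit hash of one null-padded 7-byte chunk (assumption:
    truncated SHA-256, NOT the function Access 97 or LANMAN actually uses)."""
    return hashlib.sha256(chunk.ljust(CHUNK, b"\0")).hexdigest()[:16]


def split_hash(password: str) -> tuple[str, str]:
    """Pad to 14 bytes, split into two 7-byte chunks, hash each on its own."""
    data = password.encode("latin-1")[: 2 * CHUNK].ljust(2 * CHUNK, b"\0")
    return half_hash(data[:CHUNK]), half_hash(data[CHUNK:])


# Hash of an all-null chunk: the right side whenever the password has
# 7 characters or fewer, and both sides when the password is empty.
NULL_HALF = half_hash(b"")


def classify(ls: str, rs: str) -> str:
    """Audit view: what a stored (LS, RS) pair reveals without any cracking."""
    if ls == NULL_HALF and rs == NULL_HALF:
        return "empty password"
    if rs == NULL_HALF:
        return "password is 7 characters or fewer"
    return "password is longer than 7 characters"


if __name__ == "__main__":
    # Constructed sample passwords, not values from the thread.
    for pw in ["", "a", "secret7", "secret78", "correcthorse12"]:
        ls, rs = split_hash(pw)
        print(f"{pw!r:18} {ls} {rs}  -> {classify(ls, rs)}")
```

Because each half is hashed on its own, the length class of every account is visible from the table alone, and each half can be checked independently of the other.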