********************************
* MS Access Security Breakdown *
*                              *
* By: Tesko905                 *
* Date: November 11, 2003      *
********************************


Introduction
------------

Recently, I stumbled across a security hole that may be present in many
MS Access based systems. The whole thing started one day at work when I
was assigned the task of making an add-on for one of our client's custom
information systems, which was based on MS Access and VBA. At first I
made a prototype and got the basic functionality working. Then it hit
me: this program is operational for all intents and purposes, yet I
haven't even touched user authentication! How can this be, I thought?
So I tried to look up information on how MS Access authenticates users,
but it took quite some time and I had to piece bits together from
different sources. From the data that I put together, I have come up
with the following security structure:

1. Database Password
   A single password can be assigned to the database to control access.

2. Workgroup File
   The database can be checked against a file containing users & groups.

3. Network Permissions
   The network share permissions of the database file.


How Did I Do It?
----------------

Now, I'll discuss how I was able to access the DB without any kind of
authentication. This particular DB had no initial DB password in place,
so there goes the first obstacle. The next part was also trivial. It
involves connection strings when setting up DB connections in your
programs. Below is an example of a standard DB connection in VB:

    ' The <...> values are placeholders for your own paths and login.
    Dim conn As New ADODB.Connection
    conn.Open "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=<database file>;" _
        & "Jet OLEDB:System Database=<workgroup file>;", _
        <username>, <password>

The above code compares <username> and <password> to entries in the
workgroup file and opens a connection to the DB if authentication is
successful. Now here is the simple part: remove
"Jet OLEDB:System Database=<workgroup file>;" AND <username> AND
<password> from the parameters and there is nothing to compare, thus
allowing the connection to be established!

So, simply forgetting to include some parameters in my connection call
allowed me to gain more insight into MS Access.


For the Non Programmers
-----------------------

If you don't know how to program, but want access to the database
through MS Access, here is how you can accomplish it. (Provided there is
no initial password, just a workgroup file to compare logins to.)

1. Search your workstation for a file named "wrkgadm.exe".
2. Run it.
3. Click join.
4. Select "system.mdw"; it's usually located in "c:\windows".
5. Open the database file with MS Access.

What the above does is change your workgroup file from the custom one
that is installed with the information system to the default Windows
one.


Network Permissions
-------------------

If the database is located on a network share, you may be thinking that
you can just control access that way, but you'd be totally wrong! Think
about it: the users of this database need to be able to look up data
(READ) and input new data (WRITE). So regardless, the user will be able
to manipulate any data in the DB, and there is no way to restrict the
user to specific areas. This is what the information system is supposed
to do, and does. But if you're coding your own front end, or using MS
Access, you're bypassing the information system totally and working with
the innards, which have no security restrictions in place.


But there is an initial password, what do I do now?
---------------------------------------------------

This can be a pain, but this is what you can do.

1. Since you have access to the network share (needed to look up and
   input data) you can simply copy the entire DB to your hard disk.
2. Grab a password cracker off the net; there are a bunch out there.
3. Let it run until it cracks it.


How do I, a programmer, secure my information system?
-----------------------------------------------------

1. Always have an initial password. Make it huge, with funky characters,
   and don't base it on a dictionary word.

2. If you're using an interpreted language, like VBA, find a way to
   protect the code, for example, the "protect project" feature in VBA.
   This is needed because you don't want people running your
   application to go nosing around in the source and pick out the
   initial password from the connection string.

3. Switch to a real DB like PostgreSQL or MySQL. Honestly, you'll thank
   me. You'll be able to control access to specific areas of the DB and
   you won't be pissed off with the little annoyances of MS Access. Not
   to mention the props you'll get for saving the company some $$$.


Outro
-----

If you have any comments or questions, feel free to email me at
rasterburn@sympatico.ca

Remember to check out the Canadian Hacking Scene at
http://www.hackcanada.com or http://www.nettwerked.net

---
Tesko905
Email: rasterburn@sympatico.ca
Webpage: http://cyberdelia.homeunix.org
MSN: rasterburn2@hotmail.com
ICQ: 2319732
VoiceMail: (905) 434-3488
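
A source-review check for the two connection-string problems the article describes (a Jet connection that names no workgroup file, and a password sitting in the source), added here as an example and not part of the original article. The function names, finding labels and SAMPLE text are made up for illustration; "Jet OLEDB:Database Password" is the Jet provider's connection-string property for the database password and does not appear in the article.

```python
import re

# A VB string literal (an inner quote is written "") and a chain joined by "&".
LITERAL = r'"(?:[^"]|"")*"'
CHAIN = re.compile(LITERAL + r'(?:\s*&\s*' + LITERAL + r')*')
WORKGROUP_KEY = "jet oledb:system database"
SECRET_KEYS = ("jet oledb:database password", "password")

# Constructed VB source for the demo; paths, names and password are made up.
SAMPLE = r'''
Dim conn As New ADODB.Connection
conn.Open "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=C:\app\data.mdb;" _
    & "Jet OLEDB:System Database=C:\app\secure.mdw;", userName, userPass
conn2.Open "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=C:\app\data.mdb;" _
    & "Jet OLEDB:Database Password=hunter2;"
'''

def statements(source):
    """Yield (first_line_no, text) with VB ' _' line continuations merged."""
    buf, start = "", 1
    for no, line in enumerate(source.splitlines(), 1):
        start = start if buf else no
        buf += line.rstrip()
        if buf.endswith(" _"):
            buf = buf[:-1]          # drop the marker and keep reading
        else:
            yield start, buf
            buf = ""

def parse_props(conn_str):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    pairs = (part.partition("=") for part in conn_str.split(";"))
    return {k.strip().lower(): v.strip() for k, sep, v in pairs if sep}

def audit(source):
    """Return sorted (line_no, finding) pairs for Jet connection strings."""
    findings = []
    for no, stmt in statements(source):
        for chain in CHAIN.findall(stmt):
            parts = re.findall(LITERAL, chain)
            props = parse_props("".join(p[1:-1].replace('""', '"') for p in parts))
            if "microsoft.jet.oledb" not in props.get("provider", "").lower():
                continue
            if not props.get(WORKGROUP_KEY):
                findings.append((no, "no-workgroup-file"))   # string names no .mdw
            if any(props.get(k) for k in SECRET_KEYS):
                findings.append((no, "embedded-password"))   # literal secret in source
    return sorted(findings)
```

Run `audit()` over each exported module of the front end; in SAMPLE only the second connection (line 5) is reported, for both findings.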