Solved "Encrypted-Split-No-Strings-DB" - Security Challenge Solved

FrankRuperto

Member
Joined
Mar 6, 2021
Messages
182
I am not an experienced Access/VBA developer, and after not too much effort I was able to break into the accde frontend of the "encrypted-split-no-strings-demo-database" security challenge, alter settings, and view enough things that made it possible for me to reach RC4-encrypted data in the (unknown to me) password-protected backend, decrypt the data to plain text and export it to an Excel sheet, which I emailed to the demo's author.
 

isladogs

MVP / VIP
Joined
Jan 14, 2017
Messages
18,186
"Welcome" to AWF :rolleyes:

Sad to see that you've moved from UA just to persist in making incorrect statements.

For info, this post relates to my Encrypted Split No Strings example database / security challenge.

With a lot of help from me AND a huge amount of time and effort on your part, you made some limited progress in hacking the app.
However, you showed no evidence that you had actually decrypted the data to plain text.

At my request you sent me the Excel file which clearly indicated that you had just copied the decrypted data manually.
For those unaware of the app, the decrypted data is available for editing in the FE.

In recent weeks, you have made repeated false claims regarding the security of Access files including statements that ACCDE files could easily be reverse engineered to ACCDB and that ACCDB/ACCDE encryption passwords could easily be bypassed.

You have also forwarded my example app to the Microsoft Bounty Programs | MSRC without my permission. Whether that was to try and get a reward or to alert them to supposed weaknesses in Access isn't the point. You had no right to do so without asking me first.

If there are any weaknesses in the app, these are due to my errors rather than Microsoft.
 

theDBguy

I’m here to help
Staff member
Joined
Oct 29, 2018
Messages
21,357
Hi Frank. Welcome to AWF!
 

FrankRuperto

Member
Joined
Mar 6, 2021
Messages
182
The multiple security holes in compiled accde front ends were the low-hanging fruit I was able to exploit to unlock enough options, which made it possible for me to use, e.g., the VBA Object Browser to view values like RC4_Key, your cipher key, strPassword, the password to your encrypted backend, etc. etc. Bypassing all the safeguards you put in the frontend was the easy part. The spreadsheet I sent you was not a copy of the data in your report; rather, it was an export of the tblBEData in your backend. There was another hidden table with a Zen_Keys in it which I didn't bother to send you. The least you can do is acknowledge that no matter how much you try to protect an Access FE and its data, someone can crack it. I am not an experienced Access developer and was able to crack your challenge, so imagine what an expert can do. It's game over for your challenge, admit it and move on.
 

isladogs

MVP / VIP
Joined
Jan 14, 2017
Messages
18,186
Hmm. This is a direct quote from the article on my website:
a) Access databases can NEVER be made 100% secure
b) A capable and determined hacker can break any Access database given sufficient time and motivation.
c) However, by erecting various barriers, it is certainly possible to make the process so difficult and time consuming that it isn't normally worth attempting.
d) Access apps (or any applications) are only as secure as the weakest part of the security used
The app will at some point be successfully solved by someone. However, it is clear that you haven't done so despite your claims.
admit it and move on.
 

The_Doc_Man

Immoderate Moderator
Staff member
Joined
Feb 28, 2001
Messages
26,996
@FrankRuperto - nobody in his/her right mind on this forum would claim that an Access FE is uncrackable. Since I have known Colin on this forum, I have never heard him say that something was uncrackable. He has always clarified that his "hardening" methods were merely to convert lower hanging fruit to higher hanging fruit. If you know the term "low-hanging fruit" then you are at least somewhat familiar with security issues.

Were you aware that even some of the shorter Advanced Encryption Standard methods used by the Federal Government have been cracked? At least the AES128 and AES192 are no longer recommended for Secret use by the U.S. Navy. Even military encryption can be hacked.

I know of only one bit of software that is (so far) uncrackable when configured correctly, and that is the OpenVMS operating system - and then, ONLY from the outside, since inside threats are almost unstoppable. Hackers at DEFCON 9 were unable to break into an OpenVMS 8.4 sitting on their network for a week of exposure. I could tell you why but then I'd have to shoot you. (Fortunately, only shoot to maim. It ain't THAT big of a secret. ;) )

Before you ask, I have 28 1/2 years of experience with U.S. Navy systems, hold security and O/S certifications, and held elevated clearances for at least 25 years before I retired. I understand the basics and some not-so-basics of security. Your claim, while true, is actually rather ho-hum. No big news. So be nice to Colin.
 

FrankRuperto

Member
Joined
Mar 6, 2021
Messages
182
Hi Doc,

I guess Colin needs to go back to the drawing board and improve the hardening of his frontend demo because, as you are well aware, while the frontend has an open link to backend tables, if you enable the various FE UI features and options and view string values with the VBA Object Browser, it is possible to get to the backend data, reverse engineer the encrypted data and export it.

For many years, I worked for DoD contractors who had VAX/VMS clustered shops, developing Informix and Oracle-based applications, and I agree with you that OpenVMS is a lot more secure than Windows and even Linux. OpenVMS has an ITSEC E3 rating and passwords are hashed using the Purdy Polynomial. However, a very old, but fairly recently discovered vulnerability allowed an attacker with access to the DCL command line to bypass system security and take full control of the system, so as a renowned developer always says, "Security is an illusion" :)

EDIT: Note to Colin, isn't "rmp4_key" your cipher key used for encrypting your backend data with the RC4 function?
If I have the cipher key, do you think it not possible to decrypt the data in your backend?
 

Attachments

  • rmp4_key.PNG (43 KB)

Mike Krailo

Well-known member
Joined
Mar 28, 2020
Messages
1,030
Frank you going to Home Depot tomorrow?

Frank

Frank the tank, Frank the tank, Frank the tank.
 

arnelgp

..forever waiting... waiting for jellybean!
Joined
May 7, 2009
Messages
19,169
You have also forwarded my example app to the Microsoft Bounty Programs | MSRC without my permission.
Whatever you post in public becomes public property.
There is no need for your permission, unless it was hacked from your
private messages or the conversation is strictly private between the two of you.
 

The_Doc_Man

Immoderate Moderator
Staff member
Joined
Feb 28, 2001
Messages
26,996
However, a very old, but fairly recently discovered vulnerability allowed an attacker with access to the DCL command line to bypass system security and take full control of the system

As I said, "uncrackable from the outside." But of course, IF you have access to DCL, you HAVE to be inside because until you are logged in, you have NO command-line interface of record so CANNOT give ANY commands. The DCL "hack" is one that can be configured away and for which patches have been published. If you know DoD methods, you know that vulnerability alerts had LONG ago covered that problem. Which therefore makes me think your knowledge isn't recent.
 

gemma-the-husky

Super Moderator
Staff member
Joined
Sep 12, 2006
Messages
15,613
What am I doing wrong Colin?

I downloaded all the variants of the challenge to have a look, but each front end gives me this error after entering your password.
I am using Office 365, 16.0 32bit

2021-03-07 (2).png
 

isladogs

MVP / VIP
Joined
Jan 14, 2017
Messages
18,186
Hi Dave
Hmm. Not sure what would cause that unrecognised database format error.

Just to clarify, have you downloaded v525 from my website or an earlier version from elsewhere?
The website has 3 versions - is that what you mean by all the variants?:
1615123326501.png

The A365 FE is called FEX32_365.accde. Have you renamed it for testing?
The ACCDE file is definitely OK and one of the security checks is the IsDbSecured procedure

If you are still stuck, please can we continue via email or PM
 

FrankRuperto

Member
Joined
Mar 6, 2021
Messages
182
What am I doing wrong Colin?

I downloaded all the variants of the challenge to have a look, but each front end gives me this error after entering your password.
I am using Office 365, 16.0 32bit

View attachment 89751
Hi Dave,

I noticed you tried opening them from your D drive, maybe it needs to be on C?
Also, are you opening it in exclusive or shared mode from the cmd shell command line?
 

isladogs

MVP / VIP
Joined
Jan 14, 2017
Messages
18,186
It doesn't matter which drive is used but both FE and BE need to be in the same folder.

However, Frank may be correct in his comments regarding Exclusive mode.
The application has been designed so that it will only run in shared mode

One of the checks made at startup is to test for exclusive mode
If detected, it SHOULD show this message and then close whichever version you use
1615192768018.png


However, I've just retested using Exclusive mode with the 365 version and opening it using A2010. It did indeed show this message for obvious reasons:
1615192930212.png


Hope that clarifies things
 

FrankRuperto

Member
Joined
Mar 6, 2021
Messages
182
Perhaps it could also be the infamous version 1803 / Win10 MS bug, or his D path is not a trusted location?
 

isladogs

MVP / VIP
Joined
Jan 14, 2017
Messages
18,186
The app checks whether the location is trusted at startup
 

FrankRuperto

Member
Joined
Mar 6, 2021
Messages
182
@isladogs ,

Ironically, I am planning to distribute a free templated version of my pawnshop management app to select pawnbrokers who will pay for customizations, and I need to really lock down the FE and BE from intrusion. Can you further harden your demo challenge?

See my related post: https://www.access-programmers.co.u...ment-of-demo-application.316715/#post-1753426

FYI, Microsoft Bounty Program closed the case I submitted. They're not interested in the vulnerabilities I identified in my PoC 🙁
 

Attachments

  • VULN.PNG (39.4 KB)

isladogs

MVP / VIP
Joined
Jan 14, 2017
Messages
18,186
Hi Frank
Yes I can add further barriers to my security challenge and indeed intermittently started working on the next version several weeks ago.
Ironically, you gave me a couple of ideas in passing that I intend to implement.

However, I'm never going to state that an Access database can be guaranteed to be 100% secure. Nor indeed is SQL Server or any other application. There are other methods of breaching security which make that impossible, but I have not and will not discuss those methods in a forum.

That was exactly the response I expected from Microsoft. The vulnerabilities that I believe you reported have been well known for many years.
Whilst some of those could be overcome, there is little benefit from doing so when other methods of attack exist.

If you want my assistance in limiting unauthorised access to your application, you can contact me by email or PM
 

FrankRuperto

Member
Joined
Mar 6, 2021
Messages
182
Okay thanks.
That was exactly the response I expected from Microsoft. The vulnerabilities that I believe you reported have been well known for many years.
Whilst some of those could be overcome, there is little benefit from doing so when other methods of attack exist.

If you want my assistance in limiting unauthorised access to your application, you can contact me by email or PM
Me thinks MSRC rejected my submission because MS' priority focuses on the online M365 product. I pointed out all the loose ends I found in compiled accde's which need to be tied up. Perhaps approaching the MS Access Team would be more effective.

I will email you, thanks!
 
