Team82 has made freely available a tool called AccessDB Parser
The Python-based AccessDB Parser supports software testing, fuzzing, research, and other activities
It supports Microsoft Access versions 1995 up to 2010
Team82 today shares AccessDB Parser, a new, purpose-built tool we developed to support activities such as testing, automation, fuzzing, and reverse-engineering research, among others. The standalone tool—which can be used to quickly parse through Microsoft AccessDB files (.mdb/.accdb)—is fully written in Python, thus eliminating any external binary dependencies.
Our parser supports Microsoft Access versions 1995 up to 2010. Microsoft Access is a database management system from Microsoft that combines the relational Microsoft Jet Database Engine with a graphical user interface (GUI) and software-development tools. It is a member of the Microsoft Office suite of applications, included in the Professional and higher editions or sold separately.
According to Claroty Researcher Uri Katz, who led the development of AccessDB Parser, the initial purpose of the tool was to support Claroty Continuous Threat Detection (CTD)'s Application DB (AppDB) scanning capabilities. Unique to Claroty, AppDB provides a safe, effective, and non-intrusive method for identifying and managing assets in operational technology (OT) environments by parsing artifacts such as programmable logic controller (PLC) and remote terminal unit (RTU) project configuration files.
As part of Claroty's efforts to deliver the highest level of visibility into OT environments, we sought to develop a tool that would allow AppDB to process additional types of SCADA project files containing .mdb files. In addition, we wanted this tool to allow us to create multiple tests, verify test results, and automate some of our testing processes.
To address these needs, we decided to invest time in developing our own parsing tool, below, which could easily be modified and improved on an ongoing basis as our needs evolve. We ensured to make the tool open-source, knowing that it would likely prove useful for other reverse engineers.
C Implementation: Our library of tools relies heavily on the well-documented work of mdb-tools, which can be accessed here.
Java Implementation: We also benefited greatly from Jackcess, an all-Java library for reading from and writing to MS Access databases, currently supporting versions 2000-2016. Jackcess is not an application and does not have a GUI. Rather, it is intended to help developers build Java applications.
OLE fields are currently not supported.
Only a subset of memo fields are parsed.
This library was tested on a limited subset of database files. Due to the differences between database versions and the complexity of the parsing, we expect to find more parsing edge-cases.
To help us resolve issues faster, please provide as much data as possible when opening an issue, including the DB file if possible, as well as full trace, including log messages.
Click here to watch a demo of Claroty AccessDB Parser
Click here to download the tool on Claroty's GitHub repository
CWE-257: Storing Passwords in a Recoverable Format
RND encrypts passwords with a hardcoded weak secret key and returns the passwords in plaintext. If the server were compromised, an attacker could gain all the plaintext passwords and decrypt them.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 5.3
CWE-321: Use of Hard-coded Cryptographic Key
A built-in user called sshuser, with root privileges, exists on the RND platform. Both public and private ssh keys exist in the sshuser home directory. Anyone with the private key can access an RND server as sshuser.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 10.0
CWE-259: Use of Hard-coded Password
RND includes a jailed environment to allow users to configure devices without complete shell access to the underlying operating system. The jailed environment includes a built-in jailbreak for technicians to elevate privileges. The jailbreak requires a weak password that is hardcoded into the environment. Anyone with this password can access an RND server with root permissions.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 8.2
CWE-321: Use of Hard-coded Cryptographic Key
RND uses a secret key on the backend web server to ensure that session JWTs are valid. This secret key is hardcoded into the web server. Anyone with knowledge of the secret key could create a valid JWT, thus bypassing the typical authentication to access the server with administrator privileges.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 9.8
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
An authenticated vSZ user supplies an IP address as an argument to be run in an OS command, but this IP address is not sanitized. A user could supply other commands instead of an IP address to achieve RCE.
No patches have been supplied by the vendor at this time. To mitigate risk, network administrators should limit access to the wireless management environments that use these affected products, allowing a limited set of trusted users and their authenticated clients to manage Ruckus infrastructure via a secure protocol such as HTTPS or SSH.
CVSS v3: 9.0
