A potential security flaw in the EASY/AERIES product.
EASY-98
is designed to operate under Windows (version 3.1 or later, Windows 95, 98, 2000 or NT) and uses the Microsoft Access relational database management system to maintain student and other related data for schools. It is specially designed to provide an easy way to convert to Windows and Access with a minimum of retraining. All functions are very easy to invoke, either by clicking on a form "button" with the mouse, or by typing one letter on the keyboard.EASY-98 Control Panel. From this form you can quickly perform all the functions within EASY-98.
STUDENT DEMOGRAPHIC DATA
The Student Data form is shown below. It displays most of the personal data about each student, and has buttons which will display all the other student-related forms. Notice the function keys at the bottom of the form. These are consistent in all the data displays in EASY-98. For example, you can either press the F key on the keyboard, or click on the Forward button with the mouse to go forward in the student file. The other function keys work in the same way.
STUDENT SCHEDULING
This form is used to schedule students into their classes for the coming semester or school year. The student's requested courses are first entered into this file either using a scanner sheet or by adding them using this form. The Scheduling Master Schedule is then created. Then this form can be used to schedule one or all students into their new classes. Scheduling is very fast, most schools taking less than one minute to schedule all students!
STUDENT ATTENDANCE
The Attendance form is used to display and maintain each student's attendance record. Normally the absences are input via scanner sheets, and this form is used only to make corrections and enter reasons for absences.
STUDENT GRADES
This form displays the current grades for each student. The period, course, teacher, and credit value of each class the student has is saved in the grade table. Then the marks are gathered from the teacher, and added to the grade table. When all the grades are in, report cards and other reports are printed.
QUERY
The Eagle Software QUERY program is an updated Windows version of the classic QUERY language created in 1966 by the founder of Eagle Software. This QUERY language uses a simple structure in which files or tables are given three letter codes, such as STU, and fields are given two letter codes such as LN, FN, etc.
MISCELLANEOUS FUNCTIONS and other screen shots of EASY-98.
17821 Seventeenth Street, Suite 290 Tustin, CA 92780
(714) 832-9995
· Fax (714) 832-2172 · Toll Free (888) 324-5363All of the above screen shots of this product were taken directly from http://www.eagle2000.com. I thought this might help the people that would like access to this system. Aside from the Windows GUI it has, it is pretty much the same as its' earlier counterpart SASI 3. The Easy 98 database software is also 100% completely compatible with the SASI 3 database software. In case you haven't already figured it out, Eagle software has made both of these products, Easy 98 and SASI 3.
While there is no information regarding the hacking process of this GUI database yet, hopefully there will be. Stay tuned.
Here is the little blurb you can find on the eagle2000 website about Easy-98 (otherwise known as Easy-99; otherwise known as AERIES).
INTRODUCTION
AERIES™ is a modern Student Information System, designed to replace aging
DOS software with a state-of-the-art, easy-to-use Windows product.
AERIES™ is extremely easy to learn and to use. Designed to operate under
Windows (version 3.1 or later, Windows 95. 98, Windows 2000 or NT), AERIES™
uses the Microsoft Access relational database management system to maintain
student and other related data for schools. It is specially designed to provide an
easy way to convert to Windows and Access with a minimum of retraining. All
functions are very easy to invoke, either by clicking on a form "button" with the
mouse, or by typing one letter on the keyboard.
PRICING & SYSTEM REQUIREMENTS
Pricing for AERIES™ is very competitive, well within the reach of most schools.
Elementary schools pay $ 5,000, Middle Schools pay $ 7,000, Continuation High
Schools pay $ 6,000 and High schools pay $ 10,000 for the software. The first
year of support is $ 1,000 for elementary and $ 2,000 for secondary. If your
district has a data processing coordinator through which all support is directed,
the support costs are cut in half. Training costs are $ 1,000 per day. Traveling
expenses will be added if necessary for training.
AERIES™ requires a Windows capable computer system with at least 16
megabytes of memory. However, a 32 MB Pentium pro or Pentium II processor is
preferred. Any current version of Windows may be used, including Windows 3.1.
95, 98, Windows 2000 and NT. ACCESS should be installed on each AERIES™
computer. It is also possible to use a run-time version of Access, which is free.
Now would be an excellent time for you to try out AERIES™. We would be glad to
send you a demonstration copy that you can use with your own school's data. You
can easily create a new Access database from your schools files, and try out all
the features in AERIES™. You can also now download a demonstration copy of
AERIES™ that contains most of the features of the full version.
It should be mentioned that since this document was originally released, Eagle Software has put out other versions of this program that were simply named Easy-99 and AERIES. The product in question appears to be permanently named AERIES. AERIES is practically a clone of Easy-98 and Easy-99 (they have been updating it and renaming it for the current year, but they have finally stopped and called the product AERIES). The G.U.I. is still extremely similar to Easy-98 and the program is still compatible with SASI 3.
Something else that is important is if you ever have the oppurtunity to login to the Easy-99 system, you need to be aware that Easy-99 security login passwords are case sensitive. Make sure you are using lower case, (Caps Lock off) if that is how your password is supposed to be entered.
You should be aware that if the school you have access to is running the EASY-97, 98, 99 or AERIES product that is running under Microsoft Access, then it might be succeptable to a gaping security hole. If the database file itself can be accessed through a network, then it can potentially be tampered with. The security hole in question is as follows:
There is a main database file created under Microsoft Access that is named SCH.MDB. This file is created with the EASY/AERIES product via Microsoft Access. If the file in question is password protected, then that password can be retrieved in under one second. In other words, if you have to enter a password before you can open the SCH.MDB file, then you can get that password in just a few, short steps.
First, download this utility which can retrieve Microsoft Access 97 passwords in a snap. all-access.exe
After you have downloaded the program remove it from the zip archive and put it in any directory on YOUR computer. The program should be self explanatory. Tell the program where the *.MDB file is and it will get the password for you in a very short time.
Suppose that the all-access.exe program is located in C:\all-ac~1.exe on YOUR computer and then suppose the Microsoft Access *.MDB file is located in D:\EAGLE\db1.mdb on a mapped network drive. Usage for the program is as follows:
C:\>all-ac~1.exe D:\EAGLE\db1.mdb
It the above method doesn't work, you will get an error message saying something like "Unable to open file." That means that someone on the network has the file open and is working with it. If you encounter this, and you probably will, and assuming you have read access to the SCH.MDB file, then attempt to make a copy of it. Try copying it to YOUR computer by running Microsoft Word. Once you have started Microsoft Word try to open the file. Microsoft Word, if you're lucky, will give you the option of opening the file after making a copy of the file to cache memory. The file should be a minimum of 37 megabytes in size so loading it into Word might take a while (plan your schedule accordingly). Once the file is open save it as TEXT ONLY to somewhere on the hard drive and you should have an intact copy of the SCH.MDB file. You can then run the all-access.exe program on it.
Assuming you can get to the SCH.MDB file, then you should now be able to open the file in Microsoft Access because you know the password. The next level of security within the database file is usernames and passwords. I do not yet know of a method to acquire usernames and passwords within the SCH.MDB file, but as soon as I do, the procedure will be posted here.
It should be noted that the preceding method to acquire passwords will only work on the EASY/AERIES program if it is running with Microsoft Access '97, but it I don't yet know if the utility provided will work with Access 2000 *.MDB files. The EASY/AERIES program runs only with Access 2.0 and Access '97. The utility used to get Access passwords, however, will work on Access '97 and MIGHT work on Access 2000 *.MDB files. I just wanted to clarify that as to avoid confusion.
You should also be aware that I haven't had a chance to test this potential security flaw myself so I am not certain that it will work. This is just something to try if you have the oppurtunity to do so.