| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 14 May 2009 14:07:09 -0400 From: "KF (lists)" <kf_lists@...italmunition.com> To: bugtraq@...urityfocus.com Subject: Re: Insufficient Authentication vulnerability in Asus notebook While we are at it... quite a few Thin Clients based on Windows XPe deply with Administrator / Administrator and User / User as default user / pass combinations. By default User is part of the Administrator group. For an Aded bonus there is a VNC password of Wyse or viewonly with the default VNC service. -KF On May 14, 2009, at 10:16 AM, Susan Bradley wrote: > I don't mean to be rude but you do realize that all XP OEMs ship in > this manner? So rather than asking everyone to help you > investigate, just list all OEM vendors that still ship XP builds and > it might be more efficient for you. > > Which is why in Vista and Windows 7 as you set up the OEM build it > strongly suggests you set up a password. > > With all due respect this is > > 1. Not new > 2. Physical access trumps all > 3. For XPs it's kinda handy to have a blank admin password when you > sometimes come in on a network and need to get to that particular > machine and you didn't set it up, otherwise you have to use the > Admin password boot disk trick and reset the password to blank. > > There's an easy fix for this. Wait a few months for Asus to ship > systems with Windows 7. > > Otherwise this is very much not anything different then when someone > else years and years ago said that IBM laptops or Dell computers > were shipped in this manner and a basic law of computer security. > Show me a OEM build of a XP and this is how they ship. With all due > respect, if you want me to click on your web site, how about coming > up with a "vulnerability" that wasn't discussed on this very list in > 2004? http://marc.info/?l=vulndiscuss&m=109568970316652&w=2 > > I think we can come up with different vulnerabilities in five > years. :-) > > MustLive wrote: >> Hello SecurityFocus! >> >> I want to warn you about Insufficient Authentication vulnerability >> in Asus notebook. >> >> After publication of information about Insufficient Authentication >> vulnerability in Acer notebooks (http://www.securityfocus.com/archive/1/503398/30/0/ >> ), I decided to investigate all notebooks of my friends. >> Particularly I checked two Asus notebooks: at one with Windows XP >> Professional there is no such vulnerability, at another with >> Windows XP Home Edition there is such vulnerability. >> >> In Windows XP Home in default administrator's account >> “Administrator” there >> is empty password. And it does not set equal to password of first >> admin, >> when admin account is creating during first start of notebook (as >> it happens >> during installation of Windows XP). So with physical access to >> notebook, >> anybody can enter into the system with administrator's rights. >> >> Vulnerable models of notebooks: Asus А6500R and potentially other >> models. >> >> I mentioned about these vulnerability at my site (http://websecurity.com.ua/3139/ >> ). >> >> Now I'm continue to investigate this situation. If you'll find such >> case in your notebook or in desktop PC, then inform me on email. >> >> Best wishes & regards, >> MustLive >> Administrator of Websecurity web site >> http://websecurity.com.ua >>
Powered by blists - more mailing lists