Date: Tue, 19 May 2009 17:42:30 -0700
From: Susan Bradley <sbradcpa@...bell.net>
To: MustLive <mustlive@...security.com.ua>
Cc: bugtraq@...urityfocus.com
Subject: Re: Insufficient Authentication vulnerability in Acer notebooks

Microsoft agrees with you, which is why they disable the admin account by default in Vista.

MustLive wrote:
> Hello!
>
> Just came to securityfocus.com and found that there are some answers
> on my post about the Insufficient Authentication vulnerability in Acer
> notebooks.
>
>> Is not that a simple design decision? (truly brain-dead, but a
>> conscious decision).
>
> David, it's a very bad design decision. As for Microsoft (if we will be
> claiming that it's a hole in Windows XP), as for Acer (because they use
> their own program for the first OS initialization process, so it's
> definitely a vulnerability in Acer).
>
> And also for Asus - recently I wrote to bugtraq about a similar
> vulnerability in an Asus notebook.
>
>> That is a standard issue with Windows XP.
>
> Dave, this is not a standard issue for all versions of Windows XP. It can
> only be an issue of XP Home Edition (because I found such cases only in
> XP HE), but I'm investigating it now to be completely sure of it.
>
> In all Windows XP (in all versions with which I worked from 2001),
> after installation the default Administrator account's password was
> always set equal to the first admin's password.
>
> I used a lot of different Windows XP (XP Professional and also XP Home
> on my two notebooks). And in all versions from original (Gold) to SP1 and SP2
> (didn't work with XP installations with SP3) it was the same behavior
> (except these two notebooks with XP Home). So the normal behavior for
> Windows XP is to set the default admin's password equal to the first admin's
> password.
>
>> With any installation of it you have to boot in safe mode and
>> manually set a password on the hidden admin account.
>
> In XP Professional the default admin account is not hidden, only in XP
> Home Edition. And the default admin password can be changed not only in
> safe mode, but in normal mode from any admin account (in both XP
> Professional and XP HE). In particular it can be done in the command prompt
> with the "net" command.
>
>> Try the "net user password ..." command (from the CMD prompt).
>> That'll save you from having to do it in safe mode.
>
> Garrett, you mean the next command:
>
> net user Administrator password
>
> ;-)
>
> If in XP Professional you can use the GUI or the command prompt to change
> the default admin's password, then in XP HE you can only use the command
> prompt (due to Windows XP HE limitations).
>
> P.S.
>
> People, I'm not subscribed to bugtraq, so if you want to answer me,
> then write directly to my email.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
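The fix the thread converges on, written out as an added example that is not part of the original message: a small Windows batch script that first shows the built-in Administrator account's state and then sets a distinct password on it with the "net user" command MustLive refers to. It assumes it is run from a command prompt under an account in the local Administrators group and uses only the stock "net user" and "findstr" commands; "Account active" and "Password last set" are the field labels "net user" prints for an account.

```batch
@echo off
REM Added example, not from the original thread: audit and harden the
REM built-in Administrator account on a Windows XP machine.
REM Assumption: this runs from a command prompt opened by a member of the
REM local Administrators group.

REM 1. Show whether the built-in Administrator account is enabled and when
REM    its password was last changed. A "Password last set" date equal to
REM    the first-boot setup date suggests it still carries the password the
REM    OEM initialization assigned.
echo Built-in Administrator account status:
net user Administrator | findstr /C:"Account active" /C:"Password last set"

REM 2. Set a new, distinct password on the account. The "*" makes net user
REM    prompt for the password (twice, for confirmation) instead of taking
REM    it on the command line, so it does not end up in the console history.
echo.
echo Enter a new password for the built-in Administrator account.
net user Administrator *
if errorlevel 1 (
    echo Password change failed; re-run from an administrative command prompt.
    exit /b 1
)

REM 3. Confirm the change by showing the updated "Password last set" field.
net user Administrator | findstr /C:"Password last set"
```

Prompting with "*" is preferable to MustLive's inline "net user Administrator password" form for exactly the reason given in the comment. On XP Professional the account can additionally be disabled with "net user Administrator /active:no", which is the default state Susan Bradley mentions for Vista; on XP Home the thread notes the account can only be managed from the command prompt, not the GUI, so the password change above is the practical fix there.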