Date: Thu, 6 Oct 2011 12:35:03 +1100
From: xD 0x41 <secn3t@...il.com>
To: halfdog <me@...fdog.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Strange Lenovo x121e

hrm...
I have known of this structure being applied, usually when a user is a 'newbie',
and it is usually still done by shops or workers at them... and I was
originally thinking, maybe, since I have also got an IBM blade, but I bought it
FROM MS directly and there is nothing on it but emptiness, and this is 2 machines we
bought at once...
IBM x342 PIII 1.4ghz 3U Rack Server - IBM 86695RX
-3U rack, small, but as the MS employee told me, it MUST be completely
shredded, and it now sits on just a cmd prompt, and there are absolutely no files,
even for SCSI, which was my first thought.
I am really wondering what it was used as, like a possible ex test/demo....
but I know 2 people other than me who can attest to this, and they have not
seen these files before, not in their blades from IBM.
I have not used the Lenovo X series, although I can only think of those things
being added if they think you're a noob, in which case it would have been specified
that it came with 'system utils to make it save itself..' or some such other
info.. but I assume that's not the case at all.
Anyhow, I think this box was pre-used, but if it was, only to a minor
degree.. although my blade has NOT a scratch on it and was pre-used too..
hehe.. so I really wonder, what does it take to even scratch an x1 :s
They're thick... and a scratch could be nothing but attests to wear 'n'
tear... so I would be questioning my seller, for sure, and getting some kind
of discount; I'd also show them these files, and even quotes from the FD
list, and I bet you they will come up with some kind of excuse and refund you a bit ;)
This should be wiped on any sale; it should never be more than a cmd
prompt, and then you would fdisk it and format it to use it perfectly. You
should never have 13 gig on a Windows OS, considering those are also used for
Windows ofc, but still the seller should say that "15 gig is taken up for the
system checking/saving/admin files...", but clearly they have tried to
cover something up.
I would expose this one HD. 100%.
You can..
regards,
xd


On 6 October 2011 12:05, halfdog <me@...fdog.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> xD 0x41 wrote:
> > Hrm this one is tricky, but smells so bad of preuse, specially when
> > you said this;
> >
> > * Inside seal on plastic bag also intact, but glue is suboptimal,
> > I opened the bag without damaging the seal
> >
> > That's a clear sign of tampering... that's when they tell you "do not
> > buy" ... so I wonder :s
>
> Yeah, but I've also got trained fingers. And applying stickers on
> completely fresh plastic surfaces can be tricky, especially when
> plastic foil was surface-treated, so that it does not stick to itself
> before being manufactured to plastic bags.
>
> > I know it could ..... Is it perhaps something being left over from
> > some badly warez'd ISO Windows install... which can lie dormant even
> > after a format but not after fdisk usually... strange, I cannot
> > figure this one out. It smells of pre-use, or ex-demo, but I have got
> > 3 IBM NetVista 2-CPU boxes, 1 3.3 gig awesome IBM ThinkCentre, the fastest
> > box I have as in loading/swap access, and an IBM Blade, an IBM laptop, and
> > not one has those files... I even paid for ex-demo on the laptop,
> > and it was installed...
>
> I think I have a good explanation: I looked through the files and
> found quite a mess, even for an MS system. Even c:\ is loaded with
> various nonstandard files. Many of these files are around testing
> (testplan xy, fantest, modemtest, mark3d, ..) and test orchestration
> scripts, one of them setting the clock back to 2010-01-01, so file mod
> dates should be meaningless.
>
> It seems that the machine contains at least 13G of Windows OS and
> testing software. I found some test reports (dated 2010-01-01) that
> contain the hardware tag of the machine. The BIOS seems to be
> 2011-06-21, which is also proof of clock manipulation during testing.
>
> What could be interesting: although I found some tools via Google,
> e.g. rw-everything, a "hardware configuration reader/dumper", there
> are also some tools I do not know that might deal with branding or
> special hardware initialization, e.g.
>
> ./WWAN/Leadcore/BAK/IMEI.TXT
> ./WWAN/Leadcore/IMEI.TXT
>
> with different IMEIs in them. Perhaps the disk contains some new tools
> that allow resetting broken hardware/firmware internals to any state
> you like, e.g. perhaps the IMEI of your modem.
>
>
> > I can only see *no* good reason for .exe to be on the drive after
> > a sale. It should have always been wiped/fdisk'd/shredded, as I know
> > I have had done with the ex-demos I have here, and they are part
> > Lenovo and part IBM and still not one of those files exists on any
> > box, and the laptop which I thought would for sure have something,
> > if any of them did... but nope. I don't know this one, but I will
> > try and ask a friend who works with IBM and see their practices,
> > and try to get his own quotes.
>
> I do not know if all systems have this "testing" image on them or if
> just one device was lost during quality control, but to me it seems
> highly likely that somehow a test-branded disk made it out of the
> Lenovo (or partner) production site.
>
> I've put a file list at
> http://www.halfdog.net/TmpData/sda1-filelist.bz2, so that you can make
> up your own picture, if you want to.
>
> hd
>
> - --
> http://www.halfdog.net/
> PGP: 156A AE98 B91F 0114 FE88  2BD8 C459 9386 feed a bee
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFOjP7UxFmThv7tq+4RAkIEAJ9V+Pk3tr/CifsSpePixMwBvpyxkACgkL7z
> jQK7GokYe5ki5pzRhi/725A=
> =6sCw
> -----END PGP SIGNATURE-----
>


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
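Added example, written for this archive page and not code from either poster: a small triage script that applies the two observations halfdog made to a file listing such as the one he published. It flags paths that match test-tooling indicators named in the thread (IMEI.TXT under WWAN/Leadcore, testplan/fantest/modemtest/mark3d, rw-everything) and modification times that predate the BIOS build date, and it reports the size of the largest single-day mtime cluster, which is what a test script that resets the clock to 2010-01-01 leaves behind. The listing format (ISO date, tab, path), the indicator patterns and the sample listing are assumptions constructed for this example; they are not a vendor-published list and not the real sda1-filelist.

```python
"""Triage a disk file listing for factory-test leftovers.

Added example, not code from the thread. Two checks, both taken from
observations in the thread:
  1. paths that look like OEM test tooling
  2. mtimes earlier than the BIOS build date, which a script that resets
     the clock to 2010-01-01 produces in bulk
The listing format, indicator patterns and sample data are assumptions
made for this example.
"""
import re
from collections import Counter
from datetime import date, datetime

# Indicator patterns assumed from names mentioned in the thread; this is
# not a vendor-published list of test artefacts.
INDICATORS = [
    re.compile(r"(^|/)IMEI\.TXT$", re.IGNORECASE),
    re.compile(r"(^|/)WWAN/", re.IGNORECASE),
    re.compile(r"testplan|fantest|modemtest|mark3d", re.IGNORECASE),
    re.compile(r"rw-?everything", re.IGNORECASE),
]

# BIOS build date reported in the thread. A file written on this machine
# after it was imaged cannot legitimately carry an earlier timestamp.
BIOS_DATE = date(2011, 6, 21)

# Constructed sample listing in the shape find(1) emits with
# -printf '%TY-%Tm-%Td\t%P\n'. Not halfdog's real listing.
SAMPLE = """\
2010-01-01\tWWAN/Leadcore/IMEI.TXT
2010-01-01\tWWAN/Leadcore/BAK/IMEI.TXT
2010-01-01\ttestplan_xy.txt
2010-01-01\tTools/rw-everything/Rw.exe
2011-07-02\tWindows/System32/ntoskrnl.exe
2011-09-30\tUsers/Public/Desktop/readme.txt
not a valid line
"""


def parse_listing(text):
    """Parse 'YYYY-MM-DD<TAB>path' lines into (date, path); skip junk."""
    records = []
    for line in text.splitlines():
        stamp, _, path = line.rstrip("\n").partition("\t")
        if not path:
            continue
        try:
            mtime = datetime.strptime(stamp, "%Y-%m-%d").date()
        except ValueError:
            continue
        records.append((mtime, path))
    return records


def triage(records, bios_date=BIOS_DATE):
    """Return [(path, [reasons])] for every record that deserves a look."""
    findings = []
    for mtime, path in records:
        reasons = []
        if mtime < bios_date:
            reasons.append("mtime %s predates BIOS build %s" % (mtime, bios_date))
        hit = next((p.pattern for p in INDICATORS if p.search(path)), None)
        if hit:
            reasons.append("path matches indicator /%s/" % hit)
        if reasons:
            findings.append((path, reasons))
    return findings


def clock_reset_evidence(records):
    """Most common mtime (ISO string) and its count. A large cluster on a
    single day is the fingerprint of a script that set the clock before
    writing its files."""
    day, n = Counter(m for m, _ in records).most_common(1)[0]
    return day.isoformat(), n


if __name__ == "__main__":
    recs = parse_listing(SAMPLE)
    for path, reasons in triage(recs):
        print(path)
        for reason in reasons:
            print("    " + reason)
    print("largest single-day mtime cluster:", clock_reset_evidence(recs))
```

The timestamp check only catches the crude case the thread describes (a clock deliberately set into the past); anyone who reset the clock to a plausible date would pass it, so treat the indicator matches and the test reports carrying the machine's hardware tag as the stronger evidence, and the mtime cluster as corroboration.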
