| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 20 Sep 2004 08:53:03 -0500 From: "Larry Mitchell" <lists@...sd.com> To: <mwwilson@...o.hpc.mil>, "Chris Norton" <kicktd_list@...mail.com>, "Michael Scheidell" <scheidell@...nap.net>, <bugtraq@...urityfocus.com>, <vulnwatch@...nwatch.org>, <full-disclosure@...ts.netsys.com> Cc: <vuln@...urity-corporation.com>, <security-alert@...tin.ibm.com>, <cert@...ibm.com> Subject: Re: Vulnerability in IBM Windows XP: default hidden Administrator account allows local Administrator access Michael, Windows XP home edition hides the administrator account and disables access to it entirely even from a manual login unless you are in safe mode. This seems to be the most likely explaination of this "hidden" admin account. Regards, Larry ----- Original Message ----- From: "Michael Wilson, Contractor" <mwwilson@...o.hpc.mil> To: "Chris Norton" <kicktd_list@...mail.com>; "Michael Scheidell" <scheidell@...nap.net>; <bugtraq@...urityfocus.com>; <vulnwatch@...nwatch.org>; <full-disclosure@...ts.netsys.com> Cc: <vuln@...urity-corporation.com>; <security-alert@...tin.ibm.com>; <cert@...ibm.com> Sent: Friday, September 17, 2004 3:08 PM Subject: RE: Vulnerability in IBM Windows XP: default hidden Administrator account allows local Administrator access > Negative. > > In previous versions of Windows (NT core), the install would allow you to > simply strike <enter> at the appropriate time, when being queried for an > administrator password, and voila -> the administrative password would be > blank. > > Windows XP manual install will ask if you are sure, while warning of the > implications, and if you insist it disallows network access to the > administrator account to limit WAN or LAN hacking. I was working IA at a > major university when this, administrator account logins checking for blank > or the password "password", became quite a problem. The response would > often be, "I forgot to reset after the install!" I pushed a domain policy > denying access to the local administrator password from the network, > regardless of what the password was. > > Windows has instituted the same by default, thereby limiting this exploit to > a console login, if the password hash = blank hash. > > It is most likely the Vendor Install Customization that has caused this > issue, as true enough, most vendor installs force you to pick an > administrator password before using the system. If the account is hidden, > then it is definitely IBM's doing as I have never seen a Windows install > where the administrator account could not be seen under the accounts tab. > > Thank you, > > Michael Wilson CISSP (Contractor) > Lockheed Martin Space Operations > Computer Security Specialist > NAVO-MSRC > mwwilson@...o.hpc.mil > 228-688-4393 > > > > -----Original Message----- > From: Chris Norton [mailto:kicktd_list@...mail.com] > Sent: Friday, September 17, 2004 10:59 AM > To: Michael Scheidell; bugtraq@...urityfocus.com; > vulnwatch@...nwatch.org; full-disclosure@...ts.netsys.com > Cc: vuln@...urity-corporation.com; security-alert@...tin.ibm.com; > cert@...ibm.com > Subject: Re: Vulnerability in IBM Windows XP: default hidden > Administrator account allows local Administrator access > > > This "hidden" Administrator account is part of Windows XP and NOT IBM's > porblem. > Every Windows XP system ships and installs with the Administrator and blank > password. > This "hidden" account has been known about for some time, just like Windows > 2000 > Administrator account is the same way. There are ways to disable or change > the > Administrator name and password or to disable the account completely. > -- > Chris Norton > UAT Student Software Engineering Network Defense > > > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists