Message-ID: <21ae1b060602071735m39ad6b80q@mail.gmail.com>
Date: Wed, 8 Feb 2006 09:35:11 +0800
From: Louis Wang <bill.louis@...il.com>
To: vulnwatch@...nwatch.org, ntbugtraq@...ugtraq.com, bugtraq@...urityfocus.com
Subject: Fwd: [Full-disclosure] What can a Remote Vulnerability Scanner do in Future?


Hi there,
   Most vulnerabilities are also remotely exploitable even with
enhanced security configuration and the firewall enabled. For example, an
IE flaw will cause the PC's registry to be modified when the host browses some
malicious website.
   The client-server model is a considerable solution. But our product is
a firmware box; it's not convenient for such a product to convey
client agent software.
   Has anybody done research on how to by Windows XP SP2 security config
to read the Registry? Like on Windows 2000 or Windows XP SP1, where a remote scanner
could get the Registry and file versions with only an administrative
username/password provided?

2006/2/6, Michael Holstein <michael.holstein@...ohio.edu>:
> > But Windows XP with sp2 enhance the security configuration and block
> > these checking way. So we can not do local check on Windows XP sp2
> > except ask customers to do a lot of complex configuration.
>
> Well, with the enhanced security configuration and firewall enabled, the
> vulnerability is no longer "remotely exploitable", is it?
>
> If you want to check for local vulnerabilities, you'll need to run something
> client-side. There's at least a half-dozen ways to do this in a domain
> model (eg: GPO or logon scripts) -- but in a standalone environment,
> you'll need an agent of some type.
>
> Cheers,
>
> Michael Holstein CISSP GCIA
> Cleveland State University

