Date: Tue, 19 May 2009 17:42:30 -0700
From: Susan Bradley <sbradcpa@...bell.net>
To: MustLive <mustlive@...security.com.ua>
Cc: bugtraq@...urityfocus.com
Subject: Re: Insufficient Authentication vulnerability in Acer notebooks

Microsoft agrees with you, which is why they disable the admin account by 
default in Vista.

MustLive wrote:
> Hello!
>
> Just came to securityfocus.com and found that there are some answers 
> on my post about Insufficient Authentication vulnerability in Acer 
> notebooks.
>
>> Is not that a simple design decision? (truly brain-dead, but a 
>> conscious decision).
>
> David, it's a very bad design decision. As for Microsoft (if we are 
> claiming that it's a hole in Windows XP), and as for Acer (because they 
> use their own program for the first OS initialization process, so it's 
> definitely a vulnerability in Acer).
>
> And also for Asus: recently I wrote to bugtraq about a similar 
> vulnerability in an Asus notebook.
>
>> That is a standard issue with Windows XP.
>
> Dave, this is not a standard issue for all versions of Windows XP. It 
> can only be an issue of XP Home Edition (because I found such cases 
> only in XP HE), but I'm investigating it now to be completely sure of it.
>
> In all Windows XP versions (all the versions I have worked with since 
> 2001), after installation the default Administrator account's password 
> was always set equal to the first admin's password.
>
> I used a lot of different Windows XP installations (XP Professional and 
> also XP Home on my two notebooks). And in all versions from the original 
> (Gold) to SP1 and SP2 (I didn't work with XP installations with SP3) it 
> was the same behavior (except on these two notebooks with XP Home). So 
> the normal behavior for Windows XP is to set the default admin's 
> password equal to the first admin's password.
>
>> With any installation of it you have to boot in safe mode and 
>> manually set a password on the hidden admin account.
>
> In XP Professional the default admin account is not hidden, only in XP 
> Home Edition. And the default admin password can be changed not only in 
> safe mode, but also in normal mode from any admin account (in both XP 
> Professional and XP HE). In particular, it can be done in the command 
> prompt with the "net" command.
>
>> Try the "net user password ..." command (from the CMD prompt). 
>> That'll save you from having to do it in safe mode.
>
> Garrett, you mean the following command:
>
> net user Administrator password
>
> ;-)
>
> While in XP Professional you can use the GUI or the command prompt to 
> change the default admin's password, in XP HE you can only use the 
> command prompt (due to Windows XP HE limitations).
>
> P.S.
>
> People, I'm not subscribed to bugtraq, so if you want to answer me, 
> then write directly to my email.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>