Date: Fri, 15 May 2009 01:02:18 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <bugtraq@...urityfocus.com>
Subject: Re: Insufficient Authentication vulnerability in Acer notebooks

Hello!

Just came to securityfocus.com and found that there are some answers on my 
post about Insufficient Authentication vulnerability in Acer notebooks.

> Is not that a simple design decision? (truly brain-dead, but a conscious 
> decision).

David, it's a very bad design decision. As for Microsoft (if we will be 
claiming that it's a hole in Windows XP), as for Acer (because they use their 
own program for the first OS initialization process, so it's definitely a 
vulnerability in Acer).

And also for Asus - recently I wrote to bugtraq about a similar vulnerability 
in an Asus notebook.

> That is a standard issue with Windows XP.

Dave, this is not a standard issue for all versions of Windows XP. It can only 
be an issue of XP Home Edition (because I found such cases only in XP HE), but 
I'm investigating it now to be completely sure of it.

In all Windows XP versions (all versions I have worked with since 2001), after 
installation the default Administrator account's password was always set 
equal to the first admin's password.

I used a lot of different Windows XP installations (XP Professional and also XP
Home on my two notebooks). And in all versions from the original (Gold) to SP1
and SP2 (I didn't work with XP installations with SP3) it was the same behavior
(except these two notebooks with XP Home). So the normal behavior for Windows XP
is to set the default admin's password equal to the first admin's password.

> With any installation of it you have to boot in safe mode and manually set 
> a password on the hidden admin account.

In XP Professional the default admin account is not hidden, only in XP Home 
Edition. And the default admin password can be changed not only in safe mode, 
but in normal mode from any admin account (in both XP Professional and XP 
HE). In particular it can be done in the command prompt with the "net" command.

> Try the "net user password ..." command (from the CMD prompt). That'll 
> save you from having to do it in safe mode.

Garrett, you mean the following command:

net user Administrator password

;-)

If in XP Professional you can use the GUI or the command prompt to change the 
default admin's password, then in XP HE you can only use the command prompt 
(due to Windows XP HE limitations).

P.S.

People, I'm not subscribed to bugtraq, so if you want to answer me, then 
write directly to my email.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 
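Added example, not part of MustLive's post or of anything else in this thread: a PowerShell script that audits the built-in Administrator account discussed above. It finds the account by its well-known RID 500 rather than by name (so it works even when the account is renamed or hidden from the logon screen, as in XP Home), reports its state, and, only with the assumed -SetPassword switch, sets a password on it the same way the "net user Administrator ..." command does. It uses WMI and the WinNT ADSI provider, which are available on XP with PowerShell 2.0 as well as on later Windows.

```powershell
# Added example (not from the original thread). Audit the built-in Administrator
# account by RID 500 and optionally set a password on it. The -SetPassword switch
# is an assumption of this example; without it the script only reports.
param(
    [switch]$SetPassword
)

# The built-in Administrator always carries a SID ending in -500, whatever its
# current name and whether or not it is shown on the welcome screen.
$builtin = Get-WmiObject -Class Win32_UserAccount `
    -Filter "LocalAccount=True AND SID LIKE '%-500'"
if (-not $builtin) {
    Write-Error "Built-in Administrator (RID 500) not found on this machine"
    exit 1
}

"Name:             $($builtin.Name)"
"SID:              $($builtin.SID)"
"Disabled:         $($builtin.Disabled)"
"PasswordRequired: $($builtin.PasswordRequired)"   # False means UF_PASSWD_NOTREQD is set
"Lockout:          $($builtin.Lockout)"

# The WinNT provider exposes PasswordAge in seconds since the password was last
# set; an age that equals the age of the installation suggests it was never
# changed after setup, which is the situation the thread describes.
$adsi = [ADSI]"WinNT://./$($builtin.Name),user"
$ageDays = [math]::Round($adsi.PasswordAge.Value / 86400, 1)
"PasswordAge:      $ageDays days"

if ($SetPassword) {
    # Prompt rather than taking the password on the command line, so it does
    # not land in the shell history or the process command line.
    $secure = Read-Host -AsSecureString "New password for $($builtin.Name)"
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        $adsi.SetPassword($plain)   # equivalent of: net user <Name> <password>
        $adsi.SetInfo()
        "Password set on $($builtin.Name)."
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}
```

Run it from an elevated (or, on XP, any administrator's) normal-mode session; no safe-mode boot is needed, which is the point made in the reply above.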
