Re: Insufficient Authentication vulnerability in Asus notebook

XP Home Windows XPe Susan Bradley Home Edition Thin Clients web site Windows 7 Best wishes computer security boot disk desktop PC Physical access vulnerability notebooks password user Insufficient Authentication shipped Administrator of Websecurity default

While we are at it... quite a few Thin Clients based on Windows XPe  
deply with Administrator / Administrator and User / User as default  
user / pass combinations.  By default User is part of the  
Administrator group. For an Aded bonus there is a VNC password of Wyse  
or viewonly with the default VNC service.

-KF

On May 14, 2009, at 10:16 AM, Susan Bradley wrote:

> I don't mean to be rude but you do realize that all XP OEMs ship in  
> this manner?  So rather than asking everyone to help you  
> investigate, just list all OEM vendors that still ship XP builds and  
> it might be more efficient for you.
>
> Which is why in Vista and Windows 7 as you set up the OEM build it  
> strongly suggests you set up a password.
>
> With all due respect this is
>
> 1.  Not new
> 2.  Physical access trumps all
> 3.  For XPs it's kinda handy to have a blank admin password when you  
> sometimes come in on a network and need to get to that particular  
> machine and you didn't set it up, otherwise you have to use the  
> Admin password boot disk trick and reset the password to blank.
>
> There's an easy fix for this.  Wait a few months for Asus to ship  
> systems with Windows 7.
>
> Otherwise this is very much not anything different then when someone  
> else years and years ago said that IBM laptops or Dell computers  
> were shipped in this manner and a basic law of computer security.
> Show me a OEM build of a XP and this is how they ship.  With all due  
> respect, if you want me to click on your web site, how about coming  
> up with a "vulnerability" that wasn't discussed on this very list in  
> 2004?  http://marc.info/?l=vulndiscuss&m=109568970316652&w=2
>
> I think we can come up with different vulnerabilities in five  
> years.  :-)
>
> MustLive wrote:
>> Hello SecurityFocus!
>>
>> I want to warn you about Insufficient Authentication vulnerability  
>> in Asus notebook.
>>
>> After publication of information about Insufficient Authentication  
>> vulnerability in Acer notebooks (http://www.securityfocus.com/archive/1/503398/30/0/ 
>> ), I decided to investigate all notebooks of my friends.  
>> Particularly I checked two Asus notebooks: at one with Windows XP  
>> Professional there is no such vulnerability, at another with  
>> Windows XP Home Edition there is such vulnerability.
>>
>> In Windows XP Home in default administrator's account  
>> “Administrator” there
>> is empty password. And it does not set equal to password of first  
>> admin,
>> when admin account is creating during first start of notebook (as  
>> it happens
>> during installation of Windows XP). So with physical access to  
>> notebook,
>> anybody can enter into the system with administrator's rights.
>>
>> Vulnerable models of notebooks: Asus А6500R and potentially other  
>> models.
>>
>> I mentioned about these vulnerability at my site (http://websecurity.com.ua/3139/ 
>> ).
>>
>> Now I'm continue to investigate this situation. If you'll find such  
>> case in your notebook or in desktop PC, then inform me on email.
>>
>> Best wishes & regards,
>> MustLive
>> Administrator of Websecurity web site
>> http://websecurity.com.ua
>>