<<< Date Index >>>     <<< Thread Index >>>

Re: Insufficient Authentication vulnerability in Acer notebooks



Try the "net user password ..." command (from the CMD prompt). That'll save you from having to do it in safe mode.



----- Original Message ----- From: <dpo5003@xxxxxxxxx>
To: <bugtraq@xxxxxxxxxxxxxxxxx>
Sent: Monday, May 11, 2009 10:14 PM
Subject: Re: Insufficient Authentication vulnerability in Acer notebooks


That is I standard issue with Windows XP. With any installation of it you have to boot in safe mode and manually set a password on the hidden admin account.

-Dave Ortiz

Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: David Sánchez Martín <dsanchez@xxxxxxxx>

Date: Mon, 11 May 2009 15:55:04
To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: RE: Insufficient Authentication vulnerability in Acer notebooks


hi folk,

   Is not that a simple design decission? (truly brain-dead, but a
conscious decission).




-----Mensaje original-----
De: MustLive [mailto:mustlive@xxxxxxxxxxxxxxxxxx]
Enviado el: domingo, 10 de mayo de 2009 15:23
Para: bugtraq@xxxxxxxxxxxxxxxxx
Asunto: Insufficient Authentication vulnerability in Acer notebooks

Hello SecurityFocus!

I want to warn you about vulnerability in Acer notebooks.

It's Insufficient Authentication vulnerability. Which I found
28.04.2009 in
two my notebooks. At these notebooks Windows XP Home Rus is
using, in case
of other OS the vulnerability can be also present.

In Windows XP Home in default administrator's account
“Administrator” there
is empty password. And it does not set equal to password of
first admin,
when admin account is creating during first start of notebook
(as it happens
during installation of Windows XP). So with physical access
to notebook,
anybody can enter into the system with administrator's rights.

Vulnerable models of notebooks: Acer TravelMate 2313LC, Acer
TravelMate
2413LC and potentially other models.

I mentioned about these vulnerability at my site
(http://websecurity.com.ua/3127/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua