Re: Insufficient Authentication vulnerability in Asus notebook

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Insufficient Authentication vulnerability in Asus notebook
From: Michael Scheidell <scheidell@xxxxxxxxxx>
Date: Thu, 14 May 2009 12:25:57 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=secnap.net; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id; s=dkim; t=1242318358; x=1244132758; bh=qsy1TFaQUEVjplGEQMMwisJdUjP/COI4 aFcYMubls0M=; b=bnmvqqK98z7qNpmiRhho09wkTxtcixNQ7BbB8EHT/Hwk1OmI fvFCEMkeJ2Lf7ervxLIhMPB+d54S1fqUD2Mtpo9lZM/o545Qwf3tHmBetxhWPfrR gfLqzLl3BKd9y6eznokNIg+Ds8YtJQRktIJr9ZU0yZcnUp1x4jJfUxaCI2I=
In-reply-to: <4A0C27DA.1000207@xxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <008001c9d497$55238070$010000c0@ml> <4A0C27DA.1000207@xxxxxxxxxxx>
User-agent: Thunderbird 2.0.0.21 (Macintosh/20090302)



Susan Bradley wrote:

I don't mean to be rude but you do realize that all XP OEMs ship inthis manner? So rather than asking everyone to help you investigate,just list all OEM vendors that still ship XP builds and it might bemore efficient for you.
Otherwise this is very much not anything different then when someoneelse years and years ago said that IBM laptops or Dell computers wereshipped in this manner and a basic law of computer security.

im the years and years ago..  maybe.

Dell's response was to ask me for my serial number.
IBM fixed it.

my biggest compliant was that XP pro (non OEM) asked you to set apassword. XP pro (OEM) didn't.In fact, if you were smart enough to figure out how to set the localadmin password, it would in fact warn you NOT to, telling you that ifyou did you were likely to lose data.



www.secnap.com/press-room/first-alerts/ibm-windows-xp.html
www.secnap.com/press-room/first-alerts/vulnerability-in-dell-oem-xp-install.html


but, as you said, most XP OEM's do ship this way, for whatever reason.

network access to them is restricted, as you said, and once you do getphysical access, password or not, the guy trying to install a keystrokelogger when you are on a biobreak just needs a linux password reset bootdisk.

Its easy enough to fix (IBM did it) but seems IBM was the only companythat saw this very easy fix something they wanted to do.

(its a flag in the sysinstall ini files.. its just a flag that needs tobe set)



--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
> *| *SECNAP Network Security Corporation

   * Certified SNORT Integrator
   * 2008-9 Hot Company Award Winner, World Executive Alliance
   * Five-Star Partner Program 2009, VARBusiness
   * Best Anti-Spam Product 2008, Network Products Guide
   * King of Spam Filters, SC Magazine 2008

_________________________________________________________________________

This email has been scanned and certified safe by SpammerTrap(r).For Information please see http://www.secnap.com/products/spammertrap/

_________________________________________________________________________

References:
- Insufficient Authentication vulnerability in Asus notebook
  - From: MustLive
- Re: Insufficient Authentication vulnerability in Asus notebook
  - From: Susan Bradley

Prev by Date: Re: Insufficient Authentication vulnerability in Asus notebook
Next by Date: MULTIPLE CODE INJECTION VULNERABILITIES --TUENTI--SPAIN-->
Previous by thread: Re: Insufficient Authentication vulnerability in Asus notebook
Next by thread: Re: Insufficient Authentication vulnerability in Asus notebook
Index(es):
- Date
- Thread