bugtraq@security.nnov.ru list issues [2]

Date: 08/21/02

Date: Wed, 21 Aug 2002 16:50:25 +0400
To: bugtraq@securityfocus.com

Dear bugtraq@securityfocus.com,

  A few issues have been reported to the bugtraq@security.nnov.ru list in
  Russian over the last months.

  These issues have no relation to the SECURITY.NNOV team.
  Please contact the authors directly if you have any questions.

1. Eraser <er4s3r at mail.ru> reports vulnerabilities in Aquonics File
Manager (directory traversal, privilege escalation)

There are 2 bugs:

1.1 Directory traversal in source.php


shows /etc/passwd content

1.2 Privilege escalation

A user with the privilege to edit files can change the userlist.cgi file.
userlist.cgi contains MD5 hashes of passwords. This makes it possible for
a user without admin privileges to manipulate user accounts.

Tested on www.aquonics.com Aquonics File Manager 1.5

2. L0rda // BlackSun <gl at rhhz.ru> reports authentication bypass in
PalmOS 4.x

If "Auto lock handheld on power off" is enabled, a user can bypass
authentication after reboot.

Tested on
PalmOS 4.0 (Sony clie 320)
PalmOS 4.1 (Palm m130)

3. XYZ <xyz_miem at mail.ru> reports weakness in Windows 2000 Server
terminal services.

If the terminal services client window is minimized, the console will not
be locked by the screensaver.

Tested on Microsoft Windows 2000 Server

4. SereGa <sergio1902 at mail.ru> reports password recovery problem in
AccessDenied screensaver.

The password hash is stored in the OLD field of %SYSTEMROOT%\access.ini.
The hashing algorithm XORs the password byte-by-byte with a pseudo-random
sequence with feedback, using an 8-bit PRG state. Because the PRG state is
too short and the initial state is known, it is easy to brute-force the
password byte-by-byte.

Tested software: www.uinc.ru AccessDenied ScreenSaver v1.3


        { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   }
+-------------o66o--+ /
You know my name - look up my number (The Beatles)
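
The weakness described in item 4, as an added example that is not part of the original post and is not the AccessDenied algorithm (the post does not give it). A constructed 8-bit feedback generator with a known seed (`INITIAL_STATE` and `step` are assumptions) shows why each stored byte can be checked on its own, next to a salted PBKDF2 record where no single position can be tested in isolation.

```python
import hashlib
import hmac
import os

INITIAL_STATE = 0x5A  # assumption: fixed, publicly known 8-bit seed


def step(state, fed_back):
    """Hypothetical 8-bit generator step; the feedback is the last output byte."""
    return (state * 37 + fed_back + 11) & 0xFF


def toy_obfuscate(password):
    """Weak form: XOR each byte with the 8-bit state, then feed the result back."""
    state, out = INITIAL_STATE, bytearray()
    for b in password:
        c = b ^ state
        out.append(c)
        state = step(state, c)
    return bytes(out)


def recover_bytewise(stored):
    """Test each position independently; returns (password, guesses made)."""
    state, found, guesses = INITIAL_STATE, bytearray(), 0
    for c in stored:
        for candidate in range(256):      # at most 256 tries per position
            guesses += 1
            if candidate ^ state == c:
                found.append(candidate)
                break
        state = step(state, c)            # next state depends only on known data
    return bytes(found), guesses


def kdf_record(password, salt=None):
    """Corrected form: random salt plus a slow one-way KDF over the whole password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, 200_000)


def kdf_verify(password, salt, digest):
    """Constant-time comparison against the stored digest."""
    return hmac.compare_digest(kdf_record(password, salt)[1], digest)


if __name__ == "__main__":
    stored = toy_obfuscate(b"S3cret!pw")  # constructed sample value
    pw, n = recover_bytewise(stored)
    print(pw, n, "guesses; whole-value search space:", 256 ** len(stored))
```

The guess count grows linearly with password length (at most 256 per byte) instead of exponentially, which is the property the report attributes to the short, known generator state.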