Bugtraq mailing list archives

bugtraq () security nnov ru list issues [2]


From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Wed, 21 Aug 2002 16:50:25 +0400

Dear bugtraq () securityfocus com,

  There are a few issues reported to the bugtraq () security nnov ru list
  in Russian during the last months.

  These issues have no relation to the SECURITY.NNOV team.
  Please contact the authors directly if you have any questions.
  
1.  Eraser  <er4s3r at mail.ru> reports vulnerabilities in Aquonics File
Manager (directory traversal, privilege escalation)

There are 2 bugs:

1.1 Directory traversal in source.php

www.vulnerable.url/filemanager/source.php?../../../../etc/passwd

shows /etc/passwd content

1.2 Privilege escalation

A user with the privilege to edit files can change the userlist.cgi file.
userlist.cgi contains MD5 hashes of passwords. This makes it possible for
a user without admin privileges to manipulate user accounts.

Tested on www.aquonics.com Aquonics File Manager 1.5

2.  L0rda  //  BlackSun <gl at rhhz.ru> reports authentication bypass in
PalmOS 4.x

If "Auto lock handheld on power off" is enabled, the user can bypass
authentication after reboot.

Tested on
PalmOS 4.0 (Sony clie 320)
PalmOS 4.1 (Palm m130)

3.  XYZ  <xyz_miem  at  mail.ru> reports weakness in Windows 2000 Server
terminal services.

If the terminal services client window is minimized, the console will not
be locked by the screensaver.

Tested on Microsoft Windows 2000 Server

4.  SereGa  <sergio1902 at mail.ru> reports password recovery problem in
AccessDenied screensaver.

The password hash is stored in the OLD field of %SYSTEMROOT%\access.ini.
The hashing algorithm XORs the password byte-by-byte with a pseudo-random
sequence with feedback, using an 8-bit PRG state. Because the PRG state is
too short and the initial state is known, it is easy to brute-force the
password byte-by-byte.

Tested software: www.uinc.ru AccessDenied ScreenSaver v1.3
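As an added illustration (not part of the report, and not AccessDenied's real function, which the post does not give), the block below models a hypothetical 8-bit feedback generator of the kind described: it shows why such a transform is reversible (256 seeds at most, and each recovered byte supplies the next feedback value), so it is an encryption with a fixed key rather than a hash, and what a password store should keep instead.

```python
import hashlib
import hmac
import os

# Hypothetical keystream function (assumption): only the 8-bit state matters.
def _keystream_byte(state: int) -> int:
    return (state * 13 + 7) & 0xFF

def weak_hash(password: bytes, seed: int = 0x5A) -> bytes:
    """XOR each password byte with a keystream from an 8-bit state;
    the plaintext byte is fed back into the state (as the report describes)."""
    state, out = seed & 0xFF, bytearray()
    for p in password:
        out.append(p ^ _keystream_byte(state))
        state = (state + p) & 0xFF          # feedback from the password byte
    return bytes(out)

def recover(stored: bytes, seed: int) -> bytes:
    """With a known seed the keystream is simply regenerated; each recovered
    byte is exactly the feedback needed for the next position."""
    state, pw = seed & 0xFF, bytearray()
    for c in stored:
        p = c ^ _keystream_byte(state)
        pw.append(p)
        state = (state + p) & 0xFF
    return bytes(pw)

def recover_candidates(stored: bytes) -> list:
    """Even an unknown seed is only 8 bits: 256 trials cover the whole state
    space. Keep the candidates that decode to printable ASCII."""
    cands = []
    for seed in range(256):
        p = recover(stored, seed)
        if all(0x20 <= b < 0x7F for b in p):
            cands.append(p)
    return cands

def strong_hash(password: bytes, salt: bytes = b"") -> tuple:
    """What a password store should hold instead: a random salt and a
    slow, one-way PBKDF2-HMAC-SHA256 digest (iteration count chosen high)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, 600_000)

def verify(password: bytes, salt: bytes, digest: bytes) -> bool:
    # Constant-time comparison; the digest cannot be inverted to the password.
    return hmac.compare_digest(strong_hash(password, salt)[1], digest)
```

With `weak_hash` the stored value plus the known seed gives the password back directly, and even without the seed the candidate list stays tiny; with `strong_hash` the stored pair is only useful for verification.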

  
-- 
http://www.security.nnov.ru
         /\_/\
        { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   }
+-------------o66o--+ /
                    |/
You know my name - look up my number (The Beatles)
