Dear bugtraq@securityfocus.com,

A few issues have been reported in Russian to the bugtraq@security.nnov.ru list during the last months. These issues have no relation to the SECURITY.NNOV team. Please contact the authors directly if you have any questions.

1. Eraser <er4s3r at mail.ru> reports vulnerabilities in Aquonics File Manager (directory traversal, privilege escalation)

   There are 2 bugs:

   1.1 Directory traversal in source.php

       www.vulnerable.url/filemanager/source.php?../../../../etc/passwd

       shows the content of /etc/passwd.

   1.2 Privilege escalation

       A user with the privilege to edit files can change the userlist.cgi file. userlist.cgi contains MD5 hashes of passwords. This makes it possible for a user without admin privileges to manipulate user accounts.

   Tested on: www.aquonics.com Aquonics File Manager 1.5

2. L0rda // BlackSun <gl at rhhz.ru> reports authentication bypass in PalmOS 4.x

   If "Auto lock handheld on power off" is enabled, a user can bypass authentication after reboot.

   Tested on:
   PalmOS 4.0 (Sony clie 320)
   PalmOS 4.1 (Palm m130)

3. XYZ <xyz_miem at mail.ru> reports weakness in Windows 2000 Server terminal services

   If the terminal services client window is minimized, the console will not be locked by the screensaver.

   Tested on: Microsoft Windows 2000 Server

4. SereGa <sergio1902 at mail.ru> reports password recovery problem in AccessDenied screensaver

   The password hash is stored in the OLD field of %SYSTEMROOT%\access.ini. The hashing algorithm XORs the password byte-by-byte with a pseudo-random sequence with feedback, using an 8-bit PRG state. Because the PRG state is too short and the initial state is known, it is easy to brute-force the password byte-by-byte.

   Tested software: www.uinc.ru AccessDenied ScreenSaver v1.3

-- 
http://www.security.nnov.ru
         /\_/\
        { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   }
+-------------o66o--+ /
                    |/
You know my name - look up my number (The Beatles)
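Added example for item 4, not part of the original message and not AccessDenied's code: it shows why a byte-wise XOR with an 8-bit fed-back state is a reversible encoding rather than a hash, next to a salted one-way replacement. The generator update, the initial state 0x5A and the sample password are constructed assumptions, since the report does not give the real generator.

```python
import hashlib
import hmac
import os

INITIAL_STATE = 0x5A  # constructed value; the report only says the initial state is known


def weak_encode(password: bytes) -> bytes:
    """Hypothetical stand-in: XOR each byte with an 8-bit state that is fed back."""
    state, out = INITIAL_STATE, bytearray()
    for p in password:
        c = p ^ state
        out.append(c)
        state = (state * 5 + c + 1) & 0xFF  # feedback: next state depends on output byte
    return bytes(out)


def recover_bytewise(stored: bytes):
    """Byte i of the output depends only on bytes 0..i of the input, so each
    position can be settled on its own: at most 256 trials per byte."""
    known, trials = b"", 0
    for i in range(len(stored)):
        for guess in range(256):
            trials += 1
            if weak_encode(known + bytes([guess]))[: i + 1] == stored[: i + 1]:
                known += bytes([guess])
                break
    return known, trials


def strong_hash(password: bytes, salt: bytes = b"", rounds: int = 200_000):
    """Replacement: salted, iterated one-way hash (PBKDF2-HMAC-SHA256)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, rounds)


def strong_verify(password: bytes, salt: bytes, digest: bytes, rounds: int = 200_000) -> bool:
    _, candidate = strong_hash(password, salt, rounds)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored = weak_encode(b"s3cret!")  # constructed sample password
    print(recover_bytewise(stored))   # linear work: <= 256 * len(stored) trials
    salt, digest = strong_hash(b"s3cret!")
    print(strong_verify(b"s3cret!", salt, digest))
```

The recovery cost grows linearly with password length (256 trials per byte) instead of exponentially, which is the weakness the report describes; the PBKDF2 form has no per-byte structure to exploit.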