RE: Symantec LiveUpdate

["Peter Miller" <pcmiller61 () yahoo com>]

Hi All,

It has been a while since I played with this so I may have my facts wrong.

1. When you install Ghost it creates the account automatically using the
format GHOST_MACHINE for the account name.

2. The password it uses for the account is the same as the account name i.e.
GHOST_MACHINE. What this means is that you do not have to have access to the
registry to know what the passord is as long as you know what the machine
name is.

3. The account does not belong to any local user group and so can't be used
to log on locally to the box. I don't know what network access privilages
you can get from this account.

It would seem that the problem is more a default installation problem rather
than having the password in plain text in the registry. If you manually
change the password on the account to a more secure password and update the
entry in the registry things should be more secure.

My feeling is that it does not matter what rights the account has on the
box, just having a known account with known password is a security risk as
it makes you more vulnerable to a rights escalation exploit.

Regards
Peter

> -----Original Message-----
> From: saabstory () yahoo com [mailto:saabstory () yahoo com]
> Sent: 27 February 2002 03:13
> To: bugtraq () securityfocus com
> Subject: Re: Symantec LiveUpdate
>
>
>
> In-Reply-To: <LPBBLOPHKCDACODGKEFJIEGLDDAA.pcmiller61 () yahoo com>
>
> You are right about the Ghost keys being stored as
> clear text. What you might not realize is that the
> rights to the key require Administrator privileges.
>
> Try navigating to the key logged in as someone other
> than Administrator. You can't get there.