art@MITRE.ARPA (Art McClinton) (12/02/86)
Several user sessions were held at the S.F. DECUS discussing the methods that could be used to back up MicroVAX computers and other small VMS machines over DECnet. At the most recent Washington Area VAX LUG meeting, it came to my attention that a potential security hole exists if one is to misuse this scheme. If one issues the following command:

    $ BACKUP/... *.* nodename[user password]::...

BACKUP will create the save set on the node specified. However, it will also include in the save set header the full saveset name. THIS WILL INCLUDE THE NODENAME, ACCOUNT NAME, AND >>PASSWORD<<. Thus any user can do a BACKUP/LIS saveset and get the password and account.

The simple workaround is to use proxy logins to send the backup save sets.

One more note: remember that the password is available to any user who translates SYS$NET. Thus any network object can be a trojan horse and collect passwords of the various users who run them across the network.

* ---Art
*
* Arthur T. McClinton Jr.        ARPA: ART@MITRE.ARPA
* Mitre Corporation MS-Z305      Phone: 703-883-6356
* 7525 Colshire Drive            Internal Mitre: ART@MWVMS or M10319@MWVM
* McLean, Va. 22102              DECUS DCS: MCCLINTON
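The DCL session below is an added illustration of the workaround described in the post, not commands taken from the post itself. It puts the weak form (an explicit access-control string in the output file specification, which BACKUP records in the save-set header) beside the proxy-based form, shows the one-time AUTHORIZE proxy entry the remote node needs, and ends with the check that the recorded save-set name no longer carries credentials. Node names (LOCNODE, REMNODE), the username SMITH, the password, and the device and directory names are placeholders.

```dcl
$ ! Added example; node, user, device and directory names are placeholders.
$ !
$ ! Weak form: the access-control string node"user password":: is part of
$ ! the output file specification, and BACKUP writes that full
$ ! specification into the save-set header.  Anyone who can read the
$ ! save set can read the credentials back out of it.
$ BACKUP/LOG DUA0:[USERS...]*.*;* REMNODE"SMITH secretpw"::DUA1:[BACKUPS]USERS.BCK/SAVE_SET
$ !
$ ! Corrected form: no access-control string at all.  The remote node
$ ! authenticates the incoming LOCNODE::SMITH request through its proxy
$ ! database, so nothing secret appears in the save-set name.
$ BACKUP/LOG DUA0:[USERS...]*.*;* REMNODE::DUA1:[BACKUPS]USERS.BCK/SAVE_SET
$ !
$ ! One-time setup on REMNODE, from a suitably privileged account:
$ ! map remote user LOCNODE::SMITH to the local SMITH account by default.
$ RUN SYS$SYSTEM:AUTHORIZE
UAF> ADD/PROXY LOCNODE::SMITH SMITH/DEFAULT
UAF> SHOW/PROXY LOCNODE::SMITH
UAF> EXIT
$ !
$ ! Check: the save-set name recorded in the header should now be the
$ ! bare REMNODE::DUA1:[BACKUPS]USERS.BCK specification, with no
$ ! username or password embedded in it.
$ BACKUP/LIST REMNODE::DUA1:[BACKUPS]USERS.BCK/SAVE_SET
```

The proxy entry is the whole point: with it in place, the local node never has to supply a password over the link, so there is nothing for BACKUP to copy into the header and nothing for a network object that translates SYS$NET to harvest.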