news@zgdvda.UUCP (USENET News System) (04/12/89)
On Ultrix-32 3.0, unlike login(1) or su(1), dxsession(1) has a long life and keeps a user's plain-text password in its stack area. Unfortunately, the password will not be destroyed after authentication, even the user has logged out. Since the /dev/mem file is readable by everybody on Ultrix (sigh!), the password could be got by scanning the /dev/mem file for some specific string patterns. I don't know if DECwindows on VMS has the same problem. However, by looking up the source code (with patch[1-9]) of X11R3 from MIT, it seems that xdm(1) has the similar problem. Ning Zhang <zhang@zgdvda.uucp>
rich@WSL.DEC.COM (Richard L. Hyde) (04/13/89)
>On Ultrix-32 3.0, unlike login(1) or su(1), dxsession(1) has a long life and >keeps a user's plain-text password in its stack area. Unfortunately, the >password will not be destroyed after authentication, even the user has logged >out. Since the /dev/mem file is readable by everybody on Ultrix (sigh!), the >password could be got by scanning the /dev/mem file for some specific string >patterns. This is false. Only the encripted password is stored.
news@zgdvda.UUCP (USENET News System) (04/14/89)
In article <8904131552.AA25388@gnome2.pa.dec.com>, rich@WSL.DEC.COM (Richard L. Hyde) writes: > > This is false. Only the encripted password is stored. But on my system (VAXstation 3200, Ultrix-32 3.0 (REV 64) UWS 2.0), I always can get my plain password like this way: od -s /dev/mem | grep assw | grep name 12345678 name: zhang\npassword: xxxxxxxx\n zhang%zgdvda.uucp@ddoinf6.bitnet
fuzzy%aruba.dnet@WPAFB-AVLAB.ARPA (John Karabaic) (04/18/89)
But on my system (VAXstation 3200, Ultrix-32 3.0 (REV 64) UWS 2.0), I always can get my plain password like this way: od -s /dev/mem | grep assw | grep name 12345678 name: zhang\npassword: xxxxxxxx\n zhang%zgdvda.uucp@ddoinf6.bitnet This has also been reproduced on a VAXstation III, Ultrix 3.0, UWS 2.0 running DECWINDOWS. How about it, DEC? Lt John S. Karabaic (fuzzy%aruba.dnet@wpafb-avlab.arpa) WRDC/TXI 513 255 5800 It's not just a job. WPAFB, OH 45433-6543 AV 785 5800 It's an indenture. These opinions are mine. I cannot confirm or deny whether anyone else holds them.