[comp.windows.x] security problem in xdm

news@zgdvda.UUCP (USENET News System) (04/12/89)

On Ultrix-32 3.0, unlike login(1) or su(1), dxsession(1) has a long life and
keeps a user's plain-text password in its stack area. Unfortunately, the
password will not be destroyed after authentication, even the user has logged
out. Since the /dev/mem file is readable by everybody on Ultrix (sigh!), the
password could be got by scanning the /dev/mem file for some specific string
patterns.

I don't know if DECwindows on VMS has the same problem. However, by looking
up the source code (with patch[1-9]) of X11R3 from MIT, it seems that xdm(1)
has the similar problem.

Ning Zhang
<zhang@zgdvda.uucp>

rich@WSL.DEC.COM (Richard L. Hyde) (04/13/89)

>On Ultrix-32 3.0, unlike login(1) or su(1), dxsession(1) has a long life and
>keeps a user's plain-text password in its stack area. Unfortunately, the
>password will not be destroyed after authentication, even the user has logged
>out. Since the /dev/mem file is readable by everybody on Ultrix (sigh!), the
>password could be got by scanning the /dev/mem file for some specific string
>patterns.

	This is false.  Only the encripted password is stored.

news@zgdvda.UUCP (USENET News System) (04/14/89)

In article <8904131552.AA25388@gnome2.pa.dec.com>, rich@WSL.DEC.COM (Richard L. Hyde) writes:
>
> 	This is false.  Only the encripted password is stored.

But on my system (VAXstation 3200, Ultrix-32 3.0 (REV 64) UWS 2.0), I always
can get my plain password like this way:

	od -s /dev/mem | grep assw | grep name
	12345678 name: zhang\npassword: xxxxxxxx\n

zhang%zgdvda.uucp@ddoinf6.bitnet

fuzzy%aruba.dnet@WPAFB-AVLAB.ARPA (John Karabaic) (04/18/89)

   But on my system (VAXstation 3200, Ultrix-32 3.0 (REV 64) UWS 2.0), I always
   can get my plain password like this way:

	   od -s /dev/mem | grep assw | grep name
	   12345678 name: zhang\npassword: xxxxxxxx\n

   zhang%zgdvda.uucp@ddoinf6.bitnet

This has also been reproduced on a VAXstation III, Ultrix 3.0, UWS 2.0
running DECWINDOWS.  How about it, DEC?
	    Lt John S. Karabaic (fuzzy%aruba.dnet@wpafb-avlab.arpa)
     WRDC/TXI                    513 255 5800          It's not just a job.
     WPAFB, OH 45433-6543        AV 785 5800            It's an indenture.
			    These opinions are mine.
	    I cannot confirm or deny whether anyone else holds them.