Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!lll-crg!styx!ames!ucbcad!ucbvax!MITRE.ARPA!art
From: art@MITRE.ARPA (Art McClinton)
Newsgroups: mod.computers.vax
Subject: Security problem with BACKUP over DECnet
Message-ID: <8612011645.AA03275@mitre.ARPA>
Date: Tue, 2-Dec-86 03:54:05 EST
Article-I.D.: mitre.8612011645.AA03275
Posted: Tue Dec  2 03:54:05 1986
Date-Received: Tue, 2-Dec-86 07:57:47 EST
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The MITRE Corp., Washington, D.C.
Lines: 30
Approved: info-vax@sri-kl.arpa

Several user sessions were held at the S.F. DECUS discussing the methods
that could be used to back up MicroVAX computers and other small VMS
machines over DECnet.  At the most recent Washington Area VAX LUG
meeting, it came to my attention that a potential security hole exists
if one is to misuse this scheme.  If one issues the following command:

$BACKUP/...  *.*  nodename[user password]::...

BACKUP is will create the save set on the node specified.  However it
will also include in the save set header the full saveset name.  THIS
WILL INCLUDE THE NODENAME, ACCOUNT NAME, AND >>PASSWORD<<.  Thus any
user can do a BACKUP/LIS saveset" and get the password and account.

The simple workaround is to use proxy logins to send the backup save
sets.

One more note:  remeber that the password is available to any user who
translates SYS$NET.  Thus any network object can be a trojan horse and
collect passwords of the various users who run them across the
network.


*
*---Art
*
*Arthur T. McClinton Jr.     ARPA: ART@MITRE.ARPA
*Mitre Corporation MS-Z305   Phone: 703-883-6356
*7525 Colshire Drive         Internal Mitre: ART@MWVMS or M10319@MWVM
*McLean, Va. 22102           DECUS DCS: MCCLINTON
*