Path: utzoo!mnetor!uunet!husc6!bloom-beacon!gatech!purdue!i.cc.purdue.edu!j.cc.purdue.edu!pur-ee!iuvax!inuxc!ihnp4!homxb!mtuxo!mtune!codas!ufcsv!beach.cis.ufl.edu!kml
From: kml@beach.cis.ufl.edu (Kevin M. Lahey)
Newsgroups: comp.os.vms
Subject: Re: USER ID PASS VALIDATION ON VMS
Message-ID: <10047@ufcsv.cis.ufl.EDU>
Date: 6 Jan 88 21:32:56 GMT
References: <8712192213.AA27374@ucbvax.Berkeley.EDU> <13592@beta.UUCP> <9909@ufcsv.cis.ufl.EDU> <13921@beta.UUCP>
Sender: news@ufcsv.cis.ufl.EDU
Reply-To: kml@beach.cis.ufl.edu ()
Organization: UF CIS Department
Lines: 32
Summary: Be careful before you flame!

In article <13921@beta.UUCP> mbr@beta.UUCP (Mike Rose) writes:
>In article <9909@ufcsv.cis.ufl.EDU> jmb@beach.cis.ufl.edu (John M Boof) writes:
>>Ah, but GETUAI will give the hashed password and all UAF information for
>>any user in your Group ID (UIC) - at least on the VAXes I have used.
>
>I tested this under VMS 4.6 and it is implemented as described 
                         ^^^
>in the manual.  Does everyone have GRPPRV on your VAXen?  
>
>Mike Rose
>mbr@lanl.gov

Try under version 4.5 before the emergency patch issued by DEC.
It didn't behave the way the manuals claim -- thats why it was a BUG,
not a feature :-)

Now, does anybody have a reasonable explanation of how such an INCREDIBLE
hole made it into the final release?  I mean -- thats just the sorta 
new system service all the hacker types would just love to play with.

Even better, why doesn't somebody explain why it is so horrible that we
could get other people's names and hashed passwords -- you can do it on UNIX,
an operating system which is a hell of a lot more secure than you folks
seem to think.

Cheers,
Kevin

--
--------------------------------------------------------------------------------
Kevin Lahey                     UUCP: ...ihnp4!codas!ufcsv!beach.cis.ufl.edu!kml
University of Florida, CIS      Internet: kml@beach.cis.ufl.edu