Xref: utzoo comp.unix.ultrix:809 comp.windows.x:9274
Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!ames!lll-winken!uunet!mcvax!unido!zgdvda!news
From: news@zgdvda.UUCP (USENET News System)
Newsgroups: comp.unix.ultrix,comp.windows.x
Subject: security problem in xdm(1) of MIT X and dxsession(1) of DECwindows
Message-ID: <470@zgdvda.UUCP>
Date: 12 Apr 89 14:15:51 GMT
Followup-To: comp.unix.ultrix
Organization: ZGDV Darmstadt, FRG
Lines: 13

On Ultrix-32 3.0, unlike login(1) or su(1), dxsession(1) has a long life
and keeps a user's plain-text password in its stack area. Unfortunately,
the password will not be destroyed after authentication, even after the
user has logged out. Since the /dev/mem file is readable by everybody on
Ultrix (sigh!), the password could be got by scanning the /dev/mem file
for some specific string patterns.

I don't know if DECwindows on VMS has the same problem. However, by looking
up the source code (with patch[1-9]) of X11R3 from MIT, it seems that xdm(1)
has a similar problem.

Ning Zhang
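
The mitigation for the problem reported above, as an added example that is not part of the original post and not taken from xdm or dxsession source: a long-lived session process wipes the password buffer on every exit path as soon as authentication finishes. The names `secure_wipe`, `check_password`, `buffer_has_residue` and `start_session` are hypothetical, and the credentials are constructed sample values.

```c
#include <stdio.h>
#include <string.h>

/* Zero n bytes through a volatile pointer so the compiler cannot discard
   the stores as dead writes to a buffer that is never read again. */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
        *v++ = 0;
}

/* Hypothetical stand-in for the real credential check (assumption);
   the user name and password are constructed sample values. */
static int check_password(const char *user, const char *pw)
{
    return strcmp(user, "alice") == 0 && strcmp(pw, "constructed-secret") == 0;
}

/* Returns 1 if any byte of buf[0..n) is still non-zero. */
static int buffer_has_residue(const char *buf, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (buf[i] != 0)
            return 1;
    return 0;
}

/* Authenticate, then wipe the caller's whole buffer (not just strlen bytes)
   on success and on failure, before the long-lived session begins. */
static int start_session(const char *user, char *pw_buf, size_t pw_len)
{
    int ok = check_password(user, pw_buf);
    secure_wipe(pw_buf, pw_len);
    return ok;
}

int main(void)
{
    char pw[64] = "constructed-secret";   /* constructed input */
    int ok = start_session("alice", pw, sizeof pw);
    printf("authenticated=%d residue=%d\n", ok, buffer_has_residue(pw, sizeof pw));
    return 0;
}
```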