StarGROUP DOS Server insecurities.

John Breeden jbreeden at netcom.UUCP
Sat Oct 27 11:18:30 AEST 1990


In article <40913 at cc.usu.edu> JRD at cc.usu.edu (Joe Doupnik) writes:
>
>	Has anyone commented on the ability of an ordinary DOS client to
>execute the StarGROUP DOS Server command SRV and stop the entire server?
>	I pulled the plug on mapping the attutil logical name across the
>network where this ability is sitting right in the open as SRV.EXE. The
>trick is to edit the file RULES.LST and remove the last line invoking
>server file NETSTART.BAT. But this was not quite enough because a user
>can use Kermit to log into the Unix server and do exactly the same bad
>things via FACE.
>	Overall this seems to be a cavernous security hole.
>	Joe D.

Yes, I'd say that leaving out passwords on a Unix system is a bit of a
security hole (-:

You have an old release of StarGROUP. It no longer even uses the same
application layer that you are now using (nor does it support DOS servers -
another big security hole in itself).

StarGROUP is up to release 3.4 - it's LAN Manager/X over either ISO,
NetBEUI and one more unannounced transport layer - and three different
layers of security.
-- 
 John Robert Breeden, 
 netcom!jbreeden at apple.com, apple!netcom!jbreeden, ATTMAIL:!jbreeden
 -------------------------------------------------------------------
 "The nice thing about standards is that you have so many to choose 
  from. If you don't like any of them, you just wait for next year's 
  model."


