StarGROUP DOS Server insecurities.

Joe Doupnik JRD at cc.usu.edu
Thu Oct 25 12:29:45 AEST 1990


	Has anyone commented on the ability of an ordinary DOS client to
execute the StarGROUP DOS Server command SRV and stop the entire server?
	I pulled the plug on mapping the attutil logical name across the
network where this ability is sitting right in the open as SRV.EXE. The
trick is to edit the file RULES.LST and remove the last line invoking
server file NETSTART.BAT. But this was not quite enough because a user
can use Kermit to log into the Unix server and do exactly the same bad
things via FACE.
	Overall this seems to be a cavernous security hole.
	Joe D.


