[2930] in bugtraq
Re: hpux 10.0 remote administration
daemon@ATHENA.MIT.EDU (Matt Barrie SYD)
Tue Jul 16 02:07:25 1996
Date: Tue, 16 Jul 1996 00:02:21 -0600
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
From: Matt Barrie SYD <Matt_Barrie@oti.com>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
Hmmm. I have a hpux (10.01) box here. I took a brief look at it and
a) can't see where the default (or any password) is used,
nor b) see where sam_exec is used. Is sam_exec an executable
or a system call? The documentation mentions a few things have
been completely revised in 10.x re remote clusters etc, so if you
could tell me precisely to look for these problems, I'll tell you
if theyre still around
matt
----------
>>sam_exec is still used
>
>>Do you happen to know what password they use for sam_exec ;-)
>>(the concept looks dangerous, I have not had time to really
>>look at it. But I didn't enable it either...)
>
>Yes. there is a default password. Im not sure if
>it has been changed for 10.X, but if you run
>crack on it, you will find it without a question.
Where is this encrypted password stored?
>At that point, anyone can pretty much log into your
>machine as sam_exec and hit ctl-c to obtain a
>uid 0 shell.
>
