22 Apr
2007
22 Apr
'07
9:35 p.m.
An early generation of the Tandem (I'm gonna guess TNS-II) running the default shell
"COMINT" had the following pretty big weakness out of the box.
The logins and passwords were stored in cleartext in a file (my fuzzy memory says it was
probably called $SYSTEM.SYSTEM.USERID or USERS). You couldn't read it, however, if
you didn't have the supervisor login (usually called SUPER.SUPER, although at one
place I recall it being called SUPER.DUPER, either way being userid 255,255).
However, anyone could start a new instance of COMINT, which would start up in a logged off
state. The weakness was that you could also manually specify a "swap file" for
any program execution, rather than let the system automatically create a temporary file
for that purpose. You would start COMINT like this:
:COMINT/SWAP $DATA.MYFILES.MYSWAP/
and then it would create that memory swap file in your subvolume as it ran.
Then, attempt to log in. COMINT would read the userid file into memory, which would cause
it to be written into the swap file. Then, stop this instance of COMINT (you might have
to log in successfully as someone first in order to be able to stop the process with
Ctrl-Y (EOF!)), and check out your saved swap file to find the contents of the userid file
somewhere in there in cleartext.
They patched this hole later.
Disclaimer: This is all from memory from almost 30 years ago, and I was only around 9
years old at the time.
- Ken