[Info-vax] Unexpected DECnet Phase IV functionality with possible captive account implications
Jan-Erik Söderholm
jan-erik.soderholm at telia.com
Tue May 11 18:01:10 EDT 2021
Den 2021-05-11 kl. 19:34, skrev Simon Clubley:
> On 2021-05-11, Dave Froble <davef at tsoft-inc.com> wrote:
>> On 5/11/2021 9:08 AM, Simon Clubley wrote:
>>> Due to unexpected functionality, if you can get to the captive account
>>> via a network login, you can directly execute any DCL commands you choose
>>> regardless of whatever the login command procedure does in terms of
>>> interactive user input when you login from a terminal session.
>>
>> Not "unexpected functionality".
>>
>> A captive user, unless set up to do so, cannot create any command files.
>> So no choices available.
>>
>
> You cannot protect against something you didn't know about or when the
> security implications of that something were not explained well enough
> in the manuals.
>
> I only found out about the remote batch submission capability after
> reading the FAL specification recently and that's from someone who
> has been actively discussing security issues in VMS for a number of years.
>
> BTW, does anyone know if there are similar submit on close or submit
> on transfer complete functions in the implementation of the other VMS
> communication protocols that would work just fine with captive accounts ?
I haven't look closely, but when doing a FTP to on MVS system, you could
specify the outpout file as "INTRDR". That is the "internal card reader"
and sending anything to that "file" would submit a MVS batch job.
And this was over standard FTP.
I do not know if there exist some similar "batch spooling" feature
when FTP'ing a file to VMS...
>
> Simon.
>
More information about the Info-vax
mailing list