STAC Replica for NT Passwords Are Stored In Clear Text

Reported May 7, 1998 by Steven Kastl

Systems Affected

Windows NT

Description:

STAC International markets a product for various OS's called Replica. It is a backup/restore/disaster-recovery tool. This message deals specifically with the version for NT.

Problem:

Passwords are stored in plain text.

========
Details
========

With the update to the latest version of Replica (3.05, I believe) there
is a scripting facility for creating scripts to back up systems. These
scripts are created via an application that presents the user with a
series of questions about the backup operation to be performed. Part of
this "config" information is "Username:" and "Password:" (Both username
and password need to be entered twice--which makes extraction even
easier). A check of the resulting file shows it contains the password in
clear text.

=======
Workaround
=======

Don't use the scripting engine or else be *overly protective* of these
files. My current workaround is to call the files across (via FTP) from a
secure server behind a firewall to a protected directory on the server and
then execute them. Once execution is complete, delete them.

Not very sexy, but it works (kinda -- there are extenuating circumstances
here).

Overall, I would say the product is exceptional at what it does. I can
recover a completely obliterated box in about 15 minutes (including
*everything*). YMMV

But this issue is a wart on an otherwise beautiful package. I hope they
can get this fixed soon.

Credit:
Reported by: Steve Kastl
Posted here at NTSecurity.Net
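
An audit check for the condition described under Details, added here as an example; it is not code from the advisory or from STAC. It assumes the generated scripts hold fields as "Key: value" or "Key=value" lines (the advisory does not show the real syntax), and the function names and sample script are constructed for illustration. It reports where populated password fields sit and whether a value is repeated, without ever emitting the value.

```python
import re
from collections import Counter
from pathlib import Path

# Assumption: fields are written as "Key: value" or "Key=value" lines. The
# advisory does not show the real Replica script syntax.
FIELD = re.compile(
    r"^\s*(?P<key>[\w .-]*(?:password|passwd|pwd)[\w .-]*?)\s*[:=]\s*(?P<val>\S.*?)\s*$",
    re.IGNORECASE,
)

def find_cleartext_passwords(text):
    """Return (line_no, key, value_length, repeated) per populated password field.

    The value itself is never returned, so the report is safe to log.
    """
    found = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = FIELD.match(line)
        if m:
            found.append((line_no, m.group("key").strip(), m.group("val")))
    counts = Counter(val for _, _, val in found)
    return [(n, key, len(val), counts[val] > 1) for n, key, val in found]

def audit_tree(root, max_bytes=1_000_000):
    """Map each file under root that holds a populated password field to its hits."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue
        hits = find_cleartext_passwords(path.read_bytes().decode("latin-1"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample input; not real Replica output.
SAMPLE = """\
; constructed sample script
Server: NTBACKUP01
Username: backupsvc
Password: Example-Pa55
Confirm Password: Example-Pa55
Schedule: nightly
"""

if __name__ == "__main__":
    for hit in find_cleartext_passwords(SAMPLE):
        print(hit)
```

Running `audit_tree` over the directory that receives the scripts, after each backup job, also confirms that the delete step of the workaround actually happened.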