COMMAND

    STAC Replica

SYSTEMS AFFECTED

    Win NT

PROBLEM

    Steven Kastl found the following.  STAC International markets  a
    product for various OS' called Replica.  It is a backup / restore
    / disaster-recovery tool.  This advisory deals specifically  with
    the version for NT.

    The problem is that passwords are stored in clear text.  With the
    update to the latest version of Replica (3.05, I believe) there is
    a scripting facility for creating scripts to back up systems. These
    scripts are created via an application that presents the user with
    a series of questions about the backup operation to be  performed.
    Part of this 'config' information is 'Username:' and  'Password:'
    (both username and password need to be entered twice, which  makes
    extraction even easier).  A check of the resulting file shows  that
    it contains the password in clear text.
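    The check described above, written out as an added example (this is
    not code from the advisory or from STAC).  The advisory does not
    publish the script format, so the example assumes 'Label: value'
    lines with the 'Username:' and 'Password:' labels it names, and the
    sample script it scans is constructed for illustration; the scanner
    reports where a credential field carries a value without printing
    the secret itself.

```python
"""Scan a backup-script file for credential fields stored in the clear.

Added example, not part of the STAC Replica advisory and not STAC's code.
Assumption: the generated script stores answers as 'Label: value' lines,
and the credential labels are 'Username:' and 'Password:' as named in the
advisory.  SAMPLE_SCRIPT below is constructed for illustration only.
"""
import re
from typing import List, Tuple

# Labels whose value is a secret or identifies the account the secret
# belongs to.  'password' is the one that matters for this advisory.
CREDENTIAL_LABELS = ("password", "username")

# Constructed sample: credentials were entered twice at the prompts, so
# they appear twice in the file, as the advisory describes.
SAMPLE_SCRIPT = """\
; Replica backup script (constructed sample)
Server: FILESRV01
Share: \\\\FILESRV01\\Data
Username: NTDOM\\backupsvc
Password: Summer98!
Username: NTDOM\\backupsvc
Password: Summer98!
Destination: \\\\BACKUP01\\Tapes
"""

# 'Label: value' with optional surrounding whitespace; labels may contain
# spaces, underscores or dashes but never a colon.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 _-]*?)\s*:\s*(.*?)\s*$")


def mask(value: str) -> str:
    """Keep the first character and the length so two findings can be
    matched up by eye without the report becoming a copy of the secret."""
    return value[0] + "*" * (len(value) - 1) if value else ""


def find_cleartext_credentials(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, label, masked_value) for every credential
    field that carries a non-empty value.  Comment lines are skipped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith((";", "#")):
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        label, value = m.group(1).strip(), m.group(2)
        if label.lower() in CREDENTIAL_LABELS and value:
            findings.append((lineno, label, mask(value)))
    return findings


def password_lines(text: str) -> List[int]:
    """Line numbers at which a non-empty 'Password:' value is stored."""
    return [n for n, label, _ in find_cleartext_credentials(text)
            if label.lower() == "password"]


def repeated_password_count(text: str) -> int:
    """How many times the same password value is written out.  A count
    above one means an attacker only has to read one of the copies."""
    values = []
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(1).strip().lower() == "password" and m.group(2):
            values.append(m.group(2))
    return max((values.count(v) for v in set(values)), default=0)


if __name__ == "__main__":
    for lineno, label, masked in find_cleartext_credentials(SAMPLE_SCRIPT):
        print(f"line {lineno}: {label} stored in clear ({masked})")
    print("password copies:", repeated_password_count(SAMPLE_SCRIPT))
```

    Run against a real Replica script file by reading it into `text`
    in place of SAMPLE_SCRIPT; a non-empty result from password_lines()
    is the condition the advisory describes.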

SOLUTION

    STAC International has  been notified,  but does  not have  any
    immediate plans to correct this issue.  There is little Stac  can
    do.  This is the general problem of having a  non-interactive
    process access a privileged service that requires a shared secret.
    Encrypting or obfuscating the password would gain little, as  they
    would have to store the key somewhere and their algorithm could be
    reverse engineered.  It is the same problem as with the LSA secrets.
    The only thing you can do is protect the secret with the  operating
    system's access controls.  Don't use the scripting engine, or  else
    be *overly protective* of these files (e.g. copy the files via  FTP
    from a secure server behind a firewall to a protected directory  on
    the server, execute them, and delete them once execution is
    complete).  Bear in mind that FTP itself sends the file in the
    clear, so the path it travels must be as trusted as the servers at
    either end.