From proff  Fri Jul 19 11:46:33 1996
Received: (proff@localhost) by suburbia.net (8.7.4/Proff-950810) id LAA22496 for best-of-security; Fri, 19 Jul 1996 11:46:33 +1000
Received: from brimstone.netspace.org ([128.148.157.143]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id KAA20102 for <proff@SUBURBIA.NET>; Fri, 19 Jul 1996 10:39:49 +1000
Received: from netspace.org ([128.148.157.6]) by brimstone.netspace.org with ESMTP id <23153-21009>; Thu, 18 Jul 1996 20:38:53 -0500
Received: from netspace.org (netspace [128.148.157.6]) by netspace.org (8.7/8.6.12) with SMTP id UAA18177; Thu, 18 Jul 1996 20:38:14 -0400
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8b) with
          spool id 177740 for BUGTRAQ@NETSPACE.ORG; Thu, 18 Jul 1996 20:25:20
          +2000
Received: from netspace.org (netspace [128.148.157.6]) by netspace.org
          (8.7/8.6.12) with SMTP id UAA17229 for <BUGTRAQ@NETSPACE.ORG>; Thu,
          18 Jul 1996 20:24:14 -0400
Approved-By: ALEPH1@UNDERGROUND.ORG
Received: from command.com.inter.net (command.com.inter.net [38.250.25.1]) by
          netspace.org (8.7/8.6.12) with ESMTP id TAA13400 for
          <bugtraq@netspace.org>; Thu, 18 Jul 1996 19:46:44 -0400
Received: (from bogus@localhost) by command.com.inter.net (8.7.4/8.6.12) id
          RAA01077; Thu, 18 Jul 1996 17:50:46 GMT
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Approved-By:  bogus technician <bogus@COMMAND.COM.INTER.NET>
Message-ID: <Pine.BSF.3.91.960718173937.1047A-100000@command.com.inter.net>
Date: 	Thu, 18 Jul 1996 17:50:45 +0000
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
Sender: proff
From: bogus technician <bogus@command.com.inter.net>
Subject:      HPUX sam_exec
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>

The sam_exec password is "x7vpa5jh".

I sniffed the thing, and it doesn't look like the password is used at all
during any of the transactions -- a .rhosts file gets installed in the
sam_exec home dir, and r* methods are used.  The password does exist in
the clear, though, in the same place it's always been.  strings through
the shared library and it'll be right after the word 'None'; 9.x you'll
see 'None' and then 'Yosemite' on the next line, 10.x you'll see 'None'
and then 'x7vpa5jh' on the next line.  (The remote access shared library
is at /usr/sam/lib/ra/ra.sl, and it looks to be world readable by default.)

Moo