Rexec on the Internet

Impact

This vulnerability allows remote, untrusted users to execute commands on a target machine as if they were trusted users of that machine. Also, because passwords are transmitted as plaintext, "in the clear" (in other words, the passwords are not encrypted), hackers may be able to "grab" the passwords, allowing malicious users to log in to the target system.

Background

The rexec service allows remote users, using an rexec client, to execute commands and programs on the rexec server. The rexec service uses a .rhosts file to determine which remote hosts it trusts. If the .rhosts file is misconfigured, it is possible for any remote user, in any location, to execute commands with the permissions of the user they are attempting to connect as, including root.

Essentially, rexec is a method for people to execute commands on remote machines, without using a terminal emulator, such as telnet. In a normal situation, the server prompts the user for a password, but by using a .rhosts file, a user can instruct the server to not prompt for a password for rexec requests from certain locations. Because the .rhosts file uses wildcards, such as * and ?, the file is very easy to misconfigure.

The Problem

This vulnerability allows any untrusted user to execute commands on a target system as if they were trusted. Also, because passwords are transmitted as plaintext and in the clear, hackers might be able to "grab" passwords and compromise accounts on the target system.

Resolution

The one sure method to eliminate this vulnerability is to turn off the rexec service: edit the /etc/inetd.conf file, comment out the rexec service entry, and send a HUP signal to the inetd process so that it re-reads its configuration (effectively restarting it). To help limit access to vulnerable services on your network, you should use TCP wrappers.
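As an added example that is not from this advisory, the following POSIX shell functions carry out the resolution steps above (audit /etc/inetd.conf for an active rexec entry, comment it out, signal inetd) and also flag the wildcard .rhosts entries described in the Background section. They assume a BSD-style inetd whose rexec entry is listed under the service name "exec", a pkill utility, and a sed that accepts -i with a backup suffix; the demo runs on a constructed configuration fragment, not a real host.

```shell
#!/bin/sh
# Added example: audit and disable rexec in an inetd.conf, audit a .rhosts file.
# Assumes the service name is "exec" (BSD convention) and inetd reloads on HUP.

# Return 0 (true) if the given inetd.conf has an active, uncommented exec line.
rexec_enabled() {
    grep -Eq '^[[:space:]]*exec[[:space:]]' "$1"
}

# Comment out every active exec line in place; sed keeps a .bak copy of the file.
disable_rexec() {
    sed -i.bak -E 's/^([[:space:]]*exec[[:space:]])/#\1/' "$1"
}

# Ask the running inetd to re-read its configuration (the advisory's HUP step).
restart_inetd() {
    pkill -HUP -x inetd
}

# Return 0 if a .rhosts file has any uncommented entry using * ? or the + wildcard,
# i.e. an entry that trusts more than one specific host/user pair.
rhosts_has_wildcards() {
    grep -Eq '^[[:space:]]*[^#]*[*?+]' "$1"
}

# Demo on a constructed inetd.conf fragment (sample data, not from a real host).
# Returns 0 when the exec entry was found and successfully commented out.
demo() {
    f=$(mktemp) || return 1
    printf '%s\n' \
        'ftp   stream tcp nowait root /usr/sbin/in.ftpd   in.ftpd' \
        'exec  stream tcp nowait root /usr/sbin/in.rexecd in.rexecd' > "$f"
    if ! rexec_enabled "$f"; then echo "no rexec entry in $f"; rm -f "$f"; return 1; fi
    echo "rexec active in $f; commenting it out"
    disable_rexec "$f" || return 1
    if rexec_enabled "$f"; then echo "rexec still active"; return 1; fi
    echo "rexec entry disabled (backup in $f.bak); now send HUP to inetd"
    rm -f "$f" "$f.bak"
}
```

Run demo to see the audit and fix on the sample fragment; on a real host, point rexec_enabled and disable_rexec at /etc/inetd.conf and then call restart_inetd.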

Where can I read more about this?

Search your system's man pages for information on the rexec and rexecd services for more information.