Remote Shell on the Internet

Summary

This vulnerability allows remote shell (rsh) and remote login (rlogin) access from arbitrary hosts on the network.

Impact

The machine can be taken over by any malicious (super) user on the network. In other words, depending on the configuration of the target system, a malicious user will be able to log on to the target without a password. Once logged in, the user can replace or delete important system programs and configuration files and generally wreak havoc on the target system.

The Problem

When the remote login/remote shell service trusts every host on the network, a malicious superuser on an arbitrary host can gain access as any user (except perhaps root, since /etc/hosts.equiv is not consulted for root). Once inside, the intruder can replace system programs or configuration files (such as the password file) and take over the machine.

In addition, there may be guest or administrative accounts that have no password protecting them, which allows anyone to log in remotely as that user and gain access to the host.

Resolution

Remove the wildcard (+), which trusts every host, from the /etc/hosts.equiv file. Be careful with the use of the -@group netgroup feature, as there are many incorrect implementations. Also, delete or disable any accounts without a password in the system or NIS password file. Another fix is to give system accounts such as bin and daemon a non-functional shell (such as /bin/false) and put them in the /etc/ftpusers file so they cannot use FTP.

To help limit access to vulnerable services on your network, you should use TCP wrappers.
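The following audit script is an added example and is not part of the original page. It checks the three fixes above on a set of files: a hosts.equiv wildcard (and flags -@netgroup exclusions for manual review), accounts with an empty password field, and whether system accounts have a non-functional shell and appear in ftpusers. The sample files it builds are constructed for the demonstration; the same functions accept real paths such as /etc/hosts.equiv and /etc/passwd on a system you administer. The list of accepted non-functional shells and the account names bin and daemon are assumptions taken from common practice and the text above.

```shell
#!/bin/sh
# Audit helpers for the hosts.equiv / passwordless-account fixes described
# above. Added example, not code from the original page.

# Report hosts.equiv entries whose host field is the bare wildcard "+"
# (trust every host) and flag "-@netgroup" lines for manual review.
# Returns 1 if a wildcard is found, 0 otherwise.
check_hosts_equiv() {
    _file=$1; _found=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        set -- $line                       # split into host [user] fields
        case "$1" in
            '+')   echo "WILDCARD: trusts every host: '$line'"; _found=1 ;;
            '-@'*) echo "CAUTION: netgroup exclusion '$1' (verify implementation)" ;;
        esac
    done < "$_file"
    return "$_found"
}

# List accounts whose password field is empty in a passwd- or shadow-style
# file (user:password:...). Returns 1 if any are found.
check_empty_passwords() {
    _out=$(awk -F: 'NF >= 2 && $2 == "" { print $1 }' "$1")
    [ -z "$_out" ] && return 0
    printf '%s\n' "$_out"
    return 1
}

# For each named system account, require a non-functional login shell
# (assumed set: /bin/false and the nologin variants) and an ftpusers entry.
# Usage: check_system_accounts PASSWD FTPUSERS account...  Returns 1 on any gap.
check_system_accounts() {
    _passwd=$1; _ftpusers=$2; shift 2
    _found=0
    for _acct in "$@"; do
        _shell=$(awk -F: -v u="$_acct" '$1 == u { print $7 }' "$_passwd")
        if [ -z "$_shell" ]; then
            echo "MISSING: $_acct not present in $_passwd"; _found=1; continue
        fi
        case "$_shell" in
            /bin/false|/sbin/nologin|/usr/sbin/nologin) ;;
            *) echo "SHELL: $_acct has functional shell '$_shell'"; _found=1 ;;
        esac
        grep -qx "$_acct" "$_ftpusers" || { echo "FTP: $_acct not in $_ftpusers"; _found=1; }
    done
    return "$_found"
}

# Run every check against one set of files; returns 1 if anything was found.
audit() {
    _rc=0
    check_hosts_equiv "$1" || _rc=1
    check_empty_passwords "$2" || _rc=1
    check_system_accounts "$2" "$3" bin daemon || _rc=1
    return "$_rc"
}

# Constructed sample files: a weak configuration and a hardened one.
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
SAMPLE_HOSTS_EQUIV_BAD="$WORK/hosts.equiv.bad"
printf '%s\n' '# trusted hosts' '+' 'trusted.example.com' '-@untrusted' > "$SAMPLE_HOSTS_EQUIV_BAD"
SAMPLE_HOSTS_EQUIV_GOOD="$WORK/hosts.equiv.good"
printf '%s\n' 'trusted.example.com' > "$SAMPLE_HOSTS_EQUIV_GOOD"
SAMPLE_PASSWD_BAD="$WORK/passwd.bad"
cat > "$SAMPLE_PASSWD_BAD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/sbin:/bin/sh
guest::500:500:Guest:/home/guest:/bin/sh
EOF
SAMPLE_PASSWD_GOOD="$WORK/passwd.good"
cat > "$SAMPLE_PASSWD_GOOD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
EOF
SAMPLE_FTPUSERS="$WORK/ftpusers"
printf '%s\n' 'bin' 'daemon' > "$SAMPLE_FTPUSERS"

echo "== weak configuration =="
audit "$SAMPLE_HOSTS_EQUIV_BAD" "$SAMPLE_PASSWD_BAD" "$SAMPLE_FTPUSERS" || echo "findings present"
echo "== hardened configuration =="
audit "$SAMPLE_HOSTS_EQUIV_GOOD" "$SAMPLE_PASSWD_GOOD" "$SAMPLE_FTPUSERS" && echo "no findings"
```

The wildcard check matches only a bare "+" in the host field; "+@netgroup" entries are netgroup includes rather than a global wildcard, and "-@netgroup" lines are reported for review rather than treated as a finding, since the text notes that exclusion handling is often implemented incorrectly.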

Where can I read more about this?

See the Admin Guide to Cracking for an example of why this vulnerability is a problem.