Rexec on the Internet
Impact
This vulnerability allows remote, untrusted users to execute commands on
a target machine as if they were trusted on the target machine. Also,
because passwords are transmitted as plaintext, "in the clear" (in other words,
the passwords are not encrypted), hackers may be able to "grab" the passwords,
allowing malicious users to log in to the target system.
Background
The rexec service allows remote users, using an rexec
client, to execute commands and programs on the rexec server. The rexec
service uses a .rhosts file to determine which remote hosts it
trusts. If the .rhosts file is misconfigured, it is possible for any
remote user, in any location, to execute commands with the permissions of the
user they are attempting to connect as, including root.
Essentially, rexec is a method for people to execute
commands on remote machines, without using a terminal emulator, such as
telnet. In a normal situation, the server prompts the user for a password,
but by using a .rhosts file, a user can instruct the server to not
prompt for a password for rexec requests from certain locations.
Because the .rhosts file uses wildcards, such as * and ?, the file
is very easy to misconfigure.
The Problem
This vulnerability allows any untrusted user to execute commands on a
target system as if they were trusted. Also, because passwords are transmitted
as plaintext, in the clear, hackers might be able to "grab" passwords and
compromise accounts on the target system.
Resolution
The one sure method to eliminate this vulnerability is to turn off the
rexec service: edit the /etc/inetd.conf file,
comment out the rexec service line, and
send a HUP (restart) signal to the inetd process so that it re-reads its configuration.
To help limit access to vulnerable services on your network, you should use
TCP wrappers.
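The following script is an added example, not part of the original advisory: it audits an inetd.conf for the rexec service (registered under the service name "exec") and comments it out as the Resolution describes, keeping a backup copy. The file path, the sample inetd.conf content and the function names are constructed for the demonstration; the SIGHUP step is written as a function that the demo deliberately does not call.

```shell
#!/bin/sh
# Added example: disable rexec in an inetd.conf the way the Resolution above describes.
# rexec is listed under the service name "exec" in inetd.conf, so that is the field matched.

# Exit status 0 if an active (uncommented) "exec" line exists in the given inetd.conf.
rexec_enabled() {
    conf="$1"
    grep -Eq '^[[:space:]]*exec[[:space:]]' "$conf"
}

# Comment out every active "exec" service line, leaving a backup at "$conf.bak"
# so the change can be reviewed or reverted. Other service lines are untouched.
disable_rexec() {
    conf="$1"
    cp "$conf" "$conf.bak"
    sed -E 's/^([[:space:]]*exec[[:space:]])/#\1/' "$conf.bak" > "$conf"
}

# After editing the real /etc/inetd.conf, inetd must re-read it: send SIGHUP.
# Provided as a function only; the demo below never calls it.
reload_inetd() {
    pid=$(pgrep -x inetd 2>/dev/null | head -n 1)
    [ -n "$pid" ] && kill -HUP "$pid"
}

# Demo on a constructed inetd.conf written to a temporary file (not a real system file).
# If rexec must stay on, TCP wrappers can still restrict it: point the line at
# /usr/sbin/tcpd and list permitted hosts for in.rexecd in /etc/hosts.allow,
# with "ALL: ALL" in /etc/hosts.deny.
demo_conf="${TMPDIR:-/tmp}/inetd.conf.demo.$$"
cat > "$demo_conf" <<'EOF'
# constructed sample inetd.conf
ftp    stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
exec   stream tcp nowait root /usr/sbin/in.rexecd in.rexecd
login  stream tcp nowait root /usr/sbin/in.rlogind in.rlogind
EOF

if rexec_enabled "$demo_conf"; then
    echo "rexec is enabled in $demo_conf; commenting it out"
    disable_rexec "$demo_conf"
fi
rexec_enabled "$demo_conf" || echo "rexec is now disabled (backup in $demo_conf.bak)"
rm -f "$demo_conf" "$demo_conf.bak"
```

Run it against a copy of your own /etc/inetd.conf first; only the real file followed by a HUP to inetd changes what the system accepts.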
Where can I read more about this?
Search your system's man pages for the rexec and
rexecd services for more information.