Remote Shell Access

CAN-1999-0515

Summary

The rsh/rlogin services on this host trust arbitrary remote hosts, so remote shell or remote login access is granted without a password to users coming from any machine on the network.

Impact

Any user who is the superuser on some other host on the network can take over the machine: he/she can log on to the target as any ordinary user without a password. Once in, the intruder has that user's access to system programs and configuration files, and from there may read the password file, copy sensitive/classified information stored on the machine, and delete or alter configuration the machine needs in order to operate properly. The potential harm to a compromised machine is almost unlimited.

Background

The rsh service allows a remote user with an rsh client to execute shell commands on the rsh server without supplying a password. rsh is similar to rlogin in that both give shell access to a remote computer, but rsh runs individual commands rather than providing an interactive login shell. Both services decide which connections to trust from the same files: /etc/hosts.equiv, which applies system-wide, and the .rhosts file in each user's home directory. An entry names a trusted host and, in .rhosts, optionally a trusted remote user name. Beyond that, the server only checks that the connection originates from a privileged port (below 1024) on the client, which is why an attacker who is root on a trusted host can present whatever user name he/she pleases.

The Problem

When the remote login/remote shell service trusts every host on the network, a malicious superuser on an arbitrary host can gain access as any user (except perhaps root). Once inside, the intruder can replace system programs or configuration files (such as the password file) and take over the machine. The damage can range from the relatively innocuous to the nearly catastrophic, and it is worth reiterating that the machine is not the only casualty: sensitive/classified information stored on it may be compromised by a malicious user exploiting this vulnerability.

In addition, guest or administrative accounts may have no password at all, which allows anyone to log in remotely as that user and gain access to the host.

Resolution

Remove the wildcard (+) from /etc/hosts.equiv and from every .rhosts file in users' home directories, and ensure that these files list only trustworthy hosts. Be careful with the netgroup feature (+@netgroup and -@netgroup entries), as many implementations handle it incorrectly. Also, delete or disable any account without a password in the system or NIS password file. It is also a good idea to give system accounts such as bin and daemon a non-functional shell (such as /bin/false) and to list them in /etc/ftpusers so they cannot use FTP.
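The following audit script is an added example and is not part of the original page or of any vendor's tooling. It checks for the three conditions the resolution above describes: bare "+" wildcard entries in hosts.equiv or .rhosts files (netgroup references such as +@admins are left alone, since they are not wildcards), accounts whose password field is empty, and system accounts that still have a working login shell. The function names, the sample trust files and the sample password file are all constructed for the example; on a real host you would point the functions at /etc/hosts.equiv, each user's .rhosts, and /etc/passwd or /etc/shadow (or a dumped NIS passwd map).

```shell
#!/bin/sh
# Added audit script (not from the original page). The sample files below are
# constructed here in a temporary directory so the script runs offline.

# Print every trust entry whose host field or user field is a bare "+".
# "+@netgroup" is a netgroup reference, not a wildcard, so it is not flagged.
# Output format: FILE:LINE: entry
rhosts_wildcards() {
    [ -r "$1" ] || return 0
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        $1 == "+" || $2 == "+" { print FILENAME ":" NR ": " $0 }
    ' "$1"
}

# Print accounts whose password field is empty, i.e. that have no password.
# Works on /etc/passwd, /etc/shadow and a dumped NIS passwd map alike.
passwordless_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print the named system accounts that still have a working login shell
# (anything other than /bin/false or /sbin/nologin), as NAME:SHELL.
# Usage: system_accounts_with_shell PASSWD_FILE ACCOUNT...
system_accounts_with_shell() {
    file=$1
    shift
    for acct in "$@"; do
        awk -F: -v a="$acct" '
            $1 == a && $7 != "/bin/false" && $7 != "/sbin/nologin" { print $1 ":" $7 }
        ' "$file"
    done
}

# --- constructed sample data (hypothetical hosts and accounts) -----------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/hosts.equiv" <<'EOF'
# trust the build host and a netgroup, then (the mistake) every host
build.example.com
+@admins
+
EOF

cat > "$WORK/dot.rhosts" <<'EOF'
work.example.com alice
+ +
EOF

cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/sbin:/sbin/nologin
guest::1001:1001:Guest:/home/guest:/bin/sh
alice:x:1002:1002:Alice:/home/alice:/bin/sh
EOF

# --- run the audit over the sample data -----------------------------------
echo "== wildcard trust entries =="
rhosts_wildcards "$WORK/hosts.equiv"
rhosts_wildcards "$WORK/dot.rhosts"
echo "== accounts with no password =="
passwordless_accounts "$WORK/passwd"
echo "== system accounts with a working shell =="
system_accounts_with_shell "$WORK/passwd" bin daemon
```

Against the sample data the script flags line 4 of hosts.equiv (the bare "+") but not the +@admins netgroup entry, flags the "+ +" line in the .rhosts file, reports guest as having no password, and reports bin (shell /bin/sh) but not daemon (shell /sbin/nologin). Run it over the real files as root, since .rhosts files and /etc/shadow are not generally readable.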

Where can I read more about this?

See the Admin Guide to Cracking for an example of why this vulnerability is a problem.