Remote Shell on the Internet
CAN 1999-0651
Impact
If configured to trust all remote hosts, the remote shell service allows any remote user to gain shell access to a target system without ever being prompted for a password.
Background
The rsh service allows remote users, using an rsh client, to execute shell commands on an rsh server without the need for a password. The rsh process is similar to rlogin, in that it can allow shell access to a remote computer. But, unlike rlogin, rsh is used to execute individual shell commands rather than providing an interactive login shell.

The rsh process, like rlogin, uses the system-wide /etc/hosts.equiv file and per-user .rhosts files to list trusted hosts (those machines allowed to use the service). If these files are not configured properly, it is possible for a hacker to execute shell commands on a target machine, via the rsh process, without being prompted for a password.
The Problem
This service, if misconfigured, allows unauthorized, untrusted users to gain shell access to a target machine without being prompted for a password. In other words, hackers exploiting this vulnerability can gain access to a target machine as a trusted user and then delete system files, change configuration files and generally wreak havoc on the target machine. Another problem with this service is that even when passwords are prompted for, they are transmitted in the clear (that is, sent to and from the machine unencrypted), so any hacker running a password sniffer on the network path can "grab" them and then access the target system as a trusted user.
Resolution
One fix for this vulnerability is to disable the rsh, or shell, service in /etc/inetd.conf. If that is not practical, then be sure that /etc/hosts.equiv and users' .rhosts files contain only trusted hosts, and do not contain "+" wildcard entries (a "+" in the host field trusts every host on the network). Risks of password sniffing may be minimized by using an encrypted version, such as Kerberos. TCP wrappers can also be used to restrict which hosts are allowed to reach the service.
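An added audit script, not part of the original advisory, that checks for the conditions the Resolution describes: an uncommented shell entry in an inetd.conf and "+" wildcard entries in an hosts.equiv or .rhosts file. The sample files and host names are constructed here for illustration; on a real host the same functions would be pointed at /etc/inetd.conf, /etc/hosts.equiv and each user's ~/.rhosts.

```shell
#!/bin/sh
# Audit helpers for the rsh misconfigurations the advisory describes.
# File paths are parameters so the checks can run against constructed
# samples offline as well as against the real system files.

# 0 if the "shell" (rsh) service is still enabled in the given inetd.conf,
# 1 if the entry is absent or commented out.
rsh_enabled_in_inetd() {
    grep -Eq '^[[:space:]]*shell[[:space:]]' "$1"
}

# Prints every wildcard entry in an hosts.equiv or .rhosts file: "+" as the
# host field trusts every host, "+" as the user field trusts every user on
# that host. Returns 0 if at least one was found, 1 if the file is clean.
# Netgroup entries such as "+@admins" are not wildcards and are not reported.
rhosts_wildcards() {
    grep -v '^[[:space:]]*#' "$1" |
        awk '$1 == "+" || $2 == "+" { print; found = 1 } END { exit !found }'
}

# Constructed sample files (hypothetical host names) to exercise the checks.
SAMPLES=$(mktemp -d)
printf 'shell   stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd\n' \
    > "$SAMPLES/inetd.conf.enabled"
printf '#shell  stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd\n' \
    > "$SAMPLES/inetd.conf.disabled"
printf '# trusted hosts only\nbuild.example.com\n+ +\nbackup.example.com +\n' \
    > "$SAMPLES/rhosts.bad"
printf 'build.example.com\n+@admins\n' > "$SAMPLES/rhosts.ok"

# Report on one inetd.conf ($1) and one trust file ($2).
audit() {
    if rsh_enabled_in_inetd "$1"; then
        echo "WARN: shell service enabled in $1"
    fi
    if hits=$(rhosts_wildcards "$2"); then
        echo "WARN: wildcard trust entries in $2:"
        echo "$hits" | sed 's/^/    /'
    fi
}

audit "$SAMPLES/inetd.conf.enabled" "$SAMPLES/rhosts.bad"
audit "$SAMPLES/inetd.conf.disabled" "$SAMPLES/rhosts.ok"
```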
Where can I read more about this?
Search your system's man pages for the rshd or in.rshd service for more information.