Remote Shell on the Internet

CAN-1999-0651

Impact

If its trust files are configured to trust all remote hosts (a "+" entry in /etc/hosts.equiv or in a user's .rhosts file), the remote shell service allows any remote user to execute commands on the target system without ever being prompted for a password.

Background

The rsh service allows a remote user, using an rsh client, to execute shell commands on an rsh server without supplying a password. It is a companion to rlogin: both give a remote user access to the machine, but rlogin provides an interactive login session, whereas rsh executes individual shell commands and returns their output. Neither decides on the basis of a password; instead the server checks the client's host name and user name against /etc/hosts.equiv (system-wide trust) and the target user's .rhosts file (per-user trust), and admits the connection if a matching entry is found. Because that check rests only on the apparent source of the connection, anyone who is root on a trusted host, or who can spoof a trusted host's address, is also admitted. If the trust files are configured too loosely, an attacker can execute shell commands on the target machine, via rsh, without ever being prompted for a password.

The Problem

If misconfigured, this service allows unauthorized, untrusted users to run commands on a target machine without any password. An attacker exploiting this gains the privileges of whichever local account trusted the attacker's host (any account whose user name matches, if /etc/hosts.equiv contains a "+"), and can then delete system files, change configuration files and generally wreak havoc on the target machine. The service has a second problem even when the trust files are correct: everything it carries travels over the network in cleartext. rsh itself never prompts for a password, but the commands it runs, their output and any data typed through them (including passwords entered into programs started over rsh) are sent unencrypted, and the companion rlogin service, which does prompt for a password when host trust fails, sends that password unencrypted too. Anyone running a password sniffer on the path can "grab" this traffic and then access the target system as a trusted user.

Resolution

The simplest fix for this vulnerability is to disable the rsh service (the "shell" entry, and normally the "login" entry for rlogin as well) in /etc/inetd.conf and restart inetd. If that is not practical, be sure that /etc/hosts.equiv and every user's .rhosts file contain only trusted hosts and no "+" wildcard entries: a "+" in the host field trusts every host, and "+ +" trusts every user on every host. Root's .rhosts file should stay empty. The risk of sniffing can be reduced by using a Kerberized rsh, which authenticates with Kerberos tickets and can encrypt the session; the usual replacement today is SSH, which does both and needs no host-trust files at all. TCP wrappers (tcpd, configured through /etc/hosts.allow and /etc/hosts.deny) can further restrict which source addresses are allowed to reach in.rshd, although, like the trust files, they cannot stop an attacker who spoofs a permitted address.
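As an added example, not part of the original advisory, the following POSIX shell script applies the checks described above to constructed sample copies of /etc/hosts.equiv, a user's .rhosts and /etc/inetd.conf: it flags bare "+" wildcard entries in the trust files (the .rhosts format described in the Background section), reports whether the "shell" service line is still active, and prints hardened copies of each file. The function names and the sample file contents are this example's own; on a real host, point the functions at the actual files and review the output before replacing anything.

```shell
#!/bin/sh
# rsh trust audit (added example; not from the original advisory).
# Flags "+" wildcard entries in hosts.equiv / .rhosts files, reports whether
# inetd.conf still has an active "shell" line, and prints hardened copies.
# The sample files are constructed and written to a temporary directory.

# rhosts_wildcards FILE
# Print every active line of an rhosts-format file whose host or user field is
# a bare "+" (trust any host / any user). Exit 0 if any were found, 1 if none.
# "+@netgroup" entries are deliberately not matched: they are bounded by the
# netgroup and need a separate review.
rhosts_wildcards() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }          # skip comments, blanks
        $1 == "+" || $2 == "+"      { print; found = 1 }
        END { exit !found }
    ' "$1"
}

# inetd_shell_enabled FILE
# Exit 0 if FILE (inetd.conf format) has an uncommented "shell" service line.
inetd_shell_enabled() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "shell"    { found = 1 }
        END { exit !found }
    ' "$1"
}

# harden_rhosts FILE
# Print FILE with every bare-"+" wildcard line removed.
harden_rhosts() {
    awk '!/^[[:space:]]*#/ && NF > 0 && ($1 == "+" || $2 == "+") { next }
         { print }' "$1"
}

# disable_inetd_shell FILE
# Print FILE with every active "shell" line commented out.
disable_inetd_shell() {
    awk '!/^[[:space:]]*#/ && $1 == "shell" { print "#" $0; next }
         { print }' "$1"
}

# write_samples DIR
# Create the constructed sample files used by the demonstration.
write_samples() {
    cat > "$1/hosts.equiv" <<'EOF'
# constructed /etc/hosts.equiv: one legitimate host, then a wildcard
buildhost.example.com
+
EOF
    cat > "$1/.rhosts" <<'EOF'
# constructed ~/.rhosts: a host/user pair, then "+ +" (any host, any user)
admin.example.com alice
+ +
EOF
    cat > "$1/inetd.conf" <<'EOF'
# constructed /etc/inetd.conf fragment
shell   stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd
#login  stream  tcp  nowait  root  /usr/sbin/tcpd  in.rlogind
EOF
}

# audit DIR
# Run the checks over the files in DIR and print a report.
audit() {
    for f in "$1/hosts.equiv" "$1/.rhosts"; do
        if rhosts_wildcards "$f" >/dev/null; then
            echo "WARN: wildcard trust in $f:"
            rhosts_wildcards "$f" | sed 's/^/    /'
        else
            echo "ok:   $f has no wildcard entries"
        fi
    done
    if inetd_shell_enabled "$1/inetd.conf"; then
        echo "WARN: shell (rsh) service still enabled in $1/inetd.conf"
    else
        echo "ok:   shell service disabled in $1/inetd.conf"
    fi
}

# Demonstration over the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
audit "$demo_dir"
echo "--- hardened .rhosts ---";    harden_rhosts "$demo_dir/.rhosts"
echo "--- hardened inetd.conf ---"; disable_inetd_shell "$demo_dir/inetd.conf"
rm -r "$demo_dir"
```

The script only inspects the two trust-file formats and inetd.conf; it does not read /etc/hosts.allow or /etc/hosts.deny, so a TCP-wrappers policy still has to be checked by hand, and a host with "ok" results everywhere is still exposed to address spoofing from a listed trusted host.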

Where can I read more about this?

Search your system's man pages for rshd (on many systems the daemon is installed as in.rshd) for more information; where available, the hosts.equiv and rhosts man pages describe the trust file format.