Red Hat Bugzilla – Bug 49181
rexec lets anyone impersonate anyone with a .rhosts file
Last modified: 2015-03-04 20:09:17 EST
Description of Problem:
auth sufficient /lib/security/pam_rhosts_auth.so
This allows rhosts authentication like rsh.
But, unlike the rsh daemon, the rexec daemon
does not require that the tcp connection
originates from a privileged port
and therefore that the remote username is
provided by a trusted application.
Any user can replicate the rexec protocol
and specify arbitrary remote username. This username
will then be considered for rhost authentication.
Steps to Reproduce:
1. Enable rexec service
2. Set up user joe on machines foo and bar
3. On bar, insert foo in joe's .rhosts file
4. Log in as guest user on foo
5. Connect to rexec service on bar
using an unprivileged port number.
6. Execute the rexec protocol, specifying joe
as both local and remote user name.
Any password will do. Command is "rm *".
7. PAM performs rhost authentication for joe
and accepts the connection.
8. Joe's files on bar are destroyed
Remove the offending line in /etc/pam.d/rexec.
Traditional rexec does not honor rhost
Rhost authentication should only be used
when the remote user name can be trusted.
Meaning that:
1) the remote machine is trusted
(the user should not specify untrusted machines in .rhosts)
2) the protocol was executed by a trusted program
(i.e. by a hopefully secure setuid program
that is allowed to open privileged sockets)
Neither rsh nor rlogin nor rexec is very secure to start
with (monitoring IP traffic reveals clear text passwords,
fake IP packets can pass as privileged packets, etc.)
But rhost authentication in rexec makes it a lot weaker,
because the attacker does not even need local root.
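As an added illustration (not code from the report or from Red Hat), a small Python model of the decision described above: it assumes Linux-PAM's "sufficient"/"required" stack semantics and treats the daemon's privileged-source-port check as the only thing that makes the remote username trustworthy. The .rhosts entry, password database and request are constructed sample data.

```python
# Hypothetical model of a PAM "auth" stack, not PAM's real API. The point it
# shows: 'sufficient' short-circuits the stack, so a module that trusts the
# remote username decides everything when the daemon has not vetted that name.

RHOSTS = {"joe": {("foo", "joe")}}       # constructed: bar:~joe/.rhosts contains "foo joe"
PASSWORDS = {"joe": "correct horse"}      # constructed password database on bar

def pam_rhosts_auth(req):
    """Model of pam_rhosts_auth: it simply trusts the remote username it is handed."""
    return (req["remote_host"], req["remote_user"]) in RHOSTS.get(req["local_user"], set())

def pam_password(req):
    """Model of the ordinary password check that follows in the stack."""
    return PASSWORDS.get(req["local_user"]) == req["password"]

VULNERABLE_REXEC = [("sufficient", pam_rhosts_auth), ("required", pam_password)]
FIXED_REXEC = [("required", pam_password)]   # the offending rhosts line removed

def run_auth_stack(stack, req):
    """Linux-PAM semantics for the two control flags used here."""
    failed = False
    for control, module in stack:
        ok = module(req)
        if control == "sufficient" and ok and not failed:
            return True          # later modules, including the password check, never run
        if control == "required" and not ok:
            failed = True        # keep evaluating, but the stack will fail
    return not failed

def rshd_accepts(req, stack):
    """rshd refuses unprivileged source ports, so the remote username it passes
    to PAM was supplied by a setuid client rather than typed in by any user."""
    if req["source_port"] >= 1024:
        return False
    return run_auth_stack(stack, req)

def rexecd_accepts(req, stack):
    """rexecd does no port check: the remote username is whatever the client sent."""
    return run_auth_stack(stack, req)

# Constructed request: the guest user on foo, from an unprivileged port, claims
# to be joe at both ends and supplies a bogus password.
GUEST_CLAIMING_JOE = {"local_user": "joe", "remote_user": "joe", "remote_host": "foo",
                      "source_port": 40000, "password": "anything"}
```

With the rhosts line present, rexecd_accepts(GUEST_CLAIMING_JOE, VULNERABLE_REXEC) is True; with FIXED_REXEC the password check runs and it is False, and rshd_accepts rejects the same request outright because of the port.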
Ok, removed the line.
Fix should appear in rawhide soon.
Read ya, Phil