Bugtraq mailing list archives

Re: Futile rexecd holes

From: J.S.Peatfield () damtp cam ac uk (Jon Peatfield)
Date: Sat, 23 Nov 1996 02:50:30 +0000


Some vendors do provide a rexec client e.g. HP.  I also use one written
locally to do xon style stuff but with password authentication.  But for my
client being poorly written (it doesn't handle signals well etc) I'd give you
a pointer to it...

In fact this "hole" isn't very exploitable as far as I can see.  The only host
you cn easily "scan" this way is one you can log onto, and netstat will tell
you the info more easily.  It is possible to cause system admins to think they
are being scanned by any 3rd party, and by spoofing to make them appear to
come from a 4th party.  This is only time wasting though.  No data will be
sent down the connection, and you can only easily get the result of the "scan"
if you are on the host (or close by) being scanned.

I'll add a patch to move the opening of the stderr port to after the user is
authenticated in my local in.rexecd and in.rshd though.  The port range stuff
is much less important though.

 -- Jon

Current thread:

Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit, (continued)
- - - Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit Paul B. Henson (Nov 18)
    - Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit Russell Street (Nov 18)
    - ALERT: Solaris 2.5.1 locks up on TCP connections in Pine 3.9x Todd Vierling (Nov 18)
    - Re: ALERT: Solaris 2.5.1 locks up on TCP connections in Pine 3.9x Brian Harvell (Nov 20)
    - ssh w/ solaris 2.5.[1] Aleph One (Nov 18)
    - Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit Mike Battersby (Nov 18)
    - Re: Serious hole in Solaris 2.5[.1] gethostbyname() (exploit Casper Dik (Nov 19)
    - Futile rexecd holes jaeger (Nov 18)
    - Re: Futile rexecd holes Roger Espel Llima (Nov 19)
    - Irix: new LicenseManager is safe? No way Yuri Volobuev (Nov 22)
    - Re: Futile rexecd holes Jon Peatfield (Nov 22)
    - Administratrivia Aleph One (Nov 22)
    - Administratrivia Scriptors of DOOM (Nov 23)
    - A Stupid script. Efrain Torres (Nov 22)
    - A Stupid script. Aleph One (Nov 24)
    - AIX lquerypv Aleph One (Nov 25)
    - lquerypv fix Troy Bollinger (Nov 25)
    - Security Problems in XMCD David J. Meltzer (Nov 25)
    - FreeBSD Security Advisory: FreeBSD-SA-96:18.lpr FreeBSD Security Officer (Nov 25)
    - Digital FW2.0 question Peter Dieth (Nov 26)
    - Re: Digital FW2.0 question Alan Cox (Nov 27)

(Thread continues...)