Date: Thu, 8 Apr 1999 19:11:54 -0700
From: Eric Gisin <ericg@TECHIE.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: rsh/rcp is not secure

This is really a UNIX rshd bug, but it affects users of the NT clients.

It's old news that the BSD rsh/rcp services are not secure, however rshd is
still enabled on many UNIX systems. There are rsh/rcp clients in Windows
NT, and people are not aware of the ease of defeating security in this
environment.

The security of this service is based on privileged ports, which are not
widely implemented. The NT versions of rcp/rsh have no special privileges
like the UNIX versions. Anyone can modify the source or use netcat to fake
the client username. For example,
    D:> nc -v unixhost 514 -p 666
    ^@newbie^@newbie^@chmod a= .^@
This will execute the chmod command under newbie's account, if he permits
access from that client machine in .rhosts.

Basically the problem is since Windows NT includes rsh/rcp, people assume
it's as secure as the UNIX counterpart, which is not the case.

--------------------------------------------------------------------------

Date: Fri, 9 Apr 1999 09:28:04 -0700
From: David LeBlanc <dleblanc@MINDSPRING.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: rsh/rcp is not secure

At 07:11 PM 4/8/99 -0700, Eric Gisin wrote:

>Basically the problem is since Windows NT includes rsh/rcp, people assume
>it's as secure as the UNIX counterpart, which is not the case.

The UNIX counterpart isn't really all that secure in any case - it assumes
that no one on the network can be root, and so come from a low port.

Something else to think about is that running a rshd on NT isn't usually a
good idea - several implementations run everything as LocalSystem, and the
ones that don't store live user passwords.

These utilities are full of other security holes - look at the checks in
the various scanning products for some examples.  Safest thing is just not
to run rsh, rlogin and rexec.


David LeBlanc
dleblanc@mindspring.com
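As an added illustration of the trust decision both messages describe (Eric's forged request and David's point that rshd assumes no one on the network can bind a low port), the following Python models the BSD rshd authorization check and feeds it the netcat request from the first message. It is editor-added example code, not from either poster; the host name "ntclient", the .rhosts contents and the rshd_authorizes function are constructed assumptions, and the parser follows the four NUL-terminated fields visible in the message.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

MAX_RESERVED_PORT = 1023  # BSD rshd only trusts connections from source ports 1-1023


@dataclass
class RshRequest:
    stderr_port: int   # secondary (stderr) channel port; 0 means none requested
    client_user: str   # username the client claims; rshd never verifies it
    server_user: str   # local account the command should run under
    command: str


def parse_rsh_request(payload: bytes) -> RshRequest:
    """Split an rshd request into its four NUL-terminated fields."""
    fields = payload.split(b"\x00")
    if len(fields) != 5 or fields[4] != b"":
        raise ValueError("malformed rsh request")
    port = fields[0].decode("ascii", "replace") or "0"  # empty field = port 0
    if not port.isdigit():
        raise ValueError("bad stderr port field")
    texts = [f.decode("ascii", "replace") for f in fields[1:4]]
    return RshRequest(int(port), *texts)


def rshd_authorizes(src_host: str, src_port: int, payload: bytes,
                    rhosts: Dict[str, Set[Tuple[str, str]]]) -> bool:
    """Simplified, hypothetical model of the BSD rshd trust decision.
    rhosts maps each local account to the (host, remote_user) pairs listed
    in its .rhosts. Apart from src_host, every input is chosen by the client."""
    if not 1 <= src_port <= MAX_RESERVED_PORT:
        return False   # the only evidence that a privileged client sent this
    try:
        req = parse_rsh_request(payload)
    except ValueError:
        return False
    return (src_host, req.client_user) in rhosts.get(req.server_user, set())


# Constructed sample data: newbie's .rhosts on unixhost reads "ntclient newbie",
# and FORGED is the netcat request from the first message, sent from NT port 666.
SAMPLE_RHOSTS = {"newbie": {("ntclient", "newbie")}}
FORGED = b"\x00newbie\x00newbie\x00chmod a= .\x00"

if __name__ == "__main__":
    # Accepted: 666 is a reserved port, but on NT any user can bind it.
    print(rshd_authorizes("ntclient", 666, FORGED, SAMPLE_RHOSTS))    # True
    # Rejected only when the sender cannot bind a port below 1024.
    print(rshd_authorizes("ntclient", 40000, FORGED, SAMPLE_RHOSTS))  # False
```

Nothing in the accepted path is verified beyond the source port and the name pair, which is why the fix is the one David gives: do not run rsh, rlogin or rexec.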