REXD access


Summary

REXD remote access from arbitrary hosts.

Impact

A remote intruder can execute commands as any user.

Background

The rexd service, and the on client program, implement remote command execution via the network. To the extent that it is possible, the complete client environment, including working directory and environment variables, is made available on the remote system.

The problem

A request for remote command execution contains, among others, the command to be executed, and a user and group id. By default, the rexd server believes everything that the client sends it. An intruder can exploit the service to execute commands as any user (except perhaps root). The typical rexd server has no protection against abuse: most implementations have no provision for access control, nor do they require that the client uses a privileged network port.

Fix