REXD access
Summary
REXD remote access from arbitrary hosts.
Impact
A remote intruder can execute commands as any user.
Background
The rexd service and the "on" client program
implement remote command execution via the network. To the extent that
it is possible, the complete client environment, including working
directory and environment variables, is made available on the remote
system.
The problem
A request for remote command execution contains, among others, the
command to be executed, and a user and group id. By default, the rexd
server believes everything that the client sends it. An intruder can
exploit the service to execute commands as any user (except perhaps
root). The typical rexd server has no protection against
abuse: most implementations have no provision for access control, nor
do they require that the client uses a privileged network port.
Fix
- Disable the rexd service. Usually this is accomplished by editing
the inetd.conf file, and by sending a HUP signal to the
inetd process.
- Some rexd implementations can be configured to use a more secure
protocol. Consult your manual pages for details.
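The first fix above, as an added example that is not part of the original page: a shell sketch that lists active rexd entries in an inetd.conf-style file and writes a copy with them commented out. The function names and the sample file are constructed for illustration, and the script works on a temporary copy rather than the system file.

```shell
#!/bin/sh
# Added example (not from the original page): find and comment out rexd
# entries in an inetd.conf-style file. Works on a copy; nothing is signalled.

# Constructed sample file; entry layouts follow common inetd.conf syntax.
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
rexd/1  stream  rpc/tcp wait    root    /usr/sbin/rpc.rexd      rpc.rexd
#rexd/1 stream  rpc/tcp wait    root    /usr/sbin/rpc.rexd      rpc.rexd
  rexd/1 tli    rpc/tcp wait    root    /usr/sbin/rpc.rexd      rpc.rexd
EOF
}

# Print "lineno: line" for each active entry whose service field is rexd,
# optionally followed by an RPC version such as "/1". Indented entries are
# treated as active, to be conservative.
rexd_active() {
    awk '$1 !~ /^#/ && $1 ~ "^rexd(/[0-9-]+)?$" { print NR ": " $0 }' "$1"
}

# Write $1 to $2 with every active rexd entry commented out.
rexd_disable() {
    awk '$1 !~ /^#/ && $1 ~ "^rexd(/[0-9-]+)?$" { print "#" $0; next }
         { print }' "$1" > "$2"
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_sample "$tmp/inetd.conf"
    echo "active rexd entries before:"; rexd_active "$tmp/inetd.conf"
    rexd_disable "$tmp/inetd.conf" "$tmp/inetd.conf.new"
    echo "active rexd entries after: $(rexd_active "$tmp/inetd.conf.new" | wc -l)"
    rm -rf "$tmp"
}
demo
# After installing the edited file, inetd re-reads it on SIGHUP:
#   kill -HUP <pid of inetd>
```

Run rexd_active against the installed file again after the HUP to confirm no active entry remains.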
Other tips