Path: utzoo!attcan!uunet!cs.utexas.edu!rice!sun-spots-request
From: mlandau@diamond.bbn.com (Matt Landau)
Newsgroups: comp.sys.sun
Subject: Re: "on" command
Keywords: SunOS
Message-ID: <3107@brazos.Rice.edu>
Date: 13 Nov 89 15:56:07 GMT
Sender: root@rice.edu
Organization: Sun-Spots
Lines: 14
Approved: Sun-Spots@rice.edu
X-Refs:  Original: v8n167, Replies: v8n177
X-Sun-Spots-Digest: Volume 8, Issue 200, message 1 of 11

The basic problem is that rexd is too trusting about who a request is
coming from, making it trivial to masquerade as any host and (non-root)
user and execute remote commands on any machine that runs rexd.  I don't
want to provide any more details in a public forum, since there are
already too many people who know about this :-)

We fixed the problem by modifying the rexd sources so they get the host
name corresponding to the IP address of the incoming request and make sure
it's in /etc/hosts.equiv before agreeing to process the request.  This
makes on exactly as (in)secure as rsh/rlogin, which seems to be good
enough for most people's purposes.

 Matt Landau		    		Rebel without a clue.
 mlandau@bbn.com