FS#28819 - [inetutils] Stop building insecure rexec

Attached to Project: Arch Linux
Opened by Mantas Mikulėnas (grawity) - Wednesday, 07 March 2012, 23:14 GMT
Last edited by Eric Belanger (Snowman) - Wednesday, 25 April 2012, 19:48 GMT
Task Type: Bug Report
Category: Packages: Core
Status: Closed
Assigned To: Eric Belanger (Snowman)
Architecture: All
Severity: High
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

inetutils 1.9.1-1 still packages the 'rexecd' daemon and 'rexec' client, among other things. The problems with it are:

1. The r* family is very much obsolete. The protocols are ugly. The authentication (.rhosts) sucks. Everyone has switched to 'ssh', and those who haven't, are using 'telnet'.

2. The security problems with the r* family are well-known, but rexec is worse than the others. Instead of .rhosts, the rexec protocol uses plain-text password authentication, and the daemon only checks /etc/shadow (no PAM support).

3. The best part? 'rexecd' will happily execute your command even if you give it a wrong password.

Steps to reproduce:
1. In /etc/xinetd.conf, add "enabled = exec" for the 'exec' service.
2. Restart or SIGHUP xinetd.
3. Run `rexec -h localhost -u root -p ANYTHING id`

Example:
$ rexec -h localhost -u root -p INCORRECT id
Password incorrectuid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),19(log)
$

It's possible to misconfigure anything, but such components as PAM and SSHd are well-documented and obviously security-related. OTOH, rexec has no documentation at all, and simply *enabling* it exposes the system without any knowledge by the user. It is not hard to imagine a user who discovers a bunch of services under xinetd.d, enables them to try them out, then forgets them.

Suggestion: Drop rexec & rexecd. Optionally, also drop rsh/rshd and rlogin/rlogind.

Closed by Eric Belanger (Snowman)
Wednesday, 25 April 2012, 19:48 GMT
Reason for closing: Fixed
Additional comments about closing: rcexec/rcexecd have been removed in inetutils-1.9.1-2

Comment by Mantas Mikulėnas (grawity) - Thursday, 08 March 2012, 10:19 GMT
Seems like the rexec bug was introduced in 2009 http://git.savannah.gnu.org/cgit/inetutils.git/commit/rexecd/rexecd.c?id=a051dc543f47b624f5aa54f67ebcb5125cd408a2 and first reported almost two months ago http://lists.gnu.org/archive/html/bug-inetutils/2012-01/msg00031.html with a one-line fix, and nobody bothered to add the exit() so far.

---

Update 2012-04-26: Hah, just noticed that it was fixed upstream on April 20th: http://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=f730d11f7f578db86ec699c619f4a65e7ac60752 . This doesn't make rexec suck any less, though.
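
The bug class discussed in this report (a rejection path that reports the error but does not end the request) is shown below as an added example; it is a simplified model, not code from inetutils or from this tracker. The account table, the function names and the fake `uid=` output are assumptions constructed for illustration, chosen so the fail-open reply has the same shape as the transcript in the report.

```c
#include <stdio.h>
#include <string.h>

/* Constructed account table for this example; the real daemon checks /etc/shadow. */
struct account { const char *user, *password; };
static const struct account accounts[] = { { "alice", "s3cret-example" } };

static int password_ok(const char *user, const char *pw)
{
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].user, user) == 0)
            return strcmp(accounts[i].password, pw) == 0;
    return 0;                       /* unknown user: deny */
}

/* Stand-in for executing the requested command: appends fake output. */
static void run_command(char *reply, size_t len, const char *user)
{
    size_t used = strlen(reply);
    snprintf(reply + used, len - used, "uid=1000(%s)", user);
}

/* Fail-open: the error is reported, but control falls through to execution. */
int serve_fail_open(const char *user, const char *pw, char *reply, size_t len)
{
    reply[0] = '\0';
    if (!password_ok(user, pw))
        snprintf(reply, len, "Password incorrect");   /* no return here */
    run_command(reply, len, user);
    return 1;                       /* 1 = command was executed */
}

/* Fail-closed: the rejection path ends the request (exit() in a forked child). */
int serve_fail_closed(const char *user, const char *pw, char *reply, size_t len)
{
    reply[0] = '\0';
    if (!password_ok(user, pw)) {
        snprintf(reply, len, "Password incorrect");
        return 0;                   /* 0 = nothing executed */
    }
    run_command(reply, len, user);
    return 1;
}

int main(void)
{
    char r[64];
    printf("fail-open:   %d \"%s\"\n", serve_fail_open("alice", "WRONG", r, sizeof r), r);
    printf("fail-closed: %d \"%s\"\n", serve_fail_closed("alice", "WRONG", r, sizeof r), r);
    return 0;
}
```

A regression test for this class of bug should assert on the side effect (whether anything was executed), not only on whether the error message was sent.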
