Bugtraq: Re: Futile rexecd holes

Re: Futile rexecd holes

From: Jon Peatfield <J.S.Peatfield_at_damtp.cam.ac.uk>
Date: Sat, 23 Nov 1996 02:50:30 +0000

Some vendors do provide a rexec client e.g. HP. I also use one written
locally to do xon style stuff but with password authentication. But for my
client being poorly written (it doesn't handle signals well etc) I'd give you
a pointer to it...

In fact this "hole" isn't very exploitable as far as I can see. The only host
you can easily "scan" this way is one you can log onto, and netstat will tell
you the info more easily. It is possible to cause system admins to think they
are being scanned by any 3rd party, and by spoofing to make them appear to
come from a 4th party. This is only time wasting though. No data will be
sent down the connection, and you can only easily get the result of the "scan"
if you are on the host (or close by) being scanned.

I'll add a patch to move the opening of the stderr port to after the user is
authenticated in my local in.rexecd and in.rshd though. The port range stuff
is much less important though.

 -- Jon
Received on Nov 23 1996
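An added illustration of the ordering change Jon describes (example code, not from the post or from any vendor's in.rexecd): the rexec request is four NUL-terminated fields, stderr port, user, password, command, and the historic daemon connected back to the client's stderr port as soon as it had read the port field, before the password was checked. The hardened handler below authenticates first. The credential store and the requests are constructed for the demo, and the connect-back is injected as a callback so it runs offline.

```python
import hmac

# Constructed credential store for the demo; a real daemon consults getpwnam/crypt.
CREDENTIALS = {"jon": "correct-horse"}


def authenticate(user, password):
    expected = CREDENTIALS.get(user)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


def parse_rexec_request(data):
    # Wire format: <stderr-port> NUL <user> NUL <password> NUL <command> NUL
    fields = data.split(b"\0")
    if len(fields) != 5 or fields[4] != b"":
        raise ValueError("malformed rexec request")
    port_str, user, password, command = fields[:4]
    if port_str and not port_str.isdigit():
        raise ValueError("stderr port must be decimal")
    port = int(port_str) if port_str else 0   # 0 means no separate stderr channel
    if port > 65535:
        raise ValueError("stderr port out of range")
    return port, user.decode(), password.decode(), command.decode()


def handle_historic(data, connect_stderr):
    """Original ordering: connect back to the client before checking the password."""
    port, user, password, _cmd = parse_rexec_request(data)
    if port:
        connect_stderr(port)          # happens even if the login is about to fail
    return authenticate(user, password)


def handle_hardened(data, connect_stderr):
    """Jon's fix: open the stderr connection only after authentication succeeds."""
    port, user, password, _cmd = parse_rexec_request(data)
    if not authenticate(user, password):
        return False
    if port:
        connect_stderr(port)
    return True


def connect_backs(handler, data):
    """Run a handler with a recording connect function; return the ports it used."""
    ports = []
    handler(data, ports.append)
    return ports


if __name__ == "__main__":
    bad = b"1023\0jon\0wrong\0ls\0"    # constructed request with a wrong password
    print("historic:", connect_backs(handle_historic, bad))   # [1023]
    print("hardened:", connect_backs(handle_hardened, bad))   # []
```

With the historic ordering a failed login still produces a connection from the server to port 1023 on the client's address, which is the "scan" the thread is about; with the hardened ordering nothing is opened until the password checks out.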
