Brief description: Unauthorized users coming from an authorized host are given access
Full description: rshsvc.exe provides remote access to a Windows system. When using Account Level Equivalence (ALE), it uses the .Rhosts file in the directory named in the key for the driver on the local computer. The daemon denies access when any of the following occur:
1. The client computer's name is not specified in the .Rhosts file.
2. The name of the user attempting the connection is not specified in the .Rhosts file.
3. The rshsvc cannot resolve the name of a computer in the .Rhosts file, and the remote user is coming from that system.
In fact, rshsvc fails to check whether the user name is authorized in the .Rhosts file, and it allows any unauthorized user to access the local computer as long as the user comes from an authorized host computer.
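Added example (not code from rshsvc or from Microsoft): a Python model of the access decision described above, with the host-only check the entry reports beside a check that enforces all three denial conditions. The "host user [user ...]" line format, the case-insensitive matching, the function names and the sample data are assumptions made for illustration.

```python
# Added illustration: models the .Rhosts access decision described above.
# Assumed line format: "host user [user ...]"; names are matched case-insensitively.

def parse_rhosts(text):
    """Map each host name (lower-cased) to the set of user names listed for it."""
    entries = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if not fields:
            continue
        host, users = fields[0].lower(), {u.lower() for u in fields[1:]}
        entries.setdefault(host, set()).update(users)
    return entries

def resolve_entry(client_addr, entries, resolver):
    """Return the .Rhosts host whose address matches the client, else None.
    A host that fails to resolve can never match (denial condition 3)."""
    for host in entries:
        if resolver(host) == client_addr:        # resolver returns None on failure
            return host
    return None

def host_only_check(client_addr, user, entries, resolver):
    """Behaviour the entry reports: the user name is never compared."""
    return resolve_entry(client_addr, entries, resolver) is not None

def host_and_user_check(client_addr, user, entries, resolver):
    """Documented behaviour: host (conditions 1, 3) and user (2) must both be listed."""
    host = resolve_entry(client_addr, entries, resolver)
    return host is not None and user.lower() in entries[host]

# Constructed sample data (documentation-range addresses, made-up names).
SAMPLE_RHOSTS = """\
buildhost   alice bob
oldhost     carol      # this name no longer resolves
"""
SAMPLE_DNS = {"buildhost": "192.0.2.10"}

def decide(check, client_addr, user):
    """Run one of the two checks against the constructed sample data."""
    return check(client_addr, user, parse_rhosts(SAMPLE_RHOSTS), SAMPLE_DNS.get)

if __name__ == "__main__":
    for addr, user in [("192.0.2.10", "alice"), ("192.0.2.10", "mallory"),
                       ("192.0.2.99", "alice"), ("198.51.100.5", "carol")]:
        print(addr, user, "host-only:", decide(host_only_check, addr, user),
              "host+user:", decide(host_and_user_check, addr, user))
```

The two checks differ only for a user who is not listed but connects from a listed host, which is the case this entry describes.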
Components: Rshsvc.exe
Systems: Windows NT 3.5 (trusted); Windows NT 3.51 (trusted); Windows NT 4.0 (trusted)
Effect(s) of exploiting: Remote user gains access with privileges of an authorized user
Detecting the hole:
Fixing the hole:
Other information:
rsh authentication
PA Classification(s):
RISOS Classification(s):
DCS Classification(s):
CVE Number: CAN-1999-0249 -- Windows NT RSHSVC program allows remote users to execute arbitrary commands.
Attack:
Advisories: Microsoft Knowledge Base entry Q158320, RSHSVC included in Windows NT 3.5x and Windows 4.0 Resource Kit Poses Security Leak
Related Vulnerabilities:
Reporting: Microsoft Corporation in Microsoft Knowledge Base Q158320 (Jan. 27, 1999)