Back out recent security patch for rexecd. After more careful analysis,

it is both uneeded and breaks certain lock-step timing in the rexec protocol. Yes, an attacker can "relay" connections using this trick, but a properly configured firewall that would make this sort of subterfuge necessary in the first place (instead of direct packet spoofing) would also thwart useful attacks based on this.
HardenedBSD · Nov 22, 1996 · a13e275 · a13e275
1 parent ccddabb
commit a13e275
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 28 deletions.
diff --git a/libexec/rexecd/rexecd.8 b/libexec/rexecd/rexecd.8
@@ -99,11 +99,8 @@ by
 .El
 .Sh CAVEATS
 .Nm Rexecd
-will no longer allow root logins,
-access for users listed in /etc/ftpusers,
-access for users with no passwords,
-or reverse connections to privileged ports,
-which were all serious security holes.
+will no longer allow root logins, access for users listed in /etc/ftpusers,
+or access for users with no passwords, which were all serious security holes.
 The entire concept of rexec/rexecd is a major security hole and an example
 of how not to do things.
 .Nm Rexecd

diff --git a/libexec/rexecd/rexecd.c b/libexec/rexecd/rexecd.c
@@ -153,6 +153,18 @@ doit(f, fromp)
 		port = port * 10 + c - '0';
 	}
 	(void) alarm(0);
+	if (port != 0) {
+		s = socket(AF_INET, SOCK_STREAM, 0);
+		if (s < 0)
+			exit(1);
+		if (bind(s, (struct sockaddr *)&asin, sizeof (asin)) < 0)
+			exit(1);
+		(void) alarm(60);
+		fromp->sin_port = htons(port);
+		if (connect(s, (struct sockaddr *)fromp, sizeof (*fromp)) < 0)
+			exit(1);
+		(void) alarm(0);
+	}
 	getstr(user, sizeof(user), "username");
 	getstr(pass, sizeof(pass), "password");
 	getstr(cmdbuf, sizeof(cmdbuf), "command");
@@ -205,30 +217,8 @@ doit(f, fromp)
 		error("No remote directory.\n");
 		exit(1);
 	}
-
-	if (port != 0) {
-		if (port < IPPORT_RESERVED) {
-			syslog(LOG_ERR, "%s CONNECTION REFUSED to %s:%d "
-					"client requested privileged port",
-					user, remote, port);
-			error("Privileged port requested for stderr info.\n");
-			exit(1);
-		}
-		s = socket(AF_INET, SOCK_STREAM, 0);
-		if (s < 0)
-			exit(1);
-		if (bind(s, (struct sockaddr *)&asin, sizeof (asin)) < 0)
-			exit(1);
-		(void) alarm(60);
-		fromp->sin_port = htons(port);
-		if (connect(s, (struct sockaddr *)fromp, sizeof (*fromp)) < 0)
-			exit(1);
-		(void) alarm(0);
-	}
-
 	(void) write(2, "\0", 1);
-
-	if (port != 0) {
+	if (port) {
 		(void) pipe(pv);
 		pid = fork();
 		if (pid == -1)  {