Rwho daemon overflow

Risk Level: Medium

Check or Attack Name: rwhod - vulnerable

Platforms: Linux, AIX 4.2, FreeBSD, NetBSD

Description:

The rwhod daemon was detected running and is vulnerable to a buffer overflow. rwhod does not properly validate the information it receives, and can be overflowed through the hostname field of the packets sent to it. On some machines this crashes rwhod; on others it alters the process status information reported for rwhod. You can check the status of the daemon on most Unix machines by executing ps -a.

rwhod fails to bounds-check data it receives in a UDP packet before copying it into a fixed-size buffer. The resulting buffer overflow can be used to modify or disrupt the daemon's operation, or possibly to execute code as root, since rwhod runs with root privileges.
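The following is an added illustration of the defect class the advisory describes, not rwhod's own source: a hostname field arrives in a UDP datagram, possibly without a terminating NUL, and is copied into a fixed-size buffer. The packet layout, field sizes and the "whod.<hostname>" path are assumptions chosen for the example; the real daemon's structures differ. The unsafe variant is shown only for contrast and is never called on untrusted input; the hardened variant checks the datagram length, the field's termination and length, the character set, and the output buffer size before copying.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed packet layout (assumption): a hostname field that the sender
 * is trusted to NUL-terminate, followed by fields we do not model here. */
#define HOSTNAME_LEN 32
#define PATH_LEN 64   /* assumed size of the fixed path buffer */

struct rwho_pkt {
    char wd_hostname[HOSTNAME_LEN];
    unsigned char rest[8];            /* placeholder for the remaining fields */
};

/* Pattern the advisory describes: copy with no length check and no guarantee
 * that the field is terminated. Kept only for contrast; not used on input. */
void unsafe_build_path(const struct rwho_pkt *pkt, char path[PATH_LEN]) {
    sprintf(path, "whod.%s", pkt->wd_hostname);
}

/* Bounded length of a possibly unterminated field (portable strnlen). */
static size_t field_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* Hardened parse: returns 0 and fills 'out' only if the datagram is large
 * enough to contain the whole header. Short datagrams are rejected rather
 * than read past the end of the receive buffer. */
int parse_datagram(const unsigned char *buf, size_t len, struct rwho_pkt *out) {
    if (buf == NULL || len < sizeof(struct rwho_pkt)) return -1;
    memcpy(out, buf, sizeof(struct rwho_pkt));
    return 0;
}

/* Hardened path construction: the hostname must be non-empty, terminated
 * within its field, made only of hostname characters (so no '/' or "..")
 * and must fit in the output buffer together with the "whod." prefix. */
int safe_build_path(const struct rwho_pkt *pkt, char *path, size_t path_len) {
    size_t n = field_len(pkt->wd_hostname, HOSTNAME_LEN);
    if (n == 0 || n == HOSTNAME_LEN) return -1;   /* empty or unterminated */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)pkt->wd_hostname[i];
        if (!(isalnum(c) || c == '-' || c == '.')) return -1;
    }
    if (strstr(pkt->wd_hostname, "..") != NULL) return -1; /* path traversal */
    int w = snprintf(path, path_len, "whod.%.*s", (int)n, pkt->wd_hostname);
    if (w < 0 || (size_t)w >= path_len) return -1;  /* would not fit */
    return 0;
}

int main(void) {
    /* Constructed datagrams: one well-formed, one with an unterminated
     * hostname field filled to capacity, one too short to be a header. */
    unsigned char good[sizeof(struct rwho_pkt)] = {0};
    memcpy(good, "host1", 6);
    unsigned char unterminated[sizeof(struct rwho_pkt)];
    memset(unterminated, 'A', sizeof unterminated);
    unsigned char tiny[4] = {0};

    struct rwho_pkt pkt;
    char path[PATH_LEN];

    if (parse_datagram(good, sizeof good, &pkt) == 0 &&
        safe_build_path(&pkt, path, sizeof path) == 0)
        printf("accepted: %s\n", path);
    if (parse_datagram(unterminated, sizeof unterminated, &pkt) == 0 &&
        safe_build_path(&pkt, path, sizeof path) != 0)
        printf("rejected: unterminated hostname field\n");
    if (parse_datagram(tiny, sizeof tiny, &pkt) != 0)
        printf("rejected: datagram shorter than header\n");
    return 0;
}
```

The key difference is that the hardened version treats the hostname field as untrusted bytes of a known maximum size, never as a C string, until it has been proven to be terminated and well-formed; the length check on the datagram itself matters just as much, since a short packet would otherwise be read as a full header.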

Note: This check may yield false positives under some conditions. Testing for the rwhod vulnerability relies on the Internet Control Message Protocol (ICMP) for positive identification, but ICMP is by definition not a reliable protocol. Although the software takes many precautions to minimize false positives, some may still occur. Refer to your ISS software documentation for more information.

Remedy:

Most modern distributions of the affected systems ship rwhod daemons that fix this buffer overflow. Sites that do not use the rwho services should disable the service by commenting it out of inetd.conf or the appropriate RC scripts. AIX users should obtain and install the following patch: AIX 4.2: IX61127

References:

BUGTRAQ Mailing List, rwhod buffer overflow, http://www.netspace.org/cgi-bin/wa?A2=ind9608D&L=bugtraq&P=R472
