
Rwhod
The rwho daemon gathers information from other machines, including the status
of the machine and the users on the machine. The daemon does not properly
validate the information it receives, so a packet sent to it with an overlong
hostname can overflow it. On some machines, this results in rwhod crashing. On
others, the result is a change in process status information for rwhod. You
can check process status on most UNIX machines by executing ps -a. The scan
engine checks to see if rwhod is running and attempts to exploit it.
Rwhod fails to do bounds checking on data it receives from a UDP packet before
copying it into a buffer. This results in a buffer overflow condition that can
be used to modify or disrupt the daemon's operation, or possibly to execute
code as root.
Risk: Low/Medium
Fix: Disable rwhod by putting # at the beginning of the rwhod line in your
/etc/inetd.conf file and then restarting inetd.
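
The missing bounds check described above, shown as the validation a receiver should perform before touching the hostname field. This is an added example, not rwhod's own source: the function name rwho_hostname, the character allowlist, and the sample packets are assumptions, and the offsets restate the struct whod layout from <protocols/rwhod.h>.

```c
/* Added example: validate an rwho status datagram before using its hostname.
 * Offsets restate struct whod from <protocols/rwhod.h> as constants so the
 * file builds without that header. Names here are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define WHOD_VERSION 1   /* WHODVERSION */
#define WHOD_STATUS  1   /* WHODTYPE_STATUS */
#define HOST_OFF     12  /* after vers, type, pad[2], sendtime, recvtime */
#define HOST_LEN     32  /* sizeof wd_hostname */
#define WHOD_HDR     60  /* fixed part before the whoent array */

/* Returns 0 and fills out[HOST_LEN] with a NUL-terminated hostname if the
 * datagram is acceptable, -1 otherwise. Never reads past len. */
int rwho_hostname(const unsigned char *pkt, size_t len, char out[HOST_LEN])
{
    const unsigned char *h, *nul;
    size_t i, n;

    if (len < WHOD_HDR)                      /* truncated header */
        return -1;
    if (pkt[0] != WHOD_VERSION || pkt[1] != WHOD_STATUS)
        return -1;
    h = pkt + HOST_OFF;
    nul = memchr(h, '\0', HOST_LEN);         /* terminator must lie inside the field */
    if (nul == NULL || nul == h)             /* unterminated or empty name */
        return -1;
    n = (size_t)(nul - h);
    for (i = 0; i < n; i++)                  /* assumed allowlist: hostname characters only */
        if (!isalnum(h[i]) && h[i] != '.' && h[i] != '-' && h[i] != '_')
            return -1;
    memcpy(out, h, n + 1);                   /* n + 1 <= HOST_LEN by construction */
    return 0;
}

int main(void)
{
    unsigned char good[WHOD_HDR] = {0}, bad[WHOD_HDR] = {0};  /* constructed samples */
    char name[HOST_LEN];

    good[0] = bad[0] = WHOD_VERSION;
    good[1] = bad[1] = WHOD_STATUS;
    memcpy(good + HOST_OFF, "build01.example", 16);
    memset(bad + HOST_OFF, 'A', HOST_LEN);   /* fills the field, no terminator */
    printf("good: %d\n", rwho_hostname(good, sizeof good, name));
    printf("bad:  %d\n", rwho_hostname(bad, sizeof bad, name));
    return 0;
}
```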