Rwhod

The rwho daemon (rwhod) gathers information from other machines on the network, including each machine's status and the users logged in on it. The daemon does not properly validate the information it receives, so an overly long hostname sent to it overflows a buffer. On some machines this crashes rwhod; on others it changes the process status information reported for rwhod. You can check the process status on most UNIX machines by executing ps -a. The scan engine checks whether rwhod is running and attempts to exploit it.

Rwhod fails to do bounds checking on the data it receives in a UDP packet before copying it into a buffer. The resulting buffer overflow condition can be used to modify or disrupt the daemon's operation, or possibly to execute code as root.
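As an added illustration of the missing check (this is not code from the scanner or from rwhod itself), the following C function validates the hostname field of a received rwho datagram before copying it anywhere; the 60-byte fixed header and the 32-byte hostname field are assumed from the BSD <protocols/rwhod.h> layout, and check_host builds constructed sample datagrams to exercise it.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Offsets of an rwho datagram, assumed here from the BSD <protocols/rwhod.h>
 * layout: vers/type/pad (4), sendtime (4), recvtime (4), hostname (32),
 * loadav (12), boottime (4) -> a 60-byte fixed header. */
#define WD_HOSTNAME_OFF 12
#define WD_HOSTNAME_LEN 32
#define WD_HEADER_LEN   60

/* Copy the hostname out of a received datagram only when the packet holds a
 * complete header, the field is NUL-terminated inside its 32 bytes, the name
 * fits the caller's buffer, and every byte is a plausible hostname character.
 * Returns 0 on success, -1 when the datagram must be dropped. */
int validate_whod_hostname(const unsigned char *pkt, size_t len,
                           char *out, size_t outlen)
{
    if (pkt == NULL || out == NULL || outlen == 0)
        return -1;
    if (len < WD_HEADER_LEN)                  /* truncated: field not present */
        return -1;
    const unsigned char *h = pkt + WD_HOSTNAME_OFF;
    size_t n = 0;
    while (n < WD_HOSTNAME_LEN && h[n] != '\0')
        n++;
    if (n == WD_HOSTNAME_LEN || n == 0)       /* unterminated or empty name */
        return -1;
    if (n >= outlen)                          /* would overflow destination */
        return -1;
    for (size_t i = 0; i < n; i++)            /* no '/', spaces or control bytes */
        if (!isalnum(h[i]) && h[i] != '-' && h[i] != '.')
            return -1;
    memcpy(out, h, n);
    out[n] = '\0';
    return 0;
}

/* Build a constructed datagram (not captured traffic) with `hostlen` bytes of
 * `host` in the hostname field, hand `pktlen` bytes of it to the validator and
 * return its verdict. hostlen is clamped to the 32-byte field. */
int check_host(const char *host, size_t hostlen, size_t pktlen)
{
    unsigned char pkt[WD_HEADER_LEN];
    char name[64];
    memset(pkt, 0, sizeof pkt);
    if (hostlen > WD_HOSTNAME_LEN)
        hostlen = WD_HOSTNAME_LEN;
    memcpy(pkt + WD_HOSTNAME_OFF, host, hostlen);
    return validate_whod_hostname(pkt, pktlen, name, sizeof name);
}
```

A 32-byte name with no terminator, which is exactly the case an unchecked copy would run past, is rejected rather than copied.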

Risk: Low/Medium

Fix: Disable rwhod by putting a # at the beginning of the rwhod line in your /etc/inetd.conf file and then restarting inetd.