Vulnerability Note VU#111673

SGI IRIX "xfsdump" creates quota information files insecurely

Overview

A vulnerability exists in xfsdump on SGI IRIX. Exploitation of this vulnerability may allow a local attacker to gain root privileges. Because other operating systems ship with xfsdump, vendors other than SGI may be affected.

I. Description

From the xfsdump man page:

xfsdump backs up files and their attributes in a filesystem. The files are dumped to storage media, a regular file, or standard output. Options allow the operator to have all files dumped, just files that have changed since a previous dump, or just files contained in a list of pathnames.

xfsdump does not create quota files in a secure manner. As a result, a local attacker may be able to gain superuser privileges on a vulnerable system. For more details, please see SGI Security Advisory 20030404-01-P.

II. Impact

A local attacker may be able to gain superuser privileges.

III. Solution

Apply a patch from your vendor.

Systems Affected

Vendor	Status	Date Updated
3Com	Unknown	10-Apr-2003
Alcatel	Unknown	10-Apr-2003
Apple Computer Inc.	Not Vulnerable	14-Apr-2003
AT&T	Unknown	10-Apr-2003
Avaya	Unknown	10-Apr-2003
BSDI	Unknown	10-Apr-2003
Cisco Systems Inc.	Unknown	10-Apr-2003
Computer Associates	Unknown	10-Apr-2003
Conectiva	Unknown	10-Apr-2003
Cray Inc.	Unknown	10-Apr-2003
D-Link Systems	Unknown	10-Apr-2003
Data General	Unknown	10-Apr-2003
Debian	Vulnerable	11-Apr-2003
Engarde	Unknown	10-Apr-2003
F5 Networks	Unknown	10-Apr-2003
Foundry Networks Inc.	Not Vulnerable	11-Apr-2003
FreeBSD	Unknown	10-Apr-2003
Fujitsu	Unknown	10-Apr-2003
Hewlett-Packard Company	Unknown	10-Apr-2003
Hitachi	Not Vulnerable	14-Apr-2003
IBM	Not Vulnerable	16-Jun-2003
Ingrian Networks	Not Vulnerable	10-Apr-2003
Intel	Unknown	10-Apr-2003
Juniper Networks	Unknown	10-Apr-2003
Lachman	Unknown	10-Apr-2003
Lotus Software	Unknown	10-Apr-2003
Lucent Technologies	Unknown	10-Apr-2003
MandrakeSoft	Vulnerable	16-Apr-2003
Microsoft Corporation	Unknown	10-Apr-2003
MontaVista Software	Unknown	10-Apr-2003
Multi-Tech Systems Inc.	Unknown	10-Apr-2003
Multinet	Unknown	10-Apr-2003
NEC Corporation	Unknown	10-Apr-2003
NetBSD	Not Vulnerable	11-Apr-2003
NetScreen	Unknown	10-Apr-2003
Network Appliance	Unknown	10-Apr-2003
NeXT	Unknown	10-Apr-2003
Nokia	Unknown	10-Apr-2003
Nortel Networks	Unknown	10-Apr-2003
OpenBSD	Unknown	10-Apr-2003
Openwall GNU/*/Linux	Unknown	10-Apr-2003
Oracle Corporation	Unknown	10-Apr-2003
Red Hat Inc.	Not Vulnerable	10-Apr-2003
Riverstone Networks	Unknown	10-Apr-2003
SCO	Unknown	10-Apr-2003
Sequent	Unknown	10-Apr-2003
SGI	Vulnerable	10-Apr-2003
Sony Corporation	Unknown	10-Apr-2003
Sun Microsystems Inc.	Unknown	10-Apr-2003
SuSE Inc.	Unknown	10-Apr-2003
Unisys	Unknown	10-Apr-2003
Wind River Systems Inc.	Unknown	10-Apr-2003
Wirex	Unknown	10-Apr-2003
Xerox Corporation	Not Vulnerable	30-May-2003
ZyXEL	Unknown	10-Apr-2003

References

http://lists.netsys.com/pipermail/full-disclosure/2003-April/009167.html
http://www.mcsr.olemiss.edu/cgi-bin/man-cgi?xfsdump+1

Credit

This vulnerability was discovered by Ethan Benson.

This document was written by Ian A Finlay.

Other Information

Date Public	04/10/2003
Date First Published	04/10/2003 03:55:10 PM
Date Last Updated	06/16/2003
CERT Advisory
CVE Name	CAN-2003-0173
Metric	6.75
Document Revision	5

If you have feedback, comments, or additional information about this vulnerability, please send us email.