Vulnerability Note VU#195371
SGI IRIX rpc.xfsmd does not filter shell metacharacters from user input before invoking popen() function
The XFS journaling filesystem daemon uses a call to popen(3) with unfiltered client-controlled input. This will lead to arbitrary command execution on remote systems.
XFS is a 64-bit compliant journaling file system. The XFS journaling filesystem daemon (xfsmd) on SGI systems uses a call to popen(3) with unfiltered client-controlled input.
As mentioned in VU#20276:
FILE *popen(const char *command, const char *type);
popen() creates a pipe between the calling program and the command to be executed. The arguments to popen() are pointers to null-terminated strings. "command" consists of a shell command line.
In essence, popen provides the calling program the output of "command." One example of a command you could pass to popen is
In this case, popen would return the output of the "cat /etc/passwd" file to the calling program. You can also pass more complex shell commands to popen, such as
cat /etc/passwd & rm *
The ampersand character (&) puts the preceding command in the background and executes the rest of the command in the foreground. As another example, you can execute a sequence of commands by separating them with semicolons (;). For example,
ls ; rm * ; touch filename
This runs the commands sequentially.
As such, users able to send a stream of characters via popen(3) to a vulnerable daemon like xfsmd running on an SGI system would be able to have that text interpreted by the system as if the attacker were actually logged into the system and running a shell. When used in conjunction with exploitation of the weak RPC authentication vulnerability reported in VU#521147, remote unauthenticated users can run arbitrary commands on a victim system.
A remote user can run arbitrary commands with root privileges.
SGI has reported they will not be providing a patch for this issue. Sites are strongly urged to disable the XFS daemon and related subsystems as soon as their service requirements permit.
Per SGI Security Advisory 20020606-02-I:
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|SGI||Affected||-||08 Aug 2002|
CVSS Metrics (Learn More)
Last Stage of Delirium reported this vulnerability in several public forums.
This document was written by Jeffrey S. Havrilla.
- CVE IDs: CVE-2002-0359
- Date Public: 18 Jun 2002
- Date First Published: 08 Aug 2002
- Date Last Updated: 21 Jul 2008
- Severity Metric: 35.10
- Document Revision: 20
If you have feedback, comments, or additional information about this vulnerability, please send us email.