Home | FAQ | Contact | Privacy Policy

Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information

View Notes By

Name

Other Documents

Technical Alerts

Technical Bulletins

Alerts

Security Tips

Vulnerability Note VU#195371

SGI IRIX rpc.xfsmd does not filter shell metacharacters from user input before invoking popen() function

Overview

The XFS journaling filesystem daemon uses a call to popen(3) with unfiltered client-controlled input. This will lead to arbitrary command execution on remote systems.

I. Description

XFS is a 64-bit compliant journaling file system. The XFS journaling filesystem daemon (xfsmd) on SGI systems uses a call to popen(3) with unfiltered client-controlled input.

As mentioned in VU#20276:

The popen(3) call is described by the man page as follows:

FILE *popen(const char *command, const char *type);

popen() creates a pipe between the calling program and the command to be executed. The arguments to popen() are pointers to null-terminated strings. "command" consists of a shell command line

.

In essence, popen provides the calling program the output of "command." One example of a command you could pass to popen is

cat /etc/passwd

In this case, popen would return the output of the "cat /etc/passwd" file to the calling program. You can also pass more complex shell commands to popen, such as

cat /etc/passwd & rm *

The ampersand character (&) puts the preceding command in the background and executes the rest of the command in the foreground. As another example, you can execute a sequence of commands by separating them with semicolons (;). For example,

ls ; rm * ; touch filename

This runs the commands sequentially.

As such, users able to send a stream of characters via popen(3) to a vulnerable daemon like xfsmd running on an SGI system would be able to have that text interpreted by the system as if the attacker were actually logged into the system and running a shell. When used in conjunction with exploitation of the weak RPC authentication vulnerability reported in VU#521147, remote unauthenticated users can run arbitrary commands on a victim system.

II. Impact

A remote user can run arbitrary commands with root privileges.

III. Solution

SGI has reported they will not be providing a patch for this issue. Sites are strongly urged to disable the XFS daemon and related subsystems as soon as their service requirements permit.

Per SGI Security Advisory 20020606-02-I:

There is no effective workaround available for these problems. SGI recommends either disabling or uninstalling the product.
To disable the product from running, perform the following steps:
# killall /usr/etc/xfsmd # vi /etc/inetd.conf
Look for a line in inetd.conf that looks like this:
sgi_xfsmd/1 stream rpc/tcp wait root ?/usr/etc/xfsmd xfsmd
...and comment it out by putting a "#" at the beginning of the line:
#sgi_xfsmd/1 stream rpc/tcp wait root ?/usr/etc/xfsmd xfsmd
...or simply remove the line from the file.
# killall -HUP inetd
To remove the product from the system, perform the following command:
# versions remove eoe.sw.xfsmserv

Systems Affected

Vendor	Status	Date Notified	Date Updated
SGI	Vulnerable	8-Aug-2002

References

http://www.kb.cert.org/vuls/id/521147
https://www.securecoding.cert.org/confluence/x/1IAg
https://www.securecoding.cert.org/confluence/x/-AY
ftp://patches.sgi.com/support/free/security/advisories/20020606-02-I
http://www.securityfocus.com/bid/5075
http://www.iss.net/security_center/static/9402.php
http://oss.sgi.com/projects/xfs/
http://www.sgi.com/software/xfs/

Credit

Last Stage of Delirium reported this vulnerability in several public forums.

This document was written by Jeffrey S. Havrilla.

Other Information

Date Public:	2002-06-18
Date First Published:	2002-08-08
Date Last Updated:	2008-07-21
CERT Advisory:
CVE-ID(s):	CVE-2002-0359
NVD-ID(s):	CVE-2002-0359
US-CERT Technical Alerts:
Metric:	35.10
Document Revision:	20

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Get Adobe Reader