Vulnerability Note VU#195371

SGI IRIX rpc.xfsmd does not filter shell metacharacters from user input before invoking popen() function

Original Release date: 08 Aug 2002 | Last revised: 21 Jul 2008

Overview

The XFS journaling filesystem daemon uses a call to popen(3) with unfiltered client-controlled input. This will lead to arbitrary command execution on remote systems.

Description

XFS is a 64-bit compliant journaling file system. The XFS journaling filesystem daemon (xfsmd) on SGI systems uses a call to popen(3) with unfiltered client-controlled input.

As mentioned in VU#20276:

    The popen(3) call is described by the man page as follows:

                     FILE *popen(const char *command, const char *type);

                     popen() creates a pipe between the calling program and the command to be executed. The arguments to popen() are pointers to null-terminated strings. "command" consists of a shell command line.

    In essence, popen provides the calling program the output of "command." One example of a command you could pass to popen is

                     cat /etc/passwd

    In this case, popen would return the output of the "cat /etc/passwd" file to the calling program. You can also pass more complex shell commands to popen, such as

                     cat /etc/passwd & rm *

    The ampersand character (&) puts the preceding command in the background and executes the rest of the command in the foreground. As another example, you can execute a sequence of commands by separating them with semicolons (;). For example,

                     ls ; rm * ; touch filename

    This runs the commands sequentially.

As such, users able to send a stream of characters via popen(3) to a vulnerable daemon like xfsmd running on an SGI system would be able to have that text interpreted by the system as if the attacker were actually logged into the system and running a shell. When used in conjunction with exploitation of the weak RPC authentication vulnerability reported in VU#521147, remote unauthenticated users can run arbitrary commands on a victim system.

Impact

A remote user can run arbitrary commands with root privileges.

Solution

SGI has reported they will not be providing a patch for this issue. Sites are strongly urged to disable the XFS daemon and related subsystems as soon as their service requirements permit.

Per SGI Security Advisory 20020606-02-I:

There is no effective workaround available for these problems.
SGI recommends either disabling or uninstalling the product.

To disable the product from running, perform the following steps:

  # killall /usr/etc/xfsmd
 # vi /etc/inetd.conf

  Look for a line in inetd.conf that looks like this:

    sgi_xfsmd/1 stream  rpc/tcp wait    root    ?/usr/etc/xfsmd     xfsmd

  ...and comment it out by putting a "#" at the beginning of the line:

    #sgi_xfsmd/1 stream  rpc/tcp wait    root    ?/usr/etc/xfsmd     xfsmd

  ...or simply remove the line from the file.

  # killall -HUP inetd

To remove the product from the system, perform the following command:

  # versions remove eoe.sw.xfsmserv

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
SGIAffected-08 Aug 2002
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Last Stage of Delirium reported this vulnerability in several public forums.

This document was written by Jeffrey S. Havrilla.

Other Information

  • CVE IDs: CVE-2002-0359
  • Date Public: 18 Jun 2002
  • Date First Published: 08 Aug 2002
  • Date Last Updated: 21 Jul 2008
  • Severity Metric: 35.10
  • Document Revision: 20

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.