Vulnerability Note VU#583020

XMMS Remote input validation error

Original Release date: 14 May 2003 | Last revised: 15 May 2003

Overview

There is an input validation error in the stand-alone SOAP server XMMS Remote which allows unauthorized remote command execution.

Description

XMMS Remote is a stand-alone XML/SOAP HTTP server implemented in PERL created by X2 Studios. It is used to monitor a running xmms media player client, typically on Mac OS X systems, but it appears to be easily ported to multiple platforms. (xmms, the X Multimedia System, is an audio player for X) The PERL module XMMS.pm contains an input validation error which allows arbitrary commands received from a network port (8086/tcp by default) to be executed in the command shell running the service.

Details

In XMMS.pm, calls to the PERL function system()were passed in unfiltered:

sub do {
        shift;
        $do_call = "xmms -" . shift;
        system $do_call;
        return $do_call;
  }

To mitigate this vulnerability, a regular expression was added to limit $command to one single character of input before being passed to system():

sub do {
    shift;
    $command = shift;
    $command =~ /([\w])/;
    $command = $1;
    $do_call = "xmms -" . $command;
    system $do_call;
    return $do_call;
  }

Impact

Unauthorized remote command execution with the privileges of the XMMS Remote service (note: not typically a privileged account).

Solution

Update to a non-vulnerable version of XMMS.pm (created after May 07, 2003 - 1:40PM PST):


http://www.x2studios.com/index.php?page=products&id=10

Workarounds


Block external access to the XML/SOAP service being offered by XMMS Remote, port 8086/tcp by default.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
X2 StudiosAffected-14 May 2003
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Credit to Chris Dolan for reporting this vulnerability to X2 Studios.

This document was written by Jeffrey S. Havrilla

Other Information

  • CVE IDs: Unknown
  • Date Public: 07 May 2003
  • Date First Published: 14 May 2003
  • Date Last Updated: 15 May 2003
  • Severity Metric: 1.62
  • Document Revision: 11

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.