{"vuid":"VU#195371","idnumber":"195371","name":"SGI IRIX rpc.xfsmd does not filter shell metacharacters from user input before invoking popen() function","keywords":["SGI","IRIX","rpc.xfsmd","shell metacharacters","user input","popen() function","xfs journaling file system","ENV04-C","STR02-C"],"overview":"The XFS journaling filesystem daemon uses a call to popen(3) with unfiltered client-controlled input. This will lead to arbitrary command execution on remote systems.","clean_desc":"XFS is a 64-bit compliant journaling file system. The XFS journaling filesystem daemon (xfsmd) on SGI systems uses a call to popen(3) with unfiltered client-controlled input. As mentioned in VU#20276: The popen(3) call is described by the man page as follows: FILE *popen(const char *command, const char *type); popen() creates a pipe between the calling program and the command to be executed. The arguments to popen() are pointers to null-terminated strings. \"command\" consists of a shell command line. In essence, popen provides the calling program the output of \"command.\" One example of a command you could pass to popen is cat /etc/passwd In this case, popen would return the output of the \"cat /etc/passwd\" file to the calling program. You can also pass more complex shell commands to popen, such as cat /etc/passwd & rm * The ampersand character (&) puts the preceding command in the background and executes the rest of the command in the foreground. As another example, you can execute a sequence of commands by separating them with semicolons (;). For example, ls ; rm * ; touch filename This runs the commands sequentially. As such, users able to send a stream of characters via popen(3) to a vulnerable daemon like xfsmd running on an SGI system would be able to have that text interpreted by the system as if the attacker were actually logged into the system and running a shell. When used in conjunction with exploitation of the weak RPC authentication vulnerability reported in VU#521147, remote unauthenticated users can run arbitrary commands on a victim system.","impact":"A remote user can run arbitrary commands with root privileges.","resolution":"SGI has reported they will not be providing a patch for this issue. Sites are strongly urged to disable the XFS daemon and related subsystems as soon as their service requirements permit.","workarounds":"Per SGI Security Advisory 20020606-02-I: There is no effective workaround available for these problems. SGI recommends either disabling or uninstalling the product. To disable the product from running, perform the following steps: # killall /usr/etc/xfsmd\n  # vi /etc/inetd.conf Look for a line in inetd.conf that looks like this: sgi_xfsmd/1 stream  rpc/tcp wait    root    ?/usr/etc/xfsmd     xfsmd ...and comment it out by putting a \"#\" at the beginning of the line: #sgi_xfsmd/1 stream  rpc/tcp wait    root    ?/usr/etc/xfsmd     xfsmd ...or simply remove the line from the file. # killall -HUP inetd To remove the product from the system, perform the following command: # versions remove eoe.sw.xfsmserv","sysaffected":"","thanks":"Last Stage of Delirium reported this vulnerability in several public forums.","author":"This document was written by Jeffrey S. Havrilla.","public":["ftp://patches.sgi.com/support/free/security/advisories/20020606-02-I","http://www.securityfocus.com/bid/5075","http://www.iss.net/security_center/static/9402.php","http://oss.sgi.com/projects/xfs/","http://www.sgi.com/software/xfs/"],"cveids":["CVE-2002-0359"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2002-06-20T17:13:57Z","publicdate":"2002-06-18T00:00:00Z","datefirstpublished":"2002-08-08T22:00:20Z","dateupdated":"2008-07-21T17:56:20Z","revision":21,"vrda_d1_directreport":"0","vrda_d1_population":"2","vrda_d1_impact":"2","cam_widelyknown":"20","cam_exploitation":"15","cam_internetinfrastructure":"4","cam_population":"8","cam_impact":"20","cam_easeofexploitation":"15","cam_attackeraccessrequired":"20","cam_scorecurrent":"35.1","cam_scorecurrentwidelyknown":"35.1","cam_scorecurrentwidelyknownexploited":"39.6","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":35.1,"vulnote":null}