The XFS journaling filesystem daemon uses a call to popen(3) with unfiltered client-controlled input. This will lead to arbitrary command execution on remote systems.
XFS is a 64-bit compliant journaling file system. The XFS journaling filesystem daemon (
xfsmd) on SGI systems uses a call to
popen(3) with unfiltered client-controlled input.
As mentioned in VU#20276:
The popen(3) call is described by the man page as follows:
``_FILE *popen(const char *command, const char *type);_
_ popen() creates a pipe between the calling program and the command to be executed. The arguments to popen() are pointers to null-terminated strings. "command" consists of a shell command line_``.
In essence, popen provides the calling program the output of "command." One example of a command you could pass to popen is
In this case, popen would return the output of the "cat /etc/passwd" file to the calling program. You can also pass more complex shell commands to popen, such as
cat /etc/passwd & rm *
The ampersand character (&) puts the preceding command in the background and executes the rest of the command in the foreground. As another example, you can execute a sequence of commands by separating them with semicolons (;). For example,
ls ; rm * ; touch filename
This runs the commands sequentially.
As such, users able to send a stream of characters via
popen(3) to a vulnerable daemon like
xfsmd running on an SGI system would be able to have that text interpreted by the system as if the attacker were actually logged into the system and running a shell. When used in conjunction with exploitation of the weak RPC authentication vulnerability reported in VU#521147, remote unauthenticated users can run arbitrary commands on a victim system.
A remote user can run arbitrary commands with root privileges.
SGI has reported they will not be providing a patch for this issue. Sites are strongly urged to disable the XFS daemon and related subsystems as soon as their service requirements permit.
Per SGI Security Advisory 20020606-02-I:
There is no effective workaround available for these problems.
SGI recommends either disabling or uninstalling the product.
To disable the product from running, perform the following steps:
` # killall /usr/etc/xfsmd
Look for a line in inetd.conf that looks like this:
sgi_xfsmd/1 stream rpc/tcp wait root ?/usr/etc/xfsmd xfsmd
...and comment it out by putting a "#" at the beginning of the line:
#sgi_xfsmd/1 stream rpc/tcp wait root ?/usr/etc/xfsmd xfsmd
...or simply remove the line from the file.
# killall -HUP inetd
To remove the product from the system, perform the following command:
# versions remove eoe.sw.xfsmserv`
Vendor| Status| Date Notified| Date Updated
SGI| | -| 08 Aug 2002
If you are a vendor and your product is affected, let us know.
Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A
Last Stage of Delirium reported this vulnerability in several public forums.
This document was written by Jeffrey S. Havrilla.