| VID |
17034 |
| Severity |
40 |
| Port |
|
| Protocol |
TCP |
| Class |
RPC |
| Detailed Description |
The RPC rpc.xfsmd service has several remotely exploitable vulnerabilities which, when properly exploited, can result in unauthorized root access to the vulnerable system. The xfsmd service is installed and started by default on all versions of the IRIX operating system from version 6.2 to 6.5.16 (after full OS installation). This daemon provides functionality related to the management of xfs file systems and disk volumes (xlv). Xfsmd handles requests for file system creation, mounting and unmounting. Through xfsmd, file system parameters can be modified and whole partitions can be managed. Xfsmd is registered in the IRIX operating system as RPC service number 391016.
1. Weak authentication problem: The first problem with the xfsmd service is its weak RPC authentication scheme, which is based on the AUTH_UNIX RPC type. Such an authentication scheme can be easily bypassed, which makes it possible to remotely call potentially dangerous RPC functions, the ones that allow mounting, unmounting, creating, deleting or modifying xfs file systems on a vulnerable host. The ability to perform such actions on a Unix system is obviously equivalent to gaining root user privileges.
2. popen() vulnerabilities: The other vulnerability in the xfsmd service is the result of bad coding practice in the way the popen() function is called throughout the xfsmd code. Xfsmd RPC functions use the popen() call to invoke several external programs that provide the required file system related functionality. A user-provided argument is passed to the popen() call without any checks for shell metacharacters, such as ';' or ''. By exploiting this flaw, a remote user can execute arbitrary commands on the system.
* References: http://online.securityfocus.com/archive/1/277957 ftp://patches.sgi.com/support/free/security/advisories/20020606-01-I |
| Recommendation |
SGI announced that fixes or patches for this issue were not provided, as the product was retired. As a temporary workaround, SGI recommended either disabling or uninstalling the product.
To disable the product from running, perform the following steps:
1. Edit the /etc/inetd.conf file and comment out the xfsmd line.
2. After this change has been made, the inetd daemon must be restarted with the command:
kill -HUP PID
To remove the product from the system, run the following command:
# versions remove eoe.sw.xfsmserv |
| Related URL |
CVE-2002-0359 (CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|