search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

XMMS Remote input validation error

Vulnerability Note VU#583020

Original Release Date: 2003-05-14 | Last Revised: 2003-05-15

Overview

There is an input validation error in the stand-alone SOAP server XMMS Remote which allows unauthorized remote command execution.

Description

XMMS Remote is a stand-alone XML/SOAP HTTP server implemented in PERL created by X2 Studios. It is used to monitor a running xmms media player client, typically on Mac OS X systems, but it appears to be easily ported to multiple platforms. (xmms, the X Multimedia System, is an audio player for X) The PERL module XMMS.pm contains an input validation error which allows arbitrary commands received from a network port (8086/tcp by default) to be executed in the command shell running the service.

Details

In XMMS.pm, calls to the PERL function system()were passed in unfiltered:

sub do {
        shift;
        $do_call = "xmms -" . shift;
        system $do_call;
        return $do_call;
  }

To mitigate this vulnerability, a regular expression was added to limit $command to one single character of input before being passed to system():

sub do {
    shift;
    $command = shift;
    $command =~ /([\w])/;
    $command = $1;
    $do_call = "xmms -" . $command;
    system $do_call;
    return $do_call;
  }

Impact

Unauthorized remote command execution with the privileges of the XMMS Remote service (note: not typically a privileged account).

Solution

Update to a non-vulnerable version of XMMS.pm (created after May 07, 2003 - 1:40PM PST):


http://www.x2studios.com/index.php?page=products&id=10

Workarounds


Block external access to the XML/SOAP service being offered by XMMS Remote, port 8086/tcp by default.

Vendor Information

583020
 
Expand all

X2 Studios Affected

Updated:  May 14, 2003

Status

Affected

Vendor Statement

Please see Security Alert: Update XMMS Remote Server

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

[Begin excerpt of "Security Alert: Update XMMS Remote Server", 05/14/2003 22:36:16 UTC]

<http://www.x2studios.com/index.php?page=kb&id=16>

Article: 16, Security Alert: Update XMMS Remote Server
Date: May 07, 2003 - 1:40PM

Topic:

This applies to inital release of XMMS Remote server script. Thanks to a MacSlash reader (Chris Dolan) a security hole that was unintentionally left in the XMMS.pm (part of the server scripts) was discovered.

Discussion:

The security hole had to do with the script not evaluating input that it was issuing using system() {BAD PROGRAMMING ALERT}. There was a corrected version that included a regular expression, that made sure that the command was safe to run. However, this version was not initally uploaded. The unsafe version had been on the server between the hours of 4am PST and 11am PST on May 7, 2003. It is recomended to all users who downloaded the script durring this time to IMMEDITALLY remove it and download the new version. The new script is avaliable on the product page.

[End excerpt of "Security Alert: Update XMMS Remote Server", 05/14/2003 22:36:16 UTC]

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

Credit to Chris Dolan for reporting this vulnerability to X2 Studios.

This document was written by Jeffrey S. Havrilla

Other Information

CVE IDs: None
Severity Metric: 1.62
Date Public: 2003-05-07
Date First Published: 2003-05-14
Date Last Updated: 2003-05-15 14:33 UTC
Document Revision: 11

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis