{"vuid":"VU#583020","idnumber":"583020","name":"XMMS Remote input validation error","keywords":["XMMS","XMMS Remote","XMMS.pm","malicious characters","arbitrary command execution"],"overview":"There is an input validation error in the stand-alone SOAP server XMMS Remote which allows unauthorized remote command execution.","clean_desc":"XMMS Remote is a stand-alone XML/SOAP HTTP server implemented in Perl, created by X2 Studios. It is used to monitor a running xmms media player client, typically on Mac OS X systems, but it appears to be easily ported to multiple platforms. (xmms, the X Multimedia System, is an audio player for X.) The Perl module XMMS.pm contains an input validation error which allows arbitrary commands received from a network port (8086/tcp by default) to be executed in the command shell running the service. <h4> Details</h4> In XMMS.pm, unfiltered input was passed to the Perl function system(): sub do {\n        shift; $do_call = \"xmms -\" . shift; system $do_call; return $do_call; } To mitigate this vulnerability, a regular expression was added to limit $command to one single character of input before being passed to system(): sub do {\n    shift; $command = shift; $command =~ /([\\w])/; $command = $1; $do_call = \"xmms -\" . $command; system $do_call; return $do_call; }","impact":"Unauthorized remote command execution with the privileges of the XMMS Remote service (note: not typically a privileged account).","resolution":"Update to a non-vulnerable version of XMMS.pm (created after May 07, 2003 - 1:40PM PST): http://www.x2studios.com/index.php?page=products&id=10","workarounds":"<h4> Workarounds</h4>\nBlock external access to the XML/SOAP service being offered by XMMS Remote, port 8086/tcp by default.","sysaffected":"","thanks":"Credit to Chris Dolan for reporting this vulnerability to X2 Studios.","author":"This document was written by Jeffrey S. 
Havrilla","public":["http://www.x2studios.com/index.php?page=kb&id=16","http://www.x2studios.com/index.php?page=products&id=10","http://www.xmms.org/","http://www.macslash.org/article.pl?sid=03/05/07/1120250&mode=thread","http://www.perldoc.com/perl5.8.0/pod/perlsec.html"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2003-05-14T15:24:44Z","publicdate":"2003-05-07T00:00:00Z","datefirstpublished":"2003-05-14T22:29:47Z","dateupdated":"2003-05-15T14:33:53Z","revision":11,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"1","cam_population":"1","cam_impact":"15","cam_easeofexploitation":"19","cam_attackeraccessrequired":"19","cam_scorecurrent":"1.6245","cam_scorecurrentwidelyknown":"2.13215625","cam_scorecurrentwidelyknownexploited":"4.16278125","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":1.6245,"vulnote":null}