• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: IRIX rpcbind Symlink Vulnerability

Severity: MODERATE

Description:

rpcbind is a server that converts RPC program numbers into universal addresses. It must be running on the host to be able to make RPC calls on a server on that machine. It is included in the 'eoe.sw.svr4net' package shipped with IRIX.

A vulnerability has been discovered in rpcbind when using the '-w' switch. rpcbind incorrectly followings symbolic links, potentially resulting resulting in arbitrary files being corrupted/overwritten.

The '-w' command line switch is used to enabled a warm boot, which may allow rpcbind to recover gracefully after being terminated.

When starting rpcbind with the '-w' switch, the program attempts to locate a registered services list located in files in the /tmp directory. These files are written to when the rpcbind process receives a SIGINT or SIGTERM signal. Since rpcbind incorrectly follows symbolic links, this may possibly result in arbitrary files being corrupted/overwritten when a SIGINT or SIGTERM signal is received by rpcbind.

Critical files which are writeable by the rpcbind process may be corrupted, resulting in a denial of service. If an attacker can cause files to be corrupted with custom data, then it may be possible to elevate privileges.

It should be noted that rpcbind is included in the 'eoe.sw.svr4net' package, which is not installed by default.

Affected Products:

• SGI IRIX 6.5.0
• SGI IRIX 6.5.1
• SGI IRIX 6.5.10
• SGI IRIX 6.5.11
• SGI IRIX 6.5.12
• SGI IRIX 6.5.13
• SGI IRIX 6.5.13 m
• SGI IRIX 6.5.14
• SGI IRIX 6.5.14 m
• SGI IRIX 6.5.15
• SGI IRIX 6.5.15 m
• SGI IRIX 6.5.16
• SGI IRIX 6.5.16 m
• SGI IRIX 6.5.17
• SGI IRIX 6.5.17 m
• SGI IRIX 6.5.2
• SGI IRIX 6.5.3
• SGI IRIX 6.5.4
• SGI IRIX 6.5.5
• SGI IRIX 6.5.6
• SGI IRIX 6.5.7
• SGI IRIX 6.5.8
• SGI IRIX 6.5.9

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.