CVE-1999-0025
Description
A buffer overflow in SGI IRIX's setuid root df command allows local users to gain root privileges via a crafted directory argument.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A buffer overflow vulnerability exists in the df command on SGI IRIX systems due to insufficient bounds checking on directory or block device arguments [1]. The df binary is setuid root, and any local user can trigger the overflow by supplying an overly long argument. Affected versions include all SGI IRIX releases that include the vulnerable df binary; specific version numbers are not provided in the available references.
Exploitation
A local attacker must have access to a shell on the targeted IRIX system and run the df command with a carefully crafted argument exceeding the buffer size [1]. No authentication beyond local system access is required. The attacker constructs an argument that overwrites the stack to redirect execution to injected shellcode, achieving arbitrary code execution as root.
Impact
Successful exploitation allows the attacker to execute arbitrary code with root privileges, resulting in a complete compromise of the system's confidentiality, integrity, and availability [1].
Mitigation
SGI released a patched version of the df command; details of the fixed version are not specified in the references [1]. As a workaround, system administrators can remove the setuid permission from df (chmod u-s $(which df)) or replace df with a wrapper that limits command-line argument length to 32 characters, as provided by AUSCERT [1].
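An argument-length wrapper of the kind described above, written here as an added example; it is not AUSCERT's wrapper or SGI's code. The relocated binary path REAL_DF, the function name first_oversized_arg and the fixed environment are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MAX_ARG_LEN 32  /* per-argument limit quoted in the workaround above */
#define REAL_DF "/PLACEHOLDER/df.real"  /* hypothetical path of the relocated original df */

/* Return the index of the first argument longer than max_len,
 * or -1 when every argument (argv[0] included) fits. */
int first_oversized_arg(int argc, char *const argv[], size_t max_len)
{
    for (int i = 0; i < argc && argv[i] != NULL; i++) {
        if (strlen(argv[i]) > max_len)
            return i;
    }
    return -1;
}

int main(int argc, char *argv[])
{
    /* Fixed environment so the caller's variables never reach the real binary
     * (added hardening, not part of the workaround as the page states it). */
    char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };

    int bad = first_oversized_arg(argc, argv, MAX_ARG_LEN);
    if (bad >= 0) {
        fprintf(stderr, "df wrapper: argument %d exceeds %d characters, refusing\n",
                bad, MAX_ARG_LEN);
        return 1;
    }

    /* All arguments fit: hand over to the original program unchanged. */
    execve(REAL_DF, argv, clean_env);
    perror("df wrapper: execve");  /* reached only if execve failed */
    return 127;
}
```

The check runs before any other processing, so an oversized argument never reaches the original binary's unchecked copy.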
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"A buffer overflow vulnerability exists in the df command."
Attack vector
An attacker can exploit this vulnerability by supplying a long argument to the -f option of the df command. This crafted input can overwrite memory, allowing an attacker to execute arbitrary commands with root privileges. The exploit involves carefully constructing a buffer with machine executable code to achieve this. [ref_id=1]
Affected code
The vulnerability resides within the 'df' utility on SGI IRIX systems. The exploit code targets a buffer overflow that occurs when a long argument is passed to the '-f' option of the df command. [ref_id=1]
What the fix does
The advisory does not specify a patch or provide remediation guidance. Therefore, the exact fix is not detailed. However, the vulnerability is described as a buffer overflow in the df utility, suggesting that input validation or buffer size checks would be necessary to address it. [ref_id=1]
Preconditions
- input: A long argument must be supplied to the -f option of the df command. [ref_id=1]
- auth: The attacker must have local access to the affected system to execute the df command. [ref_id=1]
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
- www.cert.org/advisories/CA-1997-21.html (nvd, US Government Resource)
- www.kb.cert.org/vuls/id/20851 (nvd, US Government Resource)
- www.securityfocus.com/bid/346 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/440 (nvd)