CVE-2000-0013
Description
IRIX soundplayer allows local privilege escalation via shell metacharacters in .wav filenames when executed by midikeys.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IRIX soundplayer allows local privilege escalation via shell metacharacters in .wav filenames when executed by midikeys.
Vulnerability
The soundplayer program on SGI IRIX systems is vulnerable to an input validation issue. When soundplayer is executed by midikeys (which may be setuid root on older IRIX systems), a local user can include shell metacharacters, specifically a semicolon followed by a command, in a .wav filename. This allows for arbitrary command execution with the privileges of soundplayer [1].
Exploitation
A local attacker must first execute midikeys, which may be a setuid root program on vulnerable IRIX systems. The attacker then uses the soundplayer application to save a .wav file. By providing a filename ending in a semicolon followed by a command (e.g., foo;/tmp/command), the appended command will be executed with the privileges of soundplayer [1].
Impact
Successful exploitation allows a local user to execute arbitrary commands with the privileges of the soundplayer program. If soundplayer is invoked via midikeys on a system where midikeys is setuid root, this can lead to a full root compromise on the affected IRIX system [1].
Mitigation
No specific patched version or release date is disclosed in the available references. Users are advised to avoid executing soundplayer or midikeys if possible, or to restrict access to these programs. The vulnerability is related to older versions of IRIX, and upgrading to a supported and patched operating system is recommended if available [1].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The soundplayer program does not properly sanitize shell metacharacters in filenames, allowing command injection."
Attack vector
A local user can exploit this vulnerability by crafting a malicious .wav file. When this file is saved using the soundplayer program, the user can append shell metacharacters and a command to the filename. If soundplayer is executed with elevated privileges, such as when called by the setuid program midikeys, the injected command will be executed with those privileges [ref_id=1]. This allows a local user to gain root access.
Affected code
The vulnerability lies within the soundplayer program, specifically in how it handles filenames when saving files. The midikeys program can also be involved if it is setuid root and calls soundplayer, thereby elevating the privileges of the exploited process [ref_id=1].
What the fix does
The advisory does not specify a patch or provide details on how the vulnerability is fixed. Remediation guidance suggests that users should upgrade to a secure version of the software, but specific details on the fix are not available in the provided information.
Preconditions
- authThe attacker must have local access to the affected system.
- inputThe attacker must be able to create or modify .wav files.
- configThe midikeys program must be setuid root on the affected system for privilege escalation to root.
Reproduction
cc -o /tmp/kungfoo crazymonkey.c /usr/sbin/midikeys & Save the wav as 'foo;/tmp/kungfoo' and go find a rewt shell in tmp
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1News mentions
0No linked articles in our index yet.