Date: Wed, 22 Jan 2003 10:50:30 -0800
From: Entercept Ricochet Team <[email protected]>
To: [email protected],
Subject: Entercept Ricochet Advisory: Sun Solaris KCMS Library Service Daemon Arbitrary File Retrieval Vulnerability
*******ENTERCEPT RICOCHET ADVISORY*******

Date: Wednesday, January 22, 2003
Issue: KCMS Library Service Daemon Arbitrary File Retrieval Vulnerability
http://www.entercept.com/news/uspr/01-22-03.asp

Vulnerability Description:
Kodak Color Management System (KCMS) is an API that provides color
management functions for different devices and color spaces. The
kcms_server is a daemon that allows the KCMS library functions to access
profiles on remote machines. The profiles can be remotely read and are
located under the directories /etc/openwin/devdata/profiles and
/usr/openwin/etc/devdata/profiles.

There exists a directory traversal condition within the KCS_OPEN_PROFILE
procedure that can lead to remote retrieval of any file on the operating
system since the kcms_server runs with root privileges. Although certain
checks to prevent directory traversal attempts are present in the open
profile procedure call, they are inadequate and can be bypassed by
utilizing the ToolTalk Database Server's TT_ISBUILD procedure call.
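
A containment check of the kind the description calls for, as an added C example (not Sun's code or patch, and not part of the advisory): the requested name is canonicalized with realpath() and accepted only if the result still lies under a profile directory. The function names are hypothetical; the two directory paths are the ones listed above.

```c
/* Added illustration, not Sun's code. Function names are hypothetical. */
#define _XOPEN_SOURCE 700   /* realpath(path, NULL) per POSIX.1-2008 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Profile directories named in the advisory. */
static const char *const PROFILE_ROOTS[] = {
    "/etc/openwin/devdata/profiles",
    "/usr/openwin/etc/devdata/profiles",
};

/* 1 if canonical path p is root itself or lies beneath it. The separator
   test keeps "/a/profiles_x" from matching the root "/a/profiles". */
int path_under(const char *root, const char *p)
{
    size_t n = strlen(root);
    if (strncmp(p, root, n) != 0) return 0;
    return n == 1 || p[n] == '/' || p[n] == '\0';
}

/* Resolve name under root on the filesystem (symlinks and ".." included)
   and accept it only if the canonical result is still inside root.
   Returns a malloc'd canonical path, or NULL when the name is rejected. */
char *resolve_in_root(const char *root, const char *name)
{
    char *joined, *real_root, *real = NULL;
    size_t len = strlen(root) + strlen(name) + 2;
    if (name[0] == '/' || name[0] == '\0') return NULL; /* relative only */
    if ((joined = malloc(len)) == NULL) return NULL;
    snprintf(joined, len, "%s/%s", root, name);
    real_root = realpath(root, NULL);
    if (real_root != NULL) real = realpath(joined, NULL);
    if (real != NULL && !path_under(real_root, real)) { free(real); real = NULL; }
    free(real_root);
    free(joined);
    return real;
}

/* Try each profile directory in turn; NULL means "refuse the request". */
char *resolve_profile(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof PROFILE_ROOTS / sizeof PROFILE_ROOTS[0]; i++) {
        char *p = resolve_in_root(PROFILE_ROOTS[i], name);
        if (p != NULL) return p;
    }
    return NULL;
}
```

A server using such a check should open the returned canonical path rather than the client-supplied name.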

Vendors Affected:
- Sun Microsystems Inc.

Vulnerable Platforms:
- Sun Solaris/Sparc 2.5, 2.6, 7, 8, 9
- Sun Solaris/x86 2.5, 2.6, 7, 8, 9

Vendor Information/CERT Information:

Entercept worked directly with Sun Microsystems Inc. and CERT (Computer
Emergency Response Team), providing the technical details necessary to
develop patches and coordinate security advisories. The CERT advisory will
be available at: http://www.kb.cert.org/vuls/id/850785

Acknowledgement/Information Resources:

This vulnerability was discovered and researched by Sinan Eren of the
Entercept Ricochet Team.

ABOUT ENTERCEPT RICOCHET:
Entercept's Ricochet team is a specialized group of security researchers
dedicated to identifying, assessing, and evaluating intelligence regarding
server threats. The Ricochet team researches current and future avenues of
attack and builds this knowledge into Entercept's intrusion prevention
solution. Ricochet is dedicated to providing critical, viable security
content via security advisories and technical briefs. This content is
designed to educate organizations and security professionals about the
nature and severity of Internet security threats, vulnerabilities and
exploits.

Copyright Entercept Security Technologies. All rights reserved. Entercept
and the Entercept logo are trademarks of Entercept Security Technologies.
All other trademarks, trade names or service marks are the property of
their respective owners.

DISCLAIMER STATEMENT:
The information in this bulletin is provided by Entercept Security
Technologies, Inc. ("Entercept") and is intended to provide information on
a particular security issue or incident. Given that each exploitation
technique is unique, Entercept makes no claim to prevent any specific
exploit related to the vulnerability discussed in this bulletin. Entercept
expressly disclaims any and all warranties with respect to the information
provided in this bulletin, express or implied or otherwise, including, but
not limited to, warranty of fitness for a particular purpose. Under no
circumstances may this information be used to exploit vulnerabilities in
any other environment.