Entercept Ricochet Advisory: Sun Solaris KCMS Library Service Daemon Arbitrary File Retrieval Vulnerability

From: Entercept Ricochet Team (Ricochet@entercept.com)
Date: 01/22/03

    Date: Wed, 22 Jan 2003 10:50:30 -0800
    From: "Entercept Ricochet Team" <Ricochet@entercept.com>
    To: <bugtraq@securityfocus.com>, "Entercept Ricochet Team" <Ricochet@entercept.com>

    Date: Wednesday, January 22, 2003
    Issue: KCMS Library Service Daemon Arbitrary File Retrieval Vulnerability

    Vulnerability Description:

    Kodak Color Management System (KCMS) is an API that provides color management
    functions for different devices and color spaces. kcms_server is a daemon that
    lets the KCMS library functions access color profiles on remote machines. The
    profiles live under /etc/openwin/devdata/profiles and
    /usr/openwin/etc/devdata/profiles and can be read remotely.

    The KCS_OPEN_PROFILE procedure contains a directory traversal condition.
    Because kcms_server runs with root privileges, a request that escapes the
    profile directories can retrieve any file on the system, not just files the
    requesting user could read. The open profile procedure does perform some checks
    intended to block directory traversal, but they are inadequate and can be
    bypassed by using the ToolTalk Database Server's TT_ISBUILD procedure call.
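    To make the point about inadequate traversal checks concrete, here is an added
    example in C, written for this page. It is not kcms_server source (which is not
    reproduced here) and does not implement the KCMS RPC protocol. It contrasts a
    lexical check of the kind the advisory calls inadequate (refuse ".." and a
    leading "/" in the requested name) with a check that canonicalizes the path with
    realpath() before comparing it to the profile root. The directory layout it
    builds under a temporary directory (a legitimate profile, a file outside the
    root, and a symlink planted under the root) is constructed for the
    demonstration; the advisory names TT_ISBUILD as the means of bypass but does not
    spell out the mechanism, so the planted symlink is an assumption standing in for
    "attacker-influenced directory contents", not a description of what TT_ISBUILD
    does. The root path and the names cmyk.pf, esc and secret.txt are hypothetical.

```c
#define _GNU_SOURCE             /* mkdtemp, realpath, O_NOFOLLOW on glibc */
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Lexical check of the kind the advisory describes as inadequate: refuse names
 * containing ".." or starting with "/", then open root/name. Nothing here looks
 * at what the path actually resolves to on disk. Returns an fd or -1. */
int open_profile_lexical(const char *root, const char *name)
{
    char path[PATH_MAX];
    if (strstr(name, "..") != NULL || name[0] == '/')
        return -1;
    if (snprintf(path, sizeof path, "%s/%s", root, name) >= (int)sizeof path)
        return -1;
    return open(path, O_RDONLY);
}

/* Canonicalizing check: resolve root and the joined path with realpath()
 * (symlinks, "." and ".." are all resolved), then require the result to lie
 * strictly below the root. O_NOFOLLOW guards the final component against a
 * symlink swapped in after the check. Returns an fd or -1. */
int open_profile_canonical(const char *root, const char *name)
{
    char joined[PATH_MAX], real_root[PATH_MAX], real_path[PATH_MAX];
    size_t n;
    if (snprintf(joined, sizeof joined, "%s/%s", root, name) >= (int)sizeof joined)
        return -1;
    if (realpath(root, real_root) == NULL || realpath(joined, real_path) == NULL)
        return -1;
    n = strlen(real_root);
    if (strncmp(real_path, real_root, n) != 0 || real_path[n] != '/')
        return -1;
    return open(real_path, O_RDONLY | O_NOFOLLOW);
}

/* Constructed layout (hypothetical names) under a fresh temporary directory:
 *   <tmp>/secret.txt          a file outside the profile root
 *   <tmp>/profiles/cmyk.pf    a legitimate profile
 *   <tmp>/profiles/esc -> ..  a symlink planted under the root (an assumption
 *                             standing in for attacker-influenced contents)
 * Writes the profile root into `root`; returns 0 on success, -1 on failure. */
int build_layout(char *root, size_t rootlen)
{
    char tmpl[] = "/tmp/kcmsdemoXXXXXX";
    char p[PATH_MAX];
    FILE *f;
    if (mkdtemp(tmpl) == NULL)
        return -1;
    snprintf(root, rootlen, "%s/profiles", tmpl);
    if (mkdir(root, 0755) != 0)
        return -1;
    snprintf(p, sizeof p, "%s/secret.txt", tmpl);
    if ((f = fopen(p, "w")) == NULL)
        return -1;
    fputs("root:x:0:0:Super-User:/:/sbin/sh\n", f);   /* constructed content */
    fclose(f);
    snprintf(p, sizeof p, "%s/cmyk.pf", root);
    if ((f = fopen(p, "w")) == NULL)
        return -1;
    fputs("constructed profile data\n", f);
    fclose(f);
    snprintf(p, sizeof p, "%s/esc", root);
    return symlink("..", p);
}

/* Builds the layout on first use and returns its root (NULL on failure). */
const char *demo_root(void)
{
    static char root[PATH_MAX];
    if (root[0] == '\0' && build_layout(root, sizeof root) != 0) {
        root[0] = '\0';
        return NULL;
    }
    return root;
}

/* 1 if `opener` grants access to root/name, 0 if it refuses. */
int grants(int (*opener)(const char *, const char *), const char *root, const char *name)
{
    int fd = opener(root, name);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

int main(void)
{
    const char *root = demo_root();
    const char *req = "esc/secret.txt";   /* passes the lexical filter: no ".." */
    if (root == NULL) {
        perror("build_layout");
        return 1;
    }
    printf("lexical   %s: %s\n", req, grants(open_profile_lexical, root, req) ? "opened (escaped root)" : "denied");
    printf("canonical %s: %s\n", req, grants(open_profile_canonical, root, req) ? "opened" : "denied");
    return 0;
}
```

    Build with `cc -o kcms_demo kcms_demo.c` and run it. The request
    "esc/secret.txt" contains no ".." and so passes the lexical filter, yet
    resolves to a file outside the profile root; the canonicalizing check refuses
    it, and still accepts "esc/profiles/cmyk.pf", which resolves back inside the
    root. Canonicalization narrows the problem rather than closing it: a race
    between realpath() and open() remains on intermediate path components, and a
    daemon that runs as root still exposes every file it can be talked into
    opening. For the vulnerability described here, the vendor patch referenced
    below is the fix.
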

    Vendors Affected:
    - Sun Microsystems Inc.

    Vulnerable Platforms:
    - Sun Solaris/Sparc 2.5, 2.6, 7, 8, 9
    - Sun Solaris/x86 2.5, 2.6, 7, 8, 9

    Vendor Information/CERT Information:
    Entercept worked directly with Sun Microsystems Inc. and CERT (Computer
    Emergency Response Team), providing the technical details necessary to develop
    patches and coordinate security advisories. The CERT advisory will be available
    at: http://www.kb.cert.org/vuls/id/850785

    Acknowledgement/Information Resources:
    This vulnerability was discovered and researched by Sinan Eren of the Entercept
    Ricochet Team.
    Entercept's Ricochet team is a specialized group of security researchers
    dedicated to identifying, assessing, and evaluating intelligence regarding
    server threats.
    The Ricochet team researches current and future avenues of attack and builds
    this knowledge into Entercept's intrusion prevention solution. Ricochet is
    dedicated to providing critical, viable security content via security
    advisories and technical briefs. This content is designed to educate
    organizations and security professionals about the nature and severity of
    Internet security threats, vulnerabilities and exploits.

    Copyright Entercept Security Technologies. All rights reserved. Entercept and
    the Entercept logo are trademarks of Entercept Security Technologies. All other
    trademarks, trade names or service marks are the property of their respective
    owners.

    The information in this bulletin is provided by Entercept Security Technologies,
    Inc. ("Entercept") and is intended to provide information on a particular
    security issue or incident. Given that each exploitation technique is unique,
    Entercept makes no claim to prevent any specific exploit related to the
    vulnerability discussed in this bulletin. Entercept expressly disclaims any and
    all warranties with respect to the information provided in this bulletin,
    express or implied or otherwise, including, but not limited to, warranty of
    fitness for a particular purpose. Under no circumstances may this information
    be used to exploit vulnerabilities in any other environment.
