Entercept Ricochet Advisory: Sun Solaris KCMS Library Service Daemon Arbitrary File Retrieval Vulnerability
From: Entercept Ricochet Team (Ricochet@entercept.com)
Date: Wed, 22 Jan 2003 10:50:30 -0800
From: "Entercept Ricochet Team" <Ricochet@entercept.com>
To: <firstname.lastname@example.org>, "Entercept Ricochet Team" <Ricochet@entercept.com>
*******ENTERCEPT RICOCHET ADVISORY*******
Date: Wednesday, January 22, 2003
Issue: KCMS Library Service Daemon Arbitrary File Retrieval Vulnerability
Kodak Color Management System (KCMS) is an API that provides color management
functions for different devices and color spaces. The kcms_server is a daemon
that allows the KCMS library functions to access profiles on remote machines.
The profiles can be remotely read and are located under the directories
/etc/openwin/devdata/profiles and /usr/openwin/etc/devdata/profiles.
There exists a directory traversal condition within the KCS_OPEN_PROFILE
procedure that can lead to remote retrieval of any file on the operating
system since the kcms_server runs with root privileges. Although certain
checks to prevent directory traversal attempts are present in the open
profile procedure call, they are inadequate and can be bypassed by utilizing
the ToolTalk Database Server's TT_ISBUILD procedure call.
- Sun Microsystems Inc.
- Sun Solaris/Sparc 2.5, 2.6, 7, 8, 9
- Sun Solaris/x86 2.5, 2.6, 7, 8, 9
Vendor Information/CERT Information:
Entercept worked directly with Sun Microsystems Inc. and CERT (Computer
Emergency Response Team), providing the technical details necessary to develop
patches and coordinate security advisories. The CERT advisory will be available
This vulnerability was discovered and researched by Sinan Eren of the Entercept
ABOUT ENTERCEPT RICOCHET:
Entercept's Ricochet team is a specialized group of security researchers
dedicated to identifying, assessing, and evaluating intelligence regarding
The Ricochet team researches current and future avenues of attack and builds
this knowledge into Entercept's intrusion prevention solution. Ricochet is
dedicated to providing critical, viable security content via security
advisories and technical briefs. This content is designed to educate
organizations and security professionals about the nature and severity of
Internet security threats, vulnerabilities and exploits. Copyright Entercept
Security Technologies. All rights reserved. Entercept and the Entercept logo
are trademarks of Entercept Security Technologies. All other trademarks, trade
names or service marks are the property of their respective owners.
The information in this bulletin is provided by Entercept Security Technologies,
Inc. ("Entercept") and is intended to provide information on a particular
security issue or incident. Given that each exploitation technique is unique,
Entercept makes no claim to prevent any specific exploit related to the
vulnerability discussed in this bulletin. Entercept expressly disclaims any and
all warranties with respect to the information provided in this bulletin,
express or implied or otherwise, including, but not limited to, warranty of
fitness for a particular purpose. Under no circumstances may this information
be used to exploit vulnerabilities in any other environment.
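
The advisory says the KCS_OPEN_PROFILE traversal checks were inadequate and that the daemon reads files as root. The sketch below is an added example, not code from Sun, Entercept or the original message; it shows a containment check made on the resolved path rather than on the request string. The names open_profile_under and selftest, the .icm file name and the temporary test tree are assumptions constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not Sun's code): open profile `name` read-only, but
 * only if it really lives under `root`. Returns an fd, or -1 on refusal. */
int open_profile_under(const char *root, const char *name)
{
    char base[PATH_MAX], joined[PATH_MAX], real[PATH_MAX];
    struct stat st; size_t n; int fd;
    if (name[0] == '\0' || realpath(root, base) == NULL)
        return -1;
    if (snprintf(joined, sizeof joined, "%s/%s", base, name) >= (int)sizeof joined)
        return -1;
    /* Resolve "..", "." and symlinks against the live filesystem, so a
     * directory or link created by another service cannot disguise an escape. */
    if (realpath(joined, real) == NULL)
        return -1;
    n = strlen(base);
    if (strncmp(real, base, n) != 0 || real[n] != '/')
        return -1;                      /* resolved outside the profile root */
    fd = open(real, O_RDONLY | O_NOFOLLOW);
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode))) {
        close(fd);                      /* profiles are regular files only */
        fd = -1;
    }
    return fd;
}

/* Constructed test tree in a temp dir; returns the number of failed checks. */
int selftest(void)
{
    char top[] = "/tmp/kcmsXXXXXX", root[PATH_MAX], p[PATH_MAX];
    int fd, bad = 0;
    if (mkdtemp(top) == NULL) return -1;
    snprintf(root, sizeof root, "%s/profiles", top); mkdir(root, 0700);
    snprintf(p, sizeof p, "%s/ok.icm", root); close(creat(p, 0600));
    snprintf(p, sizeof p, "%s/secret", top);  close(creat(p, 0600));
    snprintf(p, sizeof p, "%s/link", root);   symlink("../secret", p);
    if ((fd = open_profile_under(root, "ok.icm")) < 0) bad++; else close(fd);
    if (open_profile_under(root, "../secret") >= 0) bad++;   /* ".." escape */
    if (open_profile_under(root, "link") >= 0) bad++;        /* symlink escape */
    return bad;
}
int main(void) { return selftest(); }
```

The check and the open are still two separate steps, so a service that reads profiles this way should also run without root privileges, which is what turned this traversal into retrieval of any file on the system.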