Bugtraq mailing list archives

Entercept Ricochet Advisory: Sun Solaris KCMS Library Service Daemon Arbitrary File Retrieval Vulnerability


From: "Entercept Ricochet Team" <Ricochet () entercept com>
Date: Wed, 22 Jan 2003 10:50:30 -0800

*******ENTERCEPT RICOCHET ADVISORY******* 
 
Date: Wednesday, January 22, 2003 
Issue: KCMS Library Service Daemon Arbitrary File Retrieval Vulnerability
http://www.entercept.com/news/uspr/01-22-03.asp
 
Vulnerability Description:

Kodak Color Management System (KCMS) is an API that provides color management
functions for different devices and color spaces. The kcms_server is a daemon
that allows the KCMS library functions to access profiles on remote machines.
The profiles can be remotely read and are located under the directories 
/etc/openwin/devdata/profiles and /usr/openwin/etc/devdata/profiles.

There exists a directory traversal condition within the KCS_OPEN_PROFILE 
procedure that can lead to remote retrieval of any file on the operating 
system since the kcms_server runs with root privileges. Although certain
checks to prevent directory traversal attempts are present in the open
profile procedure call, they are inadequate and can be bypassed by utilizing 
the ToolTalk Database Server's TT_ISBUILD procedure call.
 
Vendors Affected:  
- Sun Microsystems Inc.

Vulnerable Platforms:
- Sun Solaris/Sparc 2.5, 2.6, 7, 8, 9 
- Sun Solaris/x86 2.5, 2.6, 7, 8, 9

Vendor Information/CERT Information:
 
Entercept worked directly with Sun Microsystems Inc. and CERT (Computer 
Emergency Response Team), providing the technical details necessary to develop
patches and coordinate security advisories. The CERT advisory will be available
at: http://www.kb.cert.org/vuls/id/850785

   
Acknowledgement/Information Resources:
 
This vulnerability was discovered and researched by Sinan Eren of the Entercept 
Ricochet Team.  
   
ABOUT ENTERCEPT RICOCHET:  
Entercept's Ricochet team is a specialized group of security researchers 
dedicated to identifying, assessing, and evaluating intelligence regarding 
server threats.
The Ricochet team researches current and future avenues of attack and builds 
this knowledge into Entercept's intrusion prevention solution. Ricochet is 
dedicated to providing critical, viable security content via security 
advisories and technical briefs. This content is designed to educate 
organizations and security professionals about the nature and severity of 
Internet security threats, vulnerabilities and exploits. Copyright Entercept 
Security Technologies. All rights reserved. Entercept and the Entercept logo
are trademarks of Entercept Security Technologies. All other trademarks, trade 
names or service marks are the property of their respective owners. 

DISCLAIMER STATEMENT:  
The information in this bulletin is provided by Entercept Security Technologies, 
Inc. ("Entercept") and is intended to provide information on a particular 
security issue or incident. Given that each exploitation technique is unique, 
Entercept makes no claim to prevent any specific exploit related to the 
vulnerability discussed in this bulletin. Entercept expressly disclaims any and 
all warranties with respect to the information provided in this bulletin,
express or implied or otherwise, including, but not limited to, warranty of 
fitness for a particular purpose. Under no circumstances may this information
be used to exploit vulnerabilities in any other environment.
http://www.entercept.com/news/uspr/01-22-03.asp
###  
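
Added example, not part of the Entercept advisory or of Sun's code: a defensive sketch in C of the kind of check the Vulnerability Description calls for, where the requested profile name is canonicalised with realpath() and must still resolve inside the profile directory. The function names, the weak lexical filter (hypothetical, not the actual kcms_server check) and the sample tree under /tmp are assumptions constructed for illustration.

```c
#define _XOPEN_SOURCE 700   /* realpath, mkdtemp, symlink */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical weak filter (NOT the real kcms_server check): lexical only. */
int naive_allowed(const char *name) {
    return name[0] != '/' && strncmp(name, "../", 3) != 0;
}

/* Returns 1 only if root/name resolves to an existing path inside root. */
int canonical_allowed(const char *root, const char *name) {
    char joined[PATH_MAX], real_root[PATH_MAX], real_path[PATH_MAX];
    if (snprintf(joined, sizeof joined, "%s/%s", root, name) >= (int)sizeof joined)
        return 0;                               /* over-long request */
    if (!realpath(root, real_root) || !realpath(joined, real_path))
        return 0;                               /* missing or unresolvable */
    size_t n = strlen(real_root);
    /* Require '/' after the root so "/a/profiles-x" does not match "/a/profiles". */
    return strncmp(real_path, real_root, n) == 0 && real_path[n] == '/';
}

/* Constructed sample tree: <root>/sub/, <root>/profile.icc, <root>/link -> /etc */
int build_demo_tree(char *root, size_t len) {
    char p[PATH_MAX];
    FILE *f;
    snprintf(root, len, "/tmp/kcms-demo-XXXXXX");
    if (!mkdtemp(root)) return -1;
    snprintf(p, sizeof p, "%s/sub", root);
    if (mkdir(p, 0700) != 0) return -1;
    snprintf(p, sizeof p, "%s/profile.icc", root);
    if (!(f = fopen(p, "w"))) return -1;
    fclose(f);
    snprintf(p, sizeof p, "%s/link", root);
    return symlink("/etc", p);
}

int main(void) {
    char root[64];
    const char *req[] = { "profile.icc", "sub/../../../etc/passwd", "link/passwd" };
    if (build_demo_tree(root, sizeof root) != 0) return 1;
    for (size_t i = 0; i < sizeof req / sizeof *req; i++)
        printf("%-26s naive=%d canonical=%d\n", req[i],
               naive_allowed(req[i]), canonical_allowed(root, req[i]));
    return 0;
}
```

The containment check runs on the resolved path, so a name that passes a string filter but leaves the directory through ".." components or a symbolic link is still refused; a root-privileged daemon should additionally open the file with the least privilege it can.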
  

