KCMS server vulnerabilities
Created 1/29/03
CAN 2003-0027
Impact
A remote attacker could view any file on the system with
root privileges.
Background
The Kodak Color Management System (KCMS) service, which
is enabled by default in Solaris operating systems, allows
KCMS library functions to access profiles on remote systems.
The only files which are intended to be served are located
in the /etc/openwin/devdata/profiles and
/usr/openwin/etc/devdata/profiles
directories.
The Problem
A dot-dot-slash (../) sequence within the requested path
name can be used to request files outside the intended
directories. Although the KCMS server includes checks to
filter such sequences, they can be bypassed using the
ToolTalk Database Server's TT_ISBUILD procedure call.
Solaris versions 9 and earlier are affected by this
vulnerability.
Resolution
Disable the KCMS server if it is not being used. To disable
the service, place a pound sign (#) before
the appropriate line in /etc/inetd.conf:
#100221/1 tli rpc/tcp wait root /usr/openwin/bin/kcms_server kcms_server
If the KCMS service is needed on the system, then apply a
patch when one becomes available. Check
Sun Security Alert 50104 for patch
information.
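The following script, added here as an example and not part of the original advisory, audits an inetd.conf-style file for an active kcms_server entry and writes a copy with that entry commented out, which is the remediation described above. The sample configuration it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the advisory: audit an inetd.conf for the KCMS
# RPC service (program number 100221) and produce a copy with the service
# commented out, as the Resolution section describes.

# Print "enabled" if an uncommented kcms_server entry is present,
# "disabled" if every kcms_server entry is commented out, else "absent".
kcms_status() {
    if grep -q '^[[:space:]]*[^#].*kcms_server' "$1"; then
        echo enabled
    elif grep -q 'kcms_server' "$1"; then
        echo disabled
    else
        echo absent
    fi
}

# Write a copy of the config with every active kcms_server line prefixed
# by '#'. Already-commented lines and other services are left untouched.
disable_kcms() {
    sed '/^[[:space:]]*[^#].*kcms_server/s/^/#/' "$1" > "$2"
}

# Constructed sample inetd.conf for demonstration (not a real system file).
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf
ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd
100221/1 tli rpc/tcp wait root /usr/openwin/bin/kcms_server kcms_server
EOF
}

# Demonstration: build the sample, report status before and after.
demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir/inetd.conf"
echo "before: $(kcms_status "$demo_dir/inetd.conf")"          # before: enabled
disable_kcms "$demo_dir/inetd.conf" "$demo_dir/inetd.conf.fixed"
echo "after:  $(kcms_status "$demo_dir/inetd.conf.fixed")"    # after:  disabled
rm -rf "$demo_dir"
```

On a live system, inetd re-reads its configuration only after being signalled (for example with kill -HUP), so the status check should be repeated against the running service after editing the real file.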
Where can I read more about this?
This vulnerability was reported in
Sun Security Alert 50104 and an
Entercept Security Alert.