CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS
Percentile
97.7%
The Sun KCMS library service daemon, kcms_server
, does not adequately validate the location of KCMS profile files. This could allow a remote attacker to read arbitrary files on a vulnerable system.
Sun Solaris contains support for the Kodak Color Management System (KCMS), an application programming interface (API) that provides color management functions for different devices and color spaces. From the KCMS Application Developer’s Guide: “The KCMS framework enables the accurate reproduction, and improves the appearance of, digital color images on desktop computers and associated peripherals.” KCMS profiles contain information that “tell[s] the KCMS framework how to convert input color data to the appropriate color-corrected output color data.” The KCMS framework “loads and saves profiles, gets and sets KCMS profile attributes, and directs requests for color management to the right CMM at the right time.”
From the man
page for kcms_server(1)
:
DESCRIPTION The kcms_server is a daemon that allows the KCMS library to access profiles on remote machines. The KCMS library is its only client. Profiles can be accessed read only and must be located in the following directories. This is for security reasons. /usr/openwin/etc/devdata/profiles /etc/openwin/devdata/profiles kcms_server will be automatically started by inetd(1M) when a request to use the server is generated by a remote host. An entry has been added to /etc/inet/inetd.conf correspond- ing to kcms_server that makes this possible.
As part of the KCMS framework, the KCMS library service daemon (kcms_server
) provides a way to serve KCMS profiles to remote clients. The daemon is implemented as a Sun remote procedure call (RPC) service that is managed by the Internet services daemon (inetd(1M))
and the RPC portmapper service (rpcbind(1M)
). The KCMS library service daemon listens for network requests and serves read-only KCMS profiles from /etc/openwin/devdata/profiles
and /usr/openwin/etc/devdata/profiles
. A typical request for a KCMS profile specifies the name of the file (fileName
) and optionally, its location (hostName
).
When opening a profile, the KCMS library service daemon does not adequately validate the fileName
argument. According to a report published by Entercept, the checks performed by the KCS_OPEN_PROFILE procedure are not complete in that they do not account for the case of a sub-directory within the KCMS profile directories. If an attacker is able to create a sub-directory within either of the directories searched by the KCMS library service daemon, the attacker could use a specially crafted fileName
argument that would bypass the directory traversal checks and allow the attacker to read any file on a vulnerable system. As noted by Entercept, the ToolTalk database server (rpc.ttdbserverd``(1M)
) procedure _TT_ISBUILD()
can be used to create a directory named TT_DB
in an arbitrary location on a remote system.
The KCMS library service daemon runs with root privileges, and both it and the ToolTalk database server are typically installed and enabled by default on Solaris systems.
A remote attacker could read any file on a vulnerable system. In the example described by Entercept, an attacker would first need to create a directory under /etc/openwin/devdata/profiles
or /usr/openwin/etc/devdata/profiles
.
Apply Patch
When available, apply the appropriate patch as referenced by Sun.
Disable kcms_server
Until patches are available and can be applied, disable the KCMS library service daemon by commenting out the appropriate entry in /etc/inetd.conf
, terminating any currently running kcms_server
processes, and restarting the Internet services daemon inetd(1M)
. The rpcinfo(1M)
, netstat(1M)
, and ps(1)
commands may be useful in determining if the KCMS library service daemon is enabled.
The following examples are from a SunOS 5.8 (Solaris 8) system:
[/etc/inetd.conf
]
#
# Sun KCMS Profile Server
#
100221/1 tli rpc/tcp wait root /usr/openwin/bin/kcms_server kcms_server
The KCMS library service is assigned RPC program number 100221.
$ rpcinfo -p |grep 100221
100221 1 tcp 32781
$ netstat -a |grep 32781
*.32781 Idle
*.32781 *.* 0 0 24576 0 LISTEN
$ ps -ef |grep kcms_server
root 484 156 0 15:12:01 ? 0:00 kcms_server
As a general best practice, the CERT/CC recommends disabling any services that are not explicitly required.
Block or Restrict Access
Until patches are available and can be applied, block or restrict access to the RPC portmapper service and the KCMS library service daemon from untrusted networks such as the Internet. The RPC portmapper service typically runs on ports 111/tcp and 111/udp. In the above example, the KCMS library service daemon is configured to run on 32781/tcp, however, this port number may vary. Also, consider blocking or restricting access to the ToolTalk database server (RPC program number 100083). Keep in mind that blocking ports at a network perimeter does not protect the vulnerable service from the internal network. It is important to understand your network configuration and service requirements before deciding what changes are appropriate.
850785
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: November 04, 2002 Updated: January 17, 2003
Affected
Sun confirms that this kcms_server(1) vulnerability does affect all currently supported versions of Solaris:
Solaris 2.6, 7, 8, and 9
Sun will be releasing a Sun Alert which describes two possible workarounds until a final resolution is reached which will be available from the following location shortly:
<http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/50104>
The Sun Alert will be updated once a final resolution is available.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23850785 Feedback>).
Notified: December 19, 2002 Updated: January 20, 2003
Not Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Based in information from Sun and Kodak, this vulnerability exists only in the Solaris KCMS implementation (kcms_server
). No other KCMS implementation is affected.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23850785 Feedback>).
Group | Score | Vector |
---|---|---|
Base | ||
Temporal | ||
Environmental |
This vulnerability was reported by Sinan Eren of Entercept.
This document was written by Art Manion.
CVE IDs: | CVE-2003-0027 |
---|---|
Severity Metric: | 2.05 Date Public: |