*******ENTERCEPT RICOCHET ADVISORY*******

Date: Wednesday, January 22, 2003
Issue: KCMS Library Service Daemon Arbitrary File Retrieval Vulnerability
http://www.entercept.com/news/uspr/01-22-03.asp

Vulnerability Description:

Kodak Color Management System (KCMS) is an API that provides color management functions for different devices and color spaces. The kcms_server is a daemon that allows the KCMS library functions to access profiles on remote machines. The profiles can be remotely read and are located under the directories /etc/openwin/devdata/profiles and /usr/openwin/etc/devdata/profiles.

There exists a directory traversal condition within the KCS_OPEN_PROFILE procedure that can lead to remote retrieval of any file on the operating system, since the kcms_server runs with root privileges. Although certain checks to prevent directory traversal attempts are present in the open profile procedure call, they are inadequate and can be bypassed by utilizing the ToolTalk Database Server's TT_ISBUILD procedure call.

Vendors Affected:

- Sun Microsystems Inc.

Vulnerable Platforms:

- Sun Solaris/Sparc 2.5, 2.6, 7, 8, 9
- Sun Solaris/x86 2.5, 2.6, 7, 8, 9

Vendor Information/CERT Information:

Entercept worked directly with Sun Microsystems Inc. and CERT (Computer Emergency Response Team), providing the technical details necessary to develop patches and coordinate security advisories. The CERT advisory will be available at:
http://www.kb.cert.org/vuls/id/850785

Acknowledgement/Information Resources:

This vulnerability was discovered and researched by Sinan Eren of the Entercept Ricochet Team.

ABOUT ENTERCEPT RICOCHET:

Entercept's Ricochet team is a specialized group of security researchers dedicated to identifying, assessing, and evaluating intelligence regarding server threats. The Ricochet team researches current and future avenues of attack and builds this knowledge into Entercept's intrusion prevention solution.
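The vulnerability description above turns on a file-serving daemon whose directory traversal checks were inadequate. The advisory does not publish the kcms_server check itself or the details of the ToolTalk interaction, so the following is an added illustration, not code from Entercept, Sun or KCMS: it shows the defensive pattern a daemon serving files from fixed directories should apply, namely join the client-supplied name onto the allowed root, lexically normalize the result (collapsing "//" and ".", resolving ".."), and only then verify that the normalized path still lies strictly inside that root. The two root directories are the ones named in the advisory; the function names, the sample profile names and the assumption that requests arrive as relative names are all this example's own.

```c
#include <stdio.h>
#include <string.h>

/* The two profile directories named in the advisory. */
static const char *const PROFILE_ROOTS[] = {
    "/etc/openwin/devdata/profiles",
    "/usr/openwin/etc/devdata/profiles",
};
#define NROOTS (sizeof PROFILE_ROOTS / sizeof PROFILE_ROOTS[0])

/* Lexically normalize an absolute path: collapse repeated '/', drop "."
 * components and resolve "..". Returns 0 on success, -1 if the input is
 * not absolute, tries to climb above "/", or does not fit in out. */
int normalize_path(const char *in, char *out, size_t outsz)
{
    size_t len = 0;                       /* bytes in out, excluding NUL */
    const char *p = in;

    if (in == NULL || in[0] != '/' || outsz < 2)
        return -1;
    out[0] = '\0';
    while (*p) {
        const char *seg;
        size_t seglen;

        while (*p == '/')                 /* skip one or more separators */
            p++;
        if (*p == '\0')
            break;
        seg = p;
        while (*p && *p != '/')
            p++;
        seglen = (size_t)(p - seg);

        if (seglen == 1 && seg[0] == '.')
            continue;                     /* "." adds nothing */
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            if (len == 0)
                return -1;                /* refuse to climb above "/" */
            while (len > 0 && out[len - 1] != '/')
                len--;                    /* drop the last component */
            if (len > 0)
                len--;                    /* and its separator */
            out[len] = '\0';
            continue;
        }
        if (len + 1 + seglen + 1 > outsz)
            return -1;                    /* would overflow out */
        out[len++] = '/';
        memcpy(out + len, seg, seglen);
        len += seglen;
        out[len] = '\0';
    }
    if (len == 0) {                       /* input reduced to the root */
        out[0] = '/';
        out[1] = '\0';
    }
    return 0;
}

/* True if path names something strictly inside root. A bare prefix match
 * (".../profilesX") or root itself does not count. */
static int strictly_under(const char *path, const char *root)
{
    size_t rl = strlen(root);
    return strncmp(path, root, rl) == 0 && path[rl] == '/' && path[rl + 1] != '\0';
}

/* Normalize an absolute path and accept it only if it lies inside one of
 * the allowed roots. Returns 1 and fills resolved on success, 0 otherwise. */
int profile_path_allowed(const char *requested, char *resolved, size_t outsz)
{
    size_t i;
    if (normalize_path(requested, resolved, outsz) != 0)
        return 0;
    for (i = 0; i < NROOTS; i++)
        if (strictly_under(resolved, PROFILE_ROOTS[i]))
            return 1;
    return 0;
}

/* Join a client-supplied profile name (hypothetical request shape) onto each
 * root in turn; return the index of the first root the normalized result
 * stays inside, or -1. Checking happens on the joined, normalized path, not
 * on the raw name, so the check sees exactly what would be opened. */
int resolve_profile_request(const char *name, char *resolved, size_t outsz)
{
    char joined[1024];
    size_t i;
    for (i = 0; i < NROOTS; i++) {
        if (snprintf(joined, sizeof joined, "%s/%s", PROFILE_ROOTS[i], name) >= (int)sizeof joined)
            return -1;
        if (normalize_path(joined, resolved, outsz) == 0 && strictly_under(resolved, PROFILE_ROOTS[i]))
            return (int)i;
    }
    return -1;
}

int main(void)
{
    /* Constructed sample requests: two legitimate names and one traversal attempt. */
    const char *samples[] = { "sRGB.pf", "../../../../etc/passwd", "./sub//mon.pf" };
    char buf[1024];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = resolve_profile_request(samples[i], buf, sizeof buf);
        printf("%-24s -> %s\n", samples[i], r < 0 ? "rejected" : buf);
    }
    return 0;
}
```

Two points follow from the advisory rather than from the code. First, the check is lexical: it cannot see symlinks inside the profile directories, so a real daemon should also confirm the opened file with realpath(3) or fstat(2) against the root directory before sending its contents. Second, the advisory notes that kcms_server runs as root, which is what turns a traversal into arbitrary file retrieval; a daemon that only needs to read world-readable profiles should drop privileges so that a bypassed check exposes far less.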
Ricochet is dedicated to providing critical, viable security content via security advisories and technical briefs. This content is designed to educate organizations and security professionals about the nature and severity of Internet security threats, vulnerabilities and exploits.

Copyright Entercept Security Technologies. All rights reserved. Entercept and the Entercept logo are trademarks of Entercept Security Technologies. All other trademarks, trade names or service marks are the property of their respective owners.

DISCLAIMER STATEMENT:

The information in this bulletin is provided by Entercept Security Technologies, Inc. ("Entercept") and is intended to provide information on a particular security issue or incident. Given that each exploitation technique is unique, Entercept makes no claim to prevent any specific exploit related to the vulnerability discussed in this bulletin. Entercept expressly disclaims any and all warranties with respect to the information provided in this bulletin, express or implied or otherwise, including, but not limited to, warranty of fitness for a particular purpose. Under no circumstances may this information be used to exploit vulnerabilities in any other environment.

http://www.entercept.com/news/uspr/01-22-03.asp

###