Sun Solaris kcms_server KCS_OPEN_PROFILE directory traversal

solaris-kcms-directory-traversal (11129) The risk level is classified as Medium Risk

Description:

The Kodak Color Management System (KCMS) Library Service Daemon in Sun Solaris could allow a remote attacker to traverse directories and obtain any file on the system. The KCS_OPEN_PROFILE procedure fails to properly validate the fileName argument when the KCMS library service daemon receives a request for a KCMS profile. If a remote attacker could create a subdirectory in either the /etc/openwin/devdata/profiles or the /usr/openwin/etc/devdata/profiles directory, the attacker could send a specially-crafted profile request to traverse directories and read any file on the system.
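One way to validate a client-supplied profile name before joining it to the two profile directories named above, as an added example (not code from kcms_server or from the advisory). The function names, the prefix-only `weak_check` it is contrasted with, and the sample names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* The two profile directories named in the advisory. */
static const char *const PROFILE_DIRS[2] = {
    "/etc/openwin/devdata/profiles",
    "/usr/openwin/etc/devdata/profiles",
};

/* Hypothetical prefix-only check (assumed; not kcms_server's code). */
int weak_check(const char *name)
{
    return name[0] != '/' && strncmp(name, "../", 3) != 0;
}

/* Reject empty names, absolute names, and a ".." component at any
 * position in the name. Returns 1 if the name is acceptable. */
int profile_name_ok(const char *name)
{
    const char *p;
    if (name == NULL || name[0] == '\0' || name[0] == '/')
        return 0;
    for (p = name; *p != '\0'; p += (*p == '/')) {
        size_t len = strcspn(p, "/");          /* length of this component */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        p += len;
    }
    return 1;
}

/* Write "<profile dir>/<name>" to out: 0 on success, -1 on rejection or
 * truncation. Symlinks still need a realpath() check before opening. */
int build_profile_path(int dir_index, const char *name, char *out, size_t outlen)
{
    int n;
    if (dir_index < 0 || dir_index > 1 || !profile_name_ok(name))
        return -1;
    n = snprintf(out, outlen, "%s/%s", PROFILE_DIRS[dir_index], name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char path[256];
    const char *name = "sub/../../x";          /* constructed sample name */
    printf("weak=%d strict=%d\n", weak_check(name), profile_name_ok(name));
    return build_profile_path(0, "example.icm", path, sizeof path);
}
```

The constructed name that begins with a subdirectory passes the prefix-only check but is rejected by the component-wise check, which is why the check has to cover every component of the fileName argument.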


Consequences:

Obtain Information

Remedy:

Apply the appropriate patch for your system, as listed below. Refer to Sun Alert ID: 50104 for more information. See References.

SPARC Platform:
Solaris 9 with patch 114636-01 or later

x86 Platform:
Solaris 9 with patch 114637-01 or later

As a workaround, follow the instructions as listed in Sun Alert ID: 50104. See References.

References:

  • CIAC Information Bulletin O-069: Sun kcms_server Daemon Vulnerability.
  • Entercept Security Alert 01/22/2003: KCMS Library Service Daemon Arbitrary File Retrieval Vulnerability.
  • Sun Alert ID: 50104: Security Issue with kcms_server Daemon.
  • BID-6665: Kodak KCMS KCS_OPEN_PROFILE Procedure Arbitrary File Access Vulnerability
  • CVE-2003-0027: Directory traversal vulnerability in Sun Kodak Color Management System (KCMS) library service daemon (kcms_server) allows remote attackers to read arbitrary files via the KCS_OPEN_PROFILE procedure.
  • OSVDB ID: 8201: Sun Kodak Color Management System (KCMS) kcms_server Arbitrary File Access
  • US-CERT VU#850785: Sun KCMS library service daemon does not adequately validate location of KCMS profiles

Platforms Affected:

  • Sun Solaris 2.5.1
  • Sun Solaris 2.6
  • Sun Solaris 7.0
  • Sun Solaris 8
  • Sun Solaris 9

Reported:

Jan 22, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@us.ibm.com
