| VID |
17064 |
| Severity |
40 |
| Port |
111 |
| Protocol |
TCP,UDP |
| Class |
RPC |
| Detailed Description |
The RPC kcms_server daemon contains a directory traversal vulnerability. This flaw allows a remote attacker to read arbitrary files on a vulnerable system.
Sun Solaris contains support for the Kodak Color Management System (KCMS), an application programming interface (API) that provides color management functions for different devices and color spaces. The KCMS library service daemon (kcms_server) is implemented as a Sun remote procedure call (RPC) service that is managed by the inetd daemon and the RPC portmapper service (rpcbind).
The daemon allows the KCMS library functions to access profiles on remote machines. The profiles can be read remotely and are located under the directories /etc/openwin/devdata/profiles and /usr/openwin/etc/devdata/profiles. A directory traversal condition exists within the KCS_OPEN_PROFILE procedure that can lead to remote retrieval of any file on the remote system. Since kcms_server runs with root privileges, any file on the system can be accessed. Although the open profile procedure call contains certain checks to prevent directory traversal attempts, they are inadequate and can be bypassed by using the TT_ISBUILD procedure call of the ToolTalk Database Server (rpc.ttdbserverd). The procedure _TT_ISBUILD() can be used to create a directory named TT_DB in an arbitrary location on a remote system.
* References:
  http://www.kb.cert.org/vuls/id/850785
  http://www.entercept.com/news/uspr/01-22-03.asp
* Platforms Affected:
  Sun Solaris 2.5.1 (Sparc/Intel)
  Sun Solaris 2.6 (Sparc/Intel)
  Sun Solaris 7 (Sparc/Intel)
  Sun Solaris 8 (Sparc/Intel)
  Sun Solaris 9 (Sparc/Intel) |
| Recommendation |
Apply the appropriate patch for your system, as listed in Sun Alert Notification 50104 at http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50104&zone_32=category%3Asecurity
As a temporary workaround, comment out the following lines in the file /etc/inetd.conf, and restart the inetd daemon:
  100221/1 tli rpc/tcp wait root /usr/openwin/bin/kcms_server kcms_server
  100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd |
| Related URL |
CVE-2003-0027 (CVE) |
| Related URL |
6665 (SecurityFocus) |
| Related URL |
11129 (ISS) |
|
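One way to check that the temporary workaround from the Recommendation is in place, as an added example that is not part of the original entry or of Sun's patch: a POSIX shell audit that lists the inetd.conf entries for the two named services that are still active. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an inetd.conf-format file for the two RPC services
# named in the workaround (100221 = kcms_server, 100083 = rpc.ttdbserverd).

# Print one line per entry for either service that is NOT commented out.
active_rpc_entries() {
    # $1: path to an inetd.conf-format file
    awk '
        /^[ \t]*#/ { next }    # commented-out entry: service is disabled
        NF == 0    { next }    # blank line
        {
            # Field 1 is "prognum/version" for RPC services, field 6 the server program.
            split($1, svc, "/")
            if (svc[1] == "100221" || svc[1] == "100083" ||
                $6 ~ /\/(kcms_server|rpc\.ttdbserverd)$/)
                printf "line %d: %s %s\n", FNR, $1, $6
        }
    ' "$1"
}

# Exit status 0 when neither service has an active entry, non-zero otherwise.
workaround_applied() {
    [ -z "$(active_rpc_entries "$1")" ]
}

# Constructed sample input (not from a real host): kcms_server is already
# commented out, rpc.ttdbserverd is still active, "time" is unrelated.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf
time stream tcp nowait root internal
#100221/1 tli rpc/tcp wait root /usr/openwin/bin/kcms_server kcms_server
100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
EOF
}

# Stand-alone use: pass the file to audit, e.g. /etc/inetd.conf
if [ "$#" -gt 0 ]; then
    active_rpc_entries "$1"
fi
```

The check covers the file only; inetd keeps serving the old entries until it has reread its configuration.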