Vulnerability Note VU#850785

Sun KCMS library service daemon does not adequately validate location of KCMS profiles

Original Release date: 22 Jan 2003 | Last revised: 14 Apr 2003

Overview

The Sun KCMS library service daemon, kcms_server, does not adequately validate the location of KCMS profile files. This could allow a remote attacker to read arbitrary files on a vulnerable system.

Description

Sun Solaris contains support for the Kodak Color Management System (KCMS), an application programming interface (API) that provides color management functions for different devices and color spaces. From the KCMS Application Developer's Guide: "The KCMS framework enables the accurate reproduction, and improves the appearance of, digital color images on desktop computers and associated peripherals." KCMS profiles contain information that "tell[s] the KCMS framework how to convert input color data to the appropriate color-corrected output color data." The KCMS framework "loads and saves profiles, gets and sets KCMS profile attributes, and directs requests for color management to the right CMM at the right time."

From the man page for kcms_server(1):

DESCRIPTION
     The kcms_server is a daemon that allows the KCMS library  to
     access  profiles on remote machines. The KCMS library is its
     only client. Profiles can be accessed read only and must  be
     located  in  the following directories. This is for security
     reasons.
        /usr/openwin/etc/devdata/profiles
        /etc/openwin/devdata/profiles

     kcms_server will be automatically started by inetd(1M)  when
     a  request  to use the server is generated by a remote host.
     An entry has been added to /etc/inet/inetd.conf  correspond-
     ing to kcms_server that makes this possible.

As part of the KCMS framework, the KCMS library service daemon (kcms_server) provides a way to serve KCMS profiles to remote clients. The daemon is implemented as a Sun remote procedure call (RPC) service that is managed by the Internet services daemon (inetd(1M)) and the RPC portmapper service (rpcbind(1M)). The KCMS library service daemon listens for network requests and serves read-only KCMS profiles from /etc/openwin/devdata/profiles and /usr/openwin/etc/devdata/profiles. A typical request for a KCMS profile specifies the name of the file (fileName) and optionally, its location (hostName).

When opening a profile, the KCMS library service daemon does not adequately validate the fileName argument. According to a report published by Entercept, the checks performed by the KCS_OPEN_PROFILE procedure are not complete in that they do not account for the case of a sub-directory within the KCMS profile directories. If an attacker is able to create a sub-directory within either of the directories searched by the KCMS library service daemon, the attacker could use a specially crafted fileName argument that would bypass the directory traversal checks and allow the attacker to read any file on a vulnerable system. As noted by Entercept, the ToolTalk database server (rpc.ttdbserverd(1M)) procedure _TT_ISBUILD() can be used to create a directory named TT_DB in an arbitrary location on a remote system.

The KCMS library service daemon runs with root privileges, and both it and the ToolTalk database server are typically installed and enabled by default on Solaris systems.

Impact

A remote attacker could read any file on a vulnerable system. In the example described by Entercept, an attacker would first need to create a directory under /etc/openwin/devdata/profiles or /usr/openwin/etc/devdata/profiles.

Solution


Apply Patch

When available, apply the appropriate patch as referenced by Sun.


Disable kcms_server

Until patches are available and can be applied, disable the KCMS library service daemon by commenting out the appropriate entry in /etc/inetd.conf, terminating any currently running kcms_server processes, and restarting the Internet services daemon inetd(1M). The rpcinfo(1M), netstat(1M), and ps(1) commands may be useful in determining if the KCMS library service daemon is enabled.

The following examples are from a SunOS 5.8 (Solaris 8) system:

[/etc/inetd.conf]
#
# Sun KCMS Profile Server
#
100221/1        tli     rpc/tcp wait root /usr/openwin/bin/kcms_server  kcms_server

The KCMS library service is assigned RPC program number 100221.

$ rpcinfo -p |grep 100221
    100221    1   tcp  32781

$ netstat -a |grep 32781

      *.32781                               Idle
      *.32781              *.*                0      0 24576      0 LISTEN

$ ps -ef |grep kcms_server

    root   484   156  0 15:12:01 ?        0:00 kcms_server

As a general best practice, the CERT/CC recommends disabling any services that are not explicitly required.

Block or Restrict Access

Until patches are available and can be applied, block or restrict access to the RPC portmapper service and the KCMS library service daemon from untrusted networks such as the Internet. The RPC portmapper service typically runs on ports 111/tcp and 111/udp. In the above example, the KCMS library service daemon is configured to run on 32781/tcp, however, this port number may vary. Also, consider blocking or restricting access to the ToolTalk database server (RPC program number 100083). Keep in mind that blocking ports at a network perimeter does not protect the vulnerable service from the internal network. It is important to understand your network configuration and service requirements before deciding what changes are appropriate.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Sun Microsystems Inc.Affected04 Nov 200217 Jan 2003
KodakNot Affected19 Dec 200220 Jan 2003
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This vulnerability was reported by Sinan Eren of Entercept.

This document was written by Art Manion.

Other Information

  • CVE IDs: CAN-2003-0027
  • Date Public: 22 Jan 2003
  • Date First Published: 22 Jan 2003
  • Date Last Updated: 14 Apr 2003
  • Severity Metric: 2.05
  • Document Revision: 56

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.