The Sun KCMS library service daemon, kcms_server, does not adequately validate the location of KCMS profile files. This could allow a remote attacker to read arbitrary files on a vulnerable system.
Sun Solaris contains support for the Kodak Color Management System (KCMS), an application programming interface (API) that provides color management functions for different devices and color spaces. From the KCMS Application Developer's Guide: "The KCMS framework enables the accurate reproduction, and improves the appearance of, digital color images on desktop computers and associated peripherals." KCMS profiles contain information that "tell[s] the KCMS framework how to convert input color data to the appropriate color-corrected output color data." The KCMS framework "loads and saves profiles, gets and sets KCMS profile attributes, and directs requests for color management to the right CMM at the right time."
From the man page for kcms_server(1):
DESCRIPTION
    The kcms_server is a daemon that allows the KCMS library to access profiles on remote machines. The KCMS library is its only client. Profiles can be accessed read only and must be located in the following directories. This is for security reasons.

        /usr/openwin/etc/devdata/profiles
        /etc/openwin/devdata/profiles

    kcms_server will be automatically started by inetd(1M) when a request to use the server is generated by a remote host. An entry has been added to /etc/inet/inetd.conf corresponding to kcms_server that makes this possible.
As part of the KCMS framework, the KCMS library service daemon (kcms_server) provides a way to serve KCMS profiles to remote clients. The daemon is implemented as a Sun remote procedure call (RPC) service that is managed by the Internet services daemon (inetd(1M)) and the RPC portmapper service (rpcbind(1M)). The KCMS library service daemon listens for network requests and serves read-only KCMS profiles from /etc/openwin/devdata/profiles and /usr/openwin/etc/devdata/profiles. A typical request for a KCMS profile specifies the name of the file (fileName) and optionally, its location (hostName).
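The man page restricts profiles to the two directories above "for security reasons", but that restriction only holds if the daemon checks where a client-supplied fileName actually ends up before opening it. The following is an added example, not Sun's kcms_server code, of the containment check such a server needs: it lexically normalizes the composed path (collapsing "." and ".." segments) and then verifies that the result still lies inside the allowed directory, comparing on a path-segment boundary so that a sibling directory with a longer name cannot match by prefix. The directory names are the two from the man page; KCMS_MAX_PATH and the function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not Sun's kcms_server code): lexical path containment
 * check of the kind a profile server needs before opening a requested file.
 * The two directories are the ones named in the kcms_server(1) man page. */

#define KCMS_MAX_PATH 1024   /* assumed buffer size for this example */

static const char *const kcms_profile_dirs[] = {
    "/usr/openwin/etc/devdata/profiles",
    "/etc/openwin/devdata/profiles",
};

/* Lexically normalize an absolute path into out: collapse repeated '/',
 * drop "." segments and resolve ".." against the preceding segment.
 * Returns 0 on success, -1 if the input is not absolute, overflows out,
 * or tries to climb above "/". Symbolic links are NOT resolved here; a
 * real server must also realpath() or fstat() the file it actually opened. */
int kcms_normalize_path(const char *in, char *out, size_t out_len)
{
    size_t seg_start[KCMS_MAX_PATH / 2];  /* offset in out of each segment */
    size_t depth = 0, pos = 0;
    const char *p;

    if (in == NULL || out == NULL || in[0] != '/' || out_len < 2)
        return -1;

    out[pos++] = '/';
    p = in;
    while (*p) {
        const char *seg;
        size_t len;
        while (*p == '/') p++;            /* skip one or more separators */
        if (*p == '\0') break;
        seg = p;
        while (*p && *p != '/') p++;
        len = (size_t)(p - seg);

        if (len == 1 && seg[0] == '.')
            continue;                     /* "." adds nothing */
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (depth == 0)
                return -1;                /* would escape the root */
            pos = seg_start[--depth];     /* drop the previous segment */
            continue;
        }
        if (depth >= sizeof seg_start / sizeof seg_start[0])
            return -1;
        if (pos + len + 2 > out_len)
            return -1;
        seg_start[depth++] = pos;
        memcpy(out + pos, seg, len);
        pos += len;
        out[pos++] = '/';
    }
    if (pos > 1 && out[pos - 1] == '/')   /* strip trailing '/' except for "/" */
        pos--;
    out[pos] = '\0';
    return 0;
}

/* Returns 1 if path (after normalization) is dir itself or lies inside it,
 * 0 otherwise. The boundary check on '/' is what stops a sibling such as
 * ".../profilesX/foo" from matching ".../profiles" by string prefix alone. */
int kcms_path_within(const char *path, const char *dir)
{
    char np[KCMS_MAX_PATH], nd[KCMS_MAX_PATH];
    size_t dlen;

    if (kcms_normalize_path(path, np, sizeof np) != 0 ||
        kcms_normalize_path(dir, nd, sizeof nd) != 0)
        return 0;
    dlen = strlen(nd);
    if (strncmp(np, nd, dlen) != 0)
        return 0;
    return np[dlen] == '\0' || np[dlen] == '/' || dlen == 1;
}

/* Compose dir + "/" + file_name, normalize it, and accept it only if it is
 * still strictly inside dir. Returns 0 and fills out on success, -1 if the
 * name is empty, absolute, names the directory itself, or climbs out of it. */
int kcms_profile_path(const char *dir, const char *file_name,
                      char *out, size_t out_len)
{
    char nd[KCMS_MAX_PATH], candidate[KCMS_MAX_PATH];
    int n;

    if (file_name == NULL || file_name[0] == '\0' || file_name[0] == '/')
        return -1;                        /* client names must be relative */
    if (kcms_normalize_path(dir, nd, sizeof nd) != 0)
        return -1;
    n = snprintf(candidate, sizeof candidate, "%s/%s", nd, file_name);
    if (n < 0 || (size_t)n >= sizeof candidate)
        return -1;
    if (kcms_normalize_path(candidate, out, out_len) != 0)
        return -1;
    if (!kcms_path_within(out, nd) || strcmp(out, nd) == 0)
        return -1;                        /* ".." left the profile directory */
    return 0;
}

/* Convenience check used by the demo below: does dir + file_name resolve
 * to exactly expected? Returns 1 for yes, 0 for rejected or different. */
int kcms_profile_path_is(const char *dir, const char *file_name,
                         const char *expected)
{
    char out[KCMS_MAX_PATH];
    if (kcms_profile_path(dir, file_name, out, sizeof out) != 0)
        return 0;
    return strcmp(out, expected) == 0;
}

int main(void)
{
    /* Constructed sample requests, one acceptable and two that must be refused. */
    const char *names[] = { "monitor.pf", "sub/../../../other/file", "/etc/passwd" };
    char out[KCMS_MAX_PATH];
    for (size_t d = 0; d < 2; d++) {
        for (size_t i = 0; i < 3; i++) {
            int rc = kcms_profile_path(kcms_profile_dirs[d], names[i], out, sizeof out);
            printf("%-35s %-28s -> %s\n", kcms_profile_dirs[d], names[i],
                   rc == 0 ? out : "REJECTED");
        }
    }
    return 0;
}
```

Lexical normalization is necessary but not sufficient: a symbolic link planted inside a profile directory still points wherever its target does, so the server should open the candidate, then confirm with fstat()/realpath() that the opened file really resides under the allowed directory before returning its contents.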
A remote attacker could read any file on a vulnerable system. In the example described by Entercept, an attacker would first need to create a directory under /etc/openwin/devdata/profiles or /usr/openwin/etc/devdata/profiles.
This vulnerability was reported by Sinan Eren of Entercept.
This document was written by Art Manion.
Date First Published: 2003-01-22
Date Last Updated: 2003-04-14 16:04 UTC