TUCoPS :: SunOS/Solaris :: cert0120.txt

Solaris KCMS vulnerability 


-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
CERT(sm) Advisory CA-96.15
Original issue date: July 31, 1996
Last revised: February 25, 1997  
                Introduction - added information that CERT/CC has received
                reports of this vulnerability being exploited.
                Added copyright information.

              A complete revision history is at the end of this file.

Topic: Vulnerability in Solaris 2.5 KCMS programs
- -----------------------------------------------------------------------------

   The text of this advisory was originally released on July 26, 1996, as
   AUSCERT Advisory AL-96.02, developed by the Australian Computer Emergency
   Response Team. Because of the seriousness of the problem, we are reprinting
   the AUSCERT advisory here with their permission. Only the contact
   information at the end has changed: AUSCERT contact information has been
   replaced with CERT/CC contact information.

   Note that this vulnerability also affects Solaris 2.5.1.

   The CERT/CC has received reports that this vulnerability has
   been exploited.

   We will update this advisory as we receive additional information.
   Please check advisory files regularly for updates that relate to your site.

=============================================================================

AUSCERT have received a report of a vulnerability in the Sun Microsystems
Solaris 2.5 distribution involving the programs kcms_calibrate and
kcms_configure.  These programs are part of the Kodak Color Management
System (KCMS) packages.

This vulnerability may allow any local user to gain root privileges.

Exploit details involving this vulnerability have been made publicly
available.

At this stage, AUSCERT is not aware of any official patches.  AUSCERT
recommends that sites take the actions suggested in Section 3 until official
patches are available.

Depending on the local sites' requirements, the Solaris 2.5 KCMS packages
may or may not have been installed.  AUSCERT recommends that individual
sites should determine whether the programs are installed and take
appropriate action.

This Alert will be updated as more information becomes available.

- -----------------------------------------------------------------------------

1.  Description

    Solaris 2.5 contains support for the Kodak Color Management System (KCMS),
    a set of Openwindows compliant API's and libraries to create and manage
    profiles that can describe and control the colour performance of monitors,
    scanners, printers and film recorders.

    KCMS includes the programs kcms_configure and kcms_calibrate which are
    used for the configuration and calibration of an X11 window system for
    use with the KCMS library.  When installed, these programs have
    set-user-id root and set-group-id bin privileges.

    A vulnerability involving these programs has been reported.  Exploit
    details involving this vulnerability have been made publicly available.

    Depending on the local sites' requirements, the Solaris 2.5 KCMS packages
    may or may not have been installed.

2.  Impact

    A local user may be able to create and then write to arbitrary files on the
    system.  This can be leveraged to gain root privileges.

3.  Workarounds/Solution

    Currently, there are no official patches available.  When patches are
    made available it is suggested the sites install the official patches.

    Until official patches are available sites are encouraged to remove
    the setuid and setgid permissions on the kcms_calibrate and kcms_configure
    programs.  These are typically located in /usr/openwin/bin.

        # chmod 400 /usr/openwin/bin/kcms_calibrate
        # chmod 400 /usr/openwin/bin/kcms_configure

    Note that this will remove the ability for users to run these programs.

- -----------------------------------------------------------------------------
AUSCERT wishes to thanks Marek Krawus of the University of Queensland for
his assistance in this matter.
- -----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident
Response and Security Teams (FIRST).

We strongly urge you to encrypt any sensitive information you send by email.
The CERT Coordination Center can support a shared DES key and PGP. Contact
the CERT staff for more information.

Location of CERT PGP key
         ftp://info.cert.org/pub/CERT_PGP.key

CERT Contact Information
- ------------------------
Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours.

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
        http://www.cert.org/
        ftp://info.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup
        comp.security.announce

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
        cert-advisory-request@cert.org
- ---------------------------------------------------------------------------
Copyright 1997 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and the copyright statement is
included.

CERT is a service mark of Carnegie Mellon University.
- ---------------------------------------------------------------------------

This file: ftp://info.cert.org/pub/cert_advisories/CA-96.15_Solaris_KCMS_vul
           http://www.cert.org
               click on "CERT Advisories"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history

Feb. 25, 1997  Introduction - added information that CERT/CC has received
                 reports of this vulnerability being exploited.
                 Added copyright information.
Aug. 30, 1996  Information previously in the README was inserted into the
                 advisory.
               Beginning of the AUSCERT text - removed AUSCERT advisory
                 header to avoid confusion.
Aug. 02, 1996  Introduction - added information about Solaris 2.5.1.



-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMxL87HVP+x0t4w7BAQFt1gP/XTdiJd3hyKLaNJ3c2uvTNCy4cnSXQIiH
nRulpb+NbVAx0sD1PjoUB4RlmTbLNUhZt29qGO+pYX5NXvTE2EAwfMYiqcVRIAyD
MYFE1+l1xiN6vhXYyId1ZpTDM2dtwZ9ZDO6kcsV2MLgaaaP9+kzYNQcNu9beI5jP
YaduHNZI5UQ=
=J9LA
-----END PGP SIGNATURE-----

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH