Thanks to all and especially to Claus Assmann
(ca@mine.informatik.uni-kiel.de) (Danke!) for forwarding me the AUSCERT
advisory on it (which I append at the end).
/Nikos
=============================================================================
AL-96.02 AUSCERT Alert
Vulnerability in Solaris 2.5 KCMS programs
26 July 1996
- - -----------------------------------------------------------------------------
AUSCERT have received a report of a vulnerability in the Sun Microsystems
Solaris 2.5 distribution involving the programs kcms_calibrate and
kcms_configure. These programs are part of the Kodak Color Management
System (KCMS) packages.
This vulnerability may allow any local user to gain root privileges.
Exploit details involving this vulnerability have been made publicly
available.
At this stage, AUSCERT is not aware of any official patches. AUSCERT
recommends that sites take the actions suggested in Section 3 until official
patches are available.
Depending on the local sites' requirements, the Solaris 2.5 KCMS packages
may or may not have been installed. AUSCERT recommends that individual
sites should determine whether the programs are installed and take
appropriate action.
This Alert will be updated as more information becomes available.
- - -----------------------------------------------------------------------------
1. Description
Solaris 2.5 contains support for the Kodak Color Management System (KCMS),
a set of Openwindows compliant API's and libraries to create and manage
profiles that can describe and control the colour performance of monitors,
scanners, printers and film recorders.
KCMS includes the programs kcms_configure and kcms_calibrate which are
used for the configuration and calibration of an X11 window system for
use with the KCMS library. When installed, these programs have
set-user-id root and set-group-id bin privileges.
A vulnerability involving these programs has been reported. Exploit
details involving this vulnerability have been made publicly available.
Depending on the local sites' requirements, the Solaris 2.5 KCMS packages
may or may not have been installed.
2. Impact
A local user may be able to create and then write to arbitrary files on the
system. This can be leveraged to gain root privileges.
3. Workarounds/Solution
Currently, there are no official patches available. When patches are
made available it is suggested the sites install the official patches.
Until official patches are available sites are encouraged to remove
the setuid and setgid permissions on the kcms_calibrate and kcms_configure
programs. These are typically located in /usr/openwin/bin.
# chmod 400 /usr/openwin/bin/kcms_calibrate
# chmod 400 /usr/openwin/bin/kcms_configure
Note that this will remove the ability for users to run these programs.
- - -----------------------------------------------------------------------------
AUSCERT wishes to thanks Marek Krawus of the University of Queensland for
his assistance in this matter.
- - -----------------------------------------------------------------------------
The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate. However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual system
should be considered before application in conjunction with local policies
and procedures. AUSCERT takes no responsibility for the consequences of
applying the contents of this document.
If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).
AUSCERT is located at The University of Queensland within the Prentice Centre.
AUSCERT is a full member of the Forum of Incident Response and Security Teams
(FIRST).
AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.
AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 4477
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld. 4072.
AUSTRALIA
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:11:06 CDT