CVE-2003-0027
CVSS 5.0
Published: 2003-02-07 00:00:00
Revised: 2016-10-17 22:28:32

[Original] Directory traversal vulnerability in Sun Kodak Color Management System (KCMS) library service daemon (kcms_server) allows remote attackers to read arbitrary files via the KCS_OPEN_PROFILE procedure.


[CNNVD] Sun Solaris kcms_server Remote Arbitrary File Read Vulnerability (CNNVD-200302-009)

Kodak Color Management System (KCMS) is a set of APIs that provide color management for different devices and color spaces. kcms_server is a daemon that lets KCMS library functions access profile files on a remote host.
kcms_server exposes a remote procedure, KCS_OPEN_PROFILE, that opens these files, but its implementation contains a directory traversal vulnerability; because kcms_server runs as root, an attacker can read arbitrary files remotely. By default the profile files live under /etc/openwin/devdata/profiles and /usr/openwin/etc/devdata/profiles. Although kcms_server performs some checks on the profile file name to prevent directory traversal, the checks are incomplete, and they can be bypassed by using the ToolTalk database server's TT_ISBUILD procedure call to create subdirectories under those directories.
By obtaining sensitive files such as /etc/passwd or /etc/shadow, an attacker may gain ordinary-user or even root access to the system.
Exploiting this vulnerability requires that the target host also be running the rpc.ttdbserverd service.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/o:sun:solaris:2.5.1
cpe:/o:sun:solaris:7.0
cpe:/o:sun:solaris:2.6::x86
cpe:/o:sun:solaris:8.0::x86
cpe:/o:sun:solaris:7.0::x86
cpe:/o:sun:solaris:2.6
cpe:/o:sun:solaris:8.0
cpe:/o:sun:solaris:2.5.1::x86
cpe:/o:sun:solaris:9.0::sparc
cpe:/o:sun:solaris:9.0:x86_update_2

- OVAL (technical details for detection)

oval:org.mitre.oval:def:2592  KCMS KCS_OPEN_PROFILE File Disclosure Vulnerability
oval:org.mitre.oval:def:195  Solaris 8 KCMS Arbitrary File Access Vulnerability
oval:org.mitre.oval:def:120  Solaris 7 KCMS Arbitrary File Access Vulnerability
* OVAL describes in detail how to detect this vulnerability; see the related OVAL definitions for further technical detail on detection.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0027
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0027
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200302-009
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=104326556329850&w=2
(UNKNOWN)  BUGTRAQ  20030122 Entercept Ricochet Advisory: Sun Solaris KCMS Library Service Daemon Arbitrary File Retrieval Vulner
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/50104
(UNKNOWN)  SUNALERT  50104
http://www.entercept.com/news/uspr/01-22-03.asp
(VENDOR_ADVISORY)  MISC  http://www.entercept.com/news/uspr/01-22-03.asp
http://www.kb.cert.org/vuls/id/850785
(VENDOR_ADVISORY)  CERT-VN  VU#850785
http://www.securityfocus.com/bid/6665
(UNKNOWN)  BID  6665
http://xforce.iss.net/xforce/xfdb/11129
(UNKNOWN)  XF  solaris-kcms-directory-traversal(11129)

- Vulnerability information

Sun Solaris kcms_server Remote Arbitrary File Read Vulnerability
Medium  Input validation
2003-02-07 00:00:00 2005-05-13 00:00:00
Remote

- Advisories and patches

Temporary workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the risk:
* Disable the 'kcms_server' service. Using Solaris 8 as an example:
 1. Become the root user
 $ su -
 #
 2. Remove execute permission from kcms_server
 # chmod 000 /usr/openwin/bin/kcms_server
 3. Kill any running kcms_server process
 # ps -ef|grep kcms_server
 root 1485 157 0 15:57:02 ? 0:00 kcms_server
 # kill -9 1485 (in the example above, 1485 is the pid of kcms_server)
 4. Edit /etc/inetd.conf and comment out the line containing kcms_server:
 100221/1 tli rpc/tcp wait root /usr/openwin/bin/kcms_server kcms_server
 so that it becomes:
 #100221/1 tli rpc/tcp wait root /usr/openwin/bin/kcms_server kcms_server
 5. Restart inetd (send it SIGHUP so it re-reads inetd.conf)
 # ps -ef|grep inetd
 root 157 1 0 1月 14 ? 0:00 /usr/sbin/inetd -s
 # kill -HUP 157
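The inetd.conf part of the workaround above (steps 4 and 5), as an added POSIX shell example that is not from the advisory or from Sun: it counts the kcms_server entries in an inetd.conf file that are still active and comments them out in a repeatable way. It assumes the classic inetd.conf line format quoted above and runs against a constructed sample file, not /etc/inetd.conf.

```shell
#!/bin/sh
# Added example, not part of the advisory: audit and disable the kcms_server
# entry in an inetd.conf file (steps 4 and 5 of the workaround, made
# re-runnable). Assumes the classic inetd.conf line format quoted above.

# Count inetd.conf lines that still launch kcms_server (not commented out).
kcms_inetd_status() {
    # grep -c prints 0 and exits 1 when nothing matches; keep the count.
    grep -c '^[^#]*kcms_server' "$1" || true
}

# Comment out every active kcms_server line; keeps a .bak copy for rollback.
# Running it twice is harmless: already-commented lines no longer match,
# but note the .bak copy is overwritten on each run.
kcms_inetd_disable() {
    cp "$1" "$1.bak" || return 1
    sed -e '/^[^#]*kcms_server/s/^/#/' "$1.bak" > "$1" || return 1
}

# Constructed sample inetd.conf fragment (not taken from a real host).
make_sample_inetd() {
    cat > "$1" <<'EOF'
# constructed sample: one unrelated service plus the entry from the advisory
ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd
100221/1 tli rpc/tcp wait root /usr/openwin/bin/kcms_server kcms_server
EOF
}

# Demo on the constructed sample. On a real Solaris 8 host you would pass
# /etc/inetd.conf and then send inetd SIGHUP as in step 5 above.
demo_file=$(mktemp)
make_sample_inetd "$demo_file"
echo "active kcms_server entries before: $(kcms_inetd_status "$demo_file")"
kcms_inetd_disable "$demo_file"
echo "active kcms_server entries after:  $(kcms_inetd_status "$demo_file")"
rm -f "$demo_file" "$demo_file.bak"
```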
Vendor patches:
Sun
---
Sun has released a security alert (Sun-Alert-50104) and corresponding patches for this issue:
Sun-Alert-50104: Security Issue with kcms_server Daemon
Link:
http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F50104

Patch downloads:
         SPARC Platform
         * Solaris 2.6 107336-02
         * Solaris 7 107337-03
         * Solaris 8 111400-02
         * Solaris 9 114636-01
        x86 Platform
         * Solaris 2.6 107338-02
         * Solaris 8 111401-02
         * Solaris 7 107339-03
         * Solaris 9 114637-01

- Vulnerability information

8201
Sun Kodak Color Management System (KCMS) kcms_server Arbitrary File Access
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality Patch / RCS
Exploit Public Vendor Verified

- Vulnerability description

Sun Kodak Color Management System contains a flaw that allows a remote attacker to traverse outside of a restricted path. The issue is due to the KCS_OPEN_PROFILE not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied via the KCMS profile. This directory traversal attack would allow the attacker to access arbitrary files.

- Timeline

2003-01-22 Unknown
Unknown Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Sun has released a patch to address this vulnerability.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Kodak KCMS KCS_OPEN_PROFILE Procedure Arbitrary File Access Vulnerability
Input Validation Error 6665
Yes No
2003-01-22 12:00:00 2009-07-11 08:06:00
Vulnerability discovery credited to Entercept Security Technologies.

- Affected program versions

Sun Solaris 2.5.1 _x86
Sun Solaris 2.5.1
Sun Solaris 9_x86 Update 2
Sun Solaris 9_x86
Sun Solaris 9
Sun Solaris 8_x86
Sun Solaris 8_sparc
Sun Solaris 7.0_x86
Sun Solaris 7.0
Sun Solaris 2.6_x86
Sun Solaris 2.6

- Vulnerability discussion

It has been reported that a problem exists in the Kodak Color Management System (KCMS) due to the insecure handling of input. It may be possible for a remote user to gain access to arbitrary files on a vulnerable host. This could allow remote information gathering, leakage of sensitive information, and potentially privilege elevation.

- Exploit

An exploit is available for the Metasploit Framework.

- Solution

Sun has released fixes for this issue:

Sun Solaris 2.6
Sun Solaris 7.0
Sun Solaris 8_x86
Sun Solaris 2.6_x86
Sun Solaris 8_sparc
Sun Solaris 9
Sun Solaris 9_x86
Sun Solaris 7.0_x86

- References
