SUMMARY : /usr/openwin/bin/kcms* on Solaris2.5

From: Nikos George (ngeorge@husc.HARVARD.EDU)
Date: Fri Jul 26 1996 - 12:22:39 CDT

Thanks to all and especially to Claus Assmann
( (Danke!) for forwarding me the AUSCERT
advisory on it (which I append at the end).


 AL-96.02 AUSCERT Alert
                 Vulnerability in Solaris 2.5 KCMS programs
                                  26 July 1996
 - - -----------------------------------------------------------------------------
 AUSCERT have received a report of a vulnerability in the Sun Microsystems
 Solaris 2.5 distribution involving the programs kcms_calibrate and
 kcms_configure. These programs are part of the Kodak Color Management
 System (KCMS) packages.
 This vulnerability may allow any local user to gain root privileges.
 Exploit details involving this vulnerability have been made publicly
 At this stage, AUSCERT is not aware of any official patches. AUSCERT
 recommends that sites take the actions suggested in Section 3 until official
 patches are available.
 Depending on the local sites' requirements, the Solaris 2.5 KCMS packages
 may or may not have been installed. AUSCERT recommends that individual
 sites should determine whether the programs are installed and take
 appropriate action.
 This Alert will be updated as more information becomes available.
 - - -----------------------------------------------------------------------------
 1. Description
     Solaris 2.5 contains support for the Kodak Color Management System (KCMS),
     a set of Openwindows compliant API's and libraries to create and manage
     profiles that can describe and control the colour performance of monitors,
     scanners, printers and film recorders.
     KCMS includes the programs kcms_configure and kcms_calibrate which are
     used for the configuration and calibration of an X11 window system for
     use with the KCMS library. When installed, these programs have
     set-user-id root and set-group-id bin privileges.
     A vulnerability involving these programs has been reported. Exploit
     details involving this vulnerability have been made publicly available.
     Depending on the local sites' requirements, the Solaris 2.5 KCMS packages
     may or may not have been installed.
 2. Impact
     A local user may be able to create and then write to arbitrary files on the
     system. This can be leveraged to gain root privileges.
 3. Workarounds/Solution
     Currently, there are no official patches available. When patches are
     made available it is suggested the sites install the official patches.
     Until official patches are available sites are encouraged to remove
     the setuid and setgid permissions on the kcms_calibrate and kcms_configure
     programs. These are typically located in /usr/openwin/bin.
         # chmod 400 /usr/openwin/bin/kcms_calibrate
         # chmod 400 /usr/openwin/bin/kcms_configure
     Note that this will remove the ability for users to run these programs.
 - - -----------------------------------------------------------------------------
 AUSCERT wishes to thanks Marek Krawus of the University of Queensland for
 his assistance in this matter.
 - - -----------------------------------------------------------------------------
 The AUSCERT team have made every effort to ensure that the information
 contained in this document is accurate. However, the decision to use the
 information described is the responsibility of each user or organisation.
 The appropriateness of this document for an organisation or individual system
 should be considered before application in conjunction with local policies
 and procedures. AUSCERT takes no responsibility for the consequences of
 applying the contents of this document.
 If you believe that your system has been compromised, contact AUSCERT or your
 representative in FIRST (Forum of Incident Response and Security Teams).
 AUSCERT is located at The University of Queensland within the Prentice Centre.
 AUSCERT is a full member of the Forum of Incident Response and Security Teams
 AUSCERT maintains an anonymous FTP service which is found on: This archive contains past SERT and AUSCERT
 Advisories, and other computer security information.
 AUSCERT also maintains a World Wide Web service which is found on:
 Internet Email:
 Facsimile: (07) 3365 4477
 Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
                 AUSCERT personnel answer during Queensland business hours
                 which are GMT+10:00 (AEST).
                 On call after hours for emergencies.
 Australian Computer Emergency Response Team
 c/- Prentice Centre
 The University of Queensland
 Qld. 4072.

This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:11:06 CDT