From labs-no-reply@idefense.com Thu Feb 24 12:45:38 2005
From: iDEFENSE Labs
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
Date: Wed, 23 Feb 2005 17:59:51 -0500
Subject: iDEFENSE Security Advisory 02.23.05: Sun Solaris kcms_configure Arbitrary File Corruption Vulnerability

Sun Solaris kcms_configure Arbitrary File Corruption Vulnerability

iDEFENSE Security Advisory 02.23.05
www.idefense.com/application/poi/display?id=206&type=vulnerabilities
February 23, 2005

I. BACKGROUND

The kcms_configure utility is part of the Kodak Color Management System (KCMS) package that is included with Solaris. It is installed setuid root by default.

II. DESCRIPTION

Local exploitation of a race condition in the Kodak Color Management System's kcms_configure script, packaged with Sun Microsystems Inc.'s Solaris operating system, can allow for the corruption of arbitrary files on the system.

The problem specifically exists due to logging errors within kcms_configure, a set user id (setuid) root script. The file KCS_ClogFile will be written to if it exists in the current directory. Due to a lack of sanity checking, a local attacker can redirect log file output to an arbitrary file on the system through the use of symbolic links. By specifying an invalid monitor profile argument, the attacker can force an error log entry to be written.

III. ANALYSIS

Successful exploitation allows local attackers to corrupt arbitrary files on the system. Attackers can use this ability to append to important system files, possibly resulting in a denial of service or local privilege elevation.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in Sun Solaris versions 8 and 9. It is suspected that previous versions are also vulnerable. It has been reported that the Solaris 10 pre-release is also vulnerable.

V. WORKAROUND

Remove the setuid bit from kcms_configure:

    # chmod -s /usr/openwin/bin/kcms_configure

VI. VENDOR RESPONSE

This issue is addressed in Sun Alert ID #57706, available at:

    http://www.sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-57706-1

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-0481 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

04/27/2004  Initial vendor notification
04/27/2004  Initial vendor response
02/23/2005  Public disclosure

IX. CREDIT

iDEFENSE Labs is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (c) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any medium other than electronically, please email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
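Added illustration of the log-file pattern from section II (not iDEFENSE's or Sun's code; the real kcms_configure source is not on this page, so unsafe_open_log is an assumed shape of the flaw): a privileged program that opens a log name from the current directory and follows a symlink, beside a hardened open that uses O_NOFOLLOW and validates the opened descriptor rather than the path. The temporary file names and demo_symlink_check are constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed shape of the flaw: a setuid-root program appends to a log file
 * named in the current directory; open() follows a symlink, so root ends
 * up appending to whatever the link points at. */
static int unsafe_open_log(const char *path) {
    return open(path, O_WRONLY | O_APPEND);
}

/* Hardened form: O_NOFOLLOW makes open() fail (ELOOP) on a symlink at the
 * final component, and the checks run on the descriptor, not the name, so
 * a swap after open() cannot change the outcome. Requiring the real uid
 * as owner also rejects a hard link to a root-owned file. */
static int safe_open_log(const char *path) {
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario: a regular file plus a symlink pointing at it.
 * Returns 1 when the unsafe open follows the link while the safe one
 * refuses the link but still accepts the regular file. */
int demo_symlink_check(void) {
    char real[] = "/tmp/kcms_log_XXXXXX", lnk[64];
    int fd, u, s_link, s_real, ok;
    if ((fd = mkstemp(real)) < 0) return 0;
    close(fd);
    snprintf(lnk, sizeof lnk, "%s.lnk", real);
    if (symlink(real, lnk) < 0) { unlink(real); return 0; }
    u = unsafe_open_log(lnk);       /* follows the link: succeeds */
    s_link = safe_open_log(lnk);    /* refused: returns -1 */
    s_real = safe_open_log(real);   /* plain file: accepted */
    ok = u >= 0 && s_link < 0 && s_real >= 0;
    if (u >= 0) close(u);
    if (s_real >= 0) close(s_real);
    unlink(lnk); unlink(real);
    return ok;
}
```

Dropping privileges (seteuid to the real uid) around the open would close the remaining window for hard links and directory tricks; the workaround in section V removes the privilege altogether.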