-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
AL-96.02                        AUSCERT Alert
		Vulnerability in Solaris 2.5 KCMS programs
                                 26 July 1996

Last Revised:	1 May 1997
		Added Solaris 2.5.1 to list of affected systems.
		Added Sun patch information.

                A complete revision history is at the end of this file.

- -----------------------------------------------------------------------------

AUSCERT have received a report of a vulnerability in the Sun Microsystems
Solaris 2.5/2.5.1 distribution involving the programs kcms_calibrate and
kcms_configure.  These programs are part of the Kodak Color Management
System (KCMS) packages.

This vulnerability may allow any local user to gain root privileges.

Exploit details involving this vulnerability have been made publicly
available.

Official vendor patches which address this vulnerability have been
released.  AUSCERT recommends that sites take the actions suggested in
Section 3 as soon as possible.

Depending on the local sites' requirements, the Solaris 2.5/2.5.1 KCMS
packages may or may not have been installed.  AUSCERT recommends that
individual sites should determine whether the programs are installed and
take appropriate action.

This Alert will be updated as more information becomes available.

- -----------------------------------------------------------------------------

1.  Description

    Solaris 2.5/2.5.1 contains support for the Kodak Color Management
    System (KCMS), a set of Openwindows compliant API's and libraries to
    create and manage profiles that can describe and control the colour
    performance of monitors, scanners, printers and film recorders.

    KCMS includes the programs kcms_configure and kcms_calibrate which are
    used for the configuration and calibration of an X11 window system for
    use with the KCMS library.  When installed, these programs have
    set-user-id root and set-group-id bin privileges.

    A vulnerability involving these programs has been reported.  Exploit
    details involving this vulnerability have been made publicly available.

    Depending on the local sites' requirements, the Solaris 2.5/2.5.1 KCMS
    packages may or may not have been installed.

2.  Impact

    A local user may be able to create and then write to arbitrary files
    on the system.  This can be leveraged to gain root privileges.

3.  Workarounds/Solution

    Sun Microsystems has released patches addressing the vulnerability
    described in this advisory.  Information regarding these patches can
    be found in Section 3.2.  Until these patches are applied, sites are
    advised to take the necessary steps outlined in Section 3.1.

3.1 Remove all execute permissions

    Until official patches can be applied, sites are encouraged to remove
    the setuid and setgid permissions on the kcms_calibrate and kcms_configure
    programs.  These are typically located in /usr/openwin/bin.

	# chmod 400 /usr/openwin/bin/kcms_calibrate
	# chmod 400 /usr/openwin/bin/kcms_configure

    Note that this will remove the ability for users to run these programs.

3.2 Install vendor patches

    Sun Microsystems has released patches which address the vulnerability
    described in this advisory.  AUSCERT recommends that sites apply these
    patches as soon as possible.

    Patches have been released for:

    Operating System           Patch                MD5 Checksum
    ~~~~~~~~~~~~~~~~           ~~~~~                ~~~~~~~~~~~~
   Solaris 2.5 sparc:      103878-04.tar.Z  d3408d799a95b74ccb27062ffd7eb271
   Solaris 2.5 x86:        103880-04.tar.Z  8972053e70a2b1ad3194b543d4e53c47
   Solaris 2.5.1 sparc:    103879-04.tar.Z  eb30a30903d842178fe8bb679a4a461c
   Solaris 2.5.1 x86:      103881-04.tar.Z  4cac031d8f2d379177c0dc0c63642ba9
    
    These patches can be retrieved from:

        ftp://sunsolve1.sun.com.au/pub/patches/
        ftp://ftp.auscert.org.au/pub/mirrors/sunsolve1.sun.com/


- -----------------------------------------------------------------------------
AUSCERT wishes to thanks Marek Krawus of the University of Queensland,
Marko Laakso (University of Oulu) and Sun Microsystems for their assistance
in this matter.
- -----------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate.  However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual system
should be considered before application in conjunction with local policies
and procedures.  AUSCERT takes no responsibility for the consequences of
applying the contents of this document.

If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

AUSCERT is located at The University of Queensland within the Prentice Centre.
AUSCERT is a full member of the Forum of Incident Response and Security Teams
(FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 4477
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AUSCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld.  4072.
AUSTRALIA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History

1 May 1997      Sun Microsystems has released patches addressing the	
		vulnerability described in this advisory.  Information
		regarding these patches was added to Section 3.

		Solaris 2.5.1 is also affected by this vulnerability.
		Information stating this was added to the description.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCUAwUBM2haVCh9+71yA2DNAQEDgwP4wjMsbq7o8lRVgFslR+O6x7riv6vpeQOt
vFqRzOXNOsSfOmLT0x+/gEiKTfPYYkFIQ0ie5h6ZMuoyNNb5zZhmtZoLPuwfLfS5
f9A2QZ98zqrfMDJN5KUT0Pne1gHdz59VQtB1WkfhyFmWxM2ccKhNF5WhxitSRjn0
DttBhVVBQQ==
=ubYk
-----END PGP SIGNATURE-----