-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
AL-96.02                        AUSCERT Alert
		Vulnerability in Solaris 2.5 KCMS programs
                                 26 July 1996
- -----------------------------------------------------------------------------

AUSCERT have received a report of a vulnerability in the Sun Microsystems
Solaris 2.5 distribution involving the programs kcms_calibrate and
kcms_configure.  These programs are part of the Kodak Color Management
System (KCMS) packages.

This vulnerability may allow any local user to gain root privileges.

Exploit details involving this vulnerability have been made publicly
available.

At this stage, AUSCERT is not aware of any official patches.  AUSCERT
recommends that sites take the actions suggested in Section 3 until official
patches are available.

Depending on the local sites' requirements, the Solaris 2.5 KCMS packages
may or may not have been installed.  AUSCERT recommends that individual
sites should determine whether the programs are installed and take
appropriate action.

This Alert will be updated as more information becomes available.

- -----------------------------------------------------------------------------

1.  Description

    Solaris 2.5 contains support for the Kodak Color Management System (KCMS),
    a set of Openwindows compliant API's and libraries to create and manage
    profiles that can describe and control the colour performance of monitors,
    scanners, printers and film recorders.

    KCMS includes the programs kcms_configure and kcms_calibrate which are
    used for the configuration and calibration of an X11 window system for
    use with the KCMS library.  When installed, these programs have
    set-user-id root and set-group-id bin privileges.

    A vulnerability involving these programs has been reported.  Exploit
    details involving this vulnerability have been made publicly available.
    
    Depending on the local sites' requirements, the Solaris 2.5 KCMS packages 
    may or may not have been installed.

2.  Impact

    A local user may be able to create and then write to arbitrary files on the
    system.  This can be leveraged to gain root privileges.

3.  Workarounds/Solution

    Currently, there are no official patches available.  When patches are
    made available it is suggested the sites install the official patches.

    Until official patches are available sites are encouraged to remove
    the setuid and setgid permissions on the kcms_calibrate and kcms_configure
    programs.  These are typically located in /usr/openwin/bin.

	# chmod 400 /usr/openwin/bin/kcms_calibrate
	# chmod 400 /usr/openwin/bin/kcms_configure

    Note that this will remove the ability for users to run these programs.


- -----------------------------------------------------------------------------
AUSCERT wishes to thanks Marek Krawus of the University of Queensland for
his assistance in this matter.
- -----------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate.  However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual system
should be considered before application in conjunction with local policies
and procedures.  AUSCERT takes no responsibility for the consequences of
applying the contents of this document.

If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

AUSCERT is located at The University of Queensland within the Prentice Centre.
AUSCERT is a full member of the Forum of Incident Response and Security Teams
(FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 4477
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AUSCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld.  4072.
AUSTRALIA

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
Comment: Finger pgp@ftp.auscert.org.au to retrieve AUSCERT's public key

iQCVAwUBMfjEwCh9+71yA2DNAQG+0QP9EE3B7ktcRgUe1Ys495aiklWL7cFPOfmC
/WaGKPaIwHUXfIx1ZwfOFV9R8F9a8VcvEjleeeyuWoQePPbrCWlK0Rprk4pVoup7
b8GHycP2bbZ0CMyEyxl9sVmvBONRio/H6pO1hzQSucEQU9g1T9ZF/ES8quEtpQEk
r2078G9b/pE=
=IbLz
-----END PGP SIGNATURE-----