-----BEGIN PGP SIGNED MESSAGE-----

- ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---

                  =======  ============    ======       ======
                  =======  ==============  =======     =======
                    ===      ===     ====    ======   ======
                    ===      ===========     ======= =======
                    ===      ===========     === ======= ===
                    ===      ===     ====    ===  =====  ===
                  =======  ==============  =====   ===   =====
                  =======  ============    =====    =    =====

                           EMERGENCY RESPONSE SERVICE
			OUTSIDE ADVISORY REDISTRIBUTION

26 July 1996 12:00 GMT                           Number: ERS-OAR-E01-1996:009.1
===============================================================================

The IBM-ERS Outside Advisory Redistribution is designed to provide customers
of the IBM Emergency Response Service with access to the security advisories
sent out by other computer security incident response teams, vendors, and
other groups concerned about security.

IBM makes no representations and assumes no responsibility for the contents or
accuracy of the advisories themselves.

IBM-ERS is forwarding the following information from AUSCERT.  Contact
information for AUSCERT is included in the forwarded text below; please
contact them if you have any questions or need further information.

===============================================================================

********************** FORWARDED INFORMATION STARTS HERE **********************

=============================================================================
AL-96.02                        AUSCERT Alert
		Vulnerability in Solaris 2.5 KCMS programs
                                 26 July 1996
- -----------------------------------------------------------------------------

AUSCERT have received a report of a vulnerability in the Sun Microsystems
Solaris 2.5 distribution involving the programs kcms_calibrate and
kcms_configure.  These programs are part of the Kodak Color Management
System (KCMS) packages.

This vulnerability may allow any local user to gain root privileges.

Exploit details involving this vulnerability have been made publicly
available.

At this stage, AUSCERT is not aware of any official patches.  AUSCERT
recommends that sites take the actions suggested in Section 3 until official
patches are available.

Depending on the local sites' requirements, the Solaris 2.5 KCMS packages
may or may not have been installed.  AUSCERT recommends that individual
sites should determine whether the programs are installed and take
appropriate action.

This Alert will be updated as more information becomes available.

- -----------------------------------------------------------------------------

1.  Description

    Solaris 2.5 contains support for the Kodak Color Management System (KCMS),
    a set of Openwindows compliant API's and libraries to create and manage
    profiles that can describe and control the colour performance of monitors,
    scanners, printers and film recorders.

    KCMS includes the programs kcms_configure and kcms_calibrate which are
    used for the configuration and calibration of an X11 window system for
    use with the KCMS library.  When installed, these programs have
    set-user-id root and set-group-id bin privileges.

    A vulnerability involving these programs has been reported.  Exploit
    details involving this vulnerability have been made publicly available.

    Depending on the local sites' requirements, the Solaris 2.5 KCMS packages 
    may or may not have been installed.

2.  Impact

    A local user may be able to create and then write to arbitrary files on the
    system.  This can be leveraged to gain root privileges.

3.  Workarounds/Solution

    Currently, there are no official patches available.  When patches are
    made available it is suggested the sites install the official patches.

    Until official patches are available sites are encouraged to remove
    the setuid and setgid permissions on the kcms_calibrate and kcms_configure
    programs.  These are typically located in /usr/openwin/bin.

	# chmod 400 /usr/openwin/bin/kcms_calibrate
	# chmod 400 /usr/openwin/bin/kcms_configure

    Note that this will remove the ability for users to run these programs.


- -----------------------------------------------------------------------------
AUSCERT wishes to thanks Marek Krawus of the University of Queensland for
his assistance in this matter.
- -----------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate.  However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual system
should be considered before application in conjunction with local policies
and procedures.  AUSCERT takes no responsibility for the consequences of
applying the contents of this document.

If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

AUSCERT is located at The University of Queensland within the Prentice Centre.
AUSCERT is a full member of the Forum of Incident Response and Security Teams
(FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 4477
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AUSCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld.  4072.
AUSTRALIA

*********************** FORWARDED INFORMATION ENDS HERE ***********************

===============================================================================

IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based
Internet security response service that includes computer security incident
response and management, regular electronic verification of your Internet
gateway(s), and security vulnerability alerts similar to this one that are
tailored to your specific computing environment.  By acting as an extension
of your own internal security staff, IBM-ERS's team of Internet security
experts helps you quickly detect and respond to attacks and exposures across
your Internet connection(s).

As a part of IBM's Business Recovery Services organization, the IBM Internet
Emergency Response Service is a component of IBM's SecureWay(tm) line of
security products and services.  From hardware to software to consulting,
SecureWay solutions can give you the assurance and expertise you need to
protect your valuable business resources.  To find out more about the IBM
Internet Emergency Response Service, send an electronic mail message to
ers-sales@vnet.ibm.com, or call 1-800-742-2493 (Prompt 4).

IBM-ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/.
Visit the site for information about the service, copies of security alerts,
team contact information, and other items.

IBM-ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism for
security vulnerability alerts and other distributed information.  The IBM-ERS
PGP* public key is available from http://www.ers.ibm.com/team-info/pgpkey.html.
"Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmerman.

IBM-ERS is a Member Team of the Forum of Incident Response and Security Teams
(FIRST), a global organization established to foster cooperation and response
coordination among computer security teams worldwide.

The information in this document is provided as a service to customers of
the IBM Emergency Response Service.  Neither International Business Machines
Corporation, Integrated Systems Solutions Corporation, nor any of their
employees, makes any warranty, express or implied, or assumes any legal
liability or responsibility for the accuracy, completeness, or usefulness of
any information, apparatus, product, or process contained herein, or
represents that its use would not infringe any privately owned rights.
Reference herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by IBM or
its subsidiaries.  The views and opinions of authors expressed herein do not
necessarily state or reflect those of IBM or its subsidiaries, and may not be
used for advertising or product endorsement purposes.

- ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---

-----BEGIN PGP SIGNATURE-----
Version: 2.7.1

iQCVAwUBMfi1I/WDLGpfj4rlAQHoRwQA1ebSScT3c6qDZjvlGbK0s6lat8fJu+x6
30dNAiuixxNar3HBSA4g+nyF7BG9NTEF2fXxZMuH92RMZ4Ex9yLPVGSsOxehyRVj
+8BpxgaNWpd6/EodvvQyFjISiHxk9PtgOXcV7TRI0cUFGPbw9ynTWQ6vUxlQ6Ztn
xfK+YkQU1eg=
=C+7E
-----END PGP SIGNATURE-----