CVE-2003-0027
Published 2003-02-07
Priority P3 · 36 · medium · CVSS 2.0 base score 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploit available · EPSS 25.72% (97.7th percentile)
Directory traversal vulnerability in Sun Kodak Color Management System (KCMS) library service daemon (kcms_server) allows remote attackers to read arbitrary files via the KCS_OPEN_PROFILE procedure.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sun | solaris | — | — |
| sun | solaris | — | — |
| sun | solaris | — | — |
| sun | solaris | — | — |
| sun | solaris | — | — |
| sun | sunos | — | — |
| sun | sunos | — | — |
| sun | sunos | — | — |
Detection & IOCs (extracted from sources)
- port: 111
- port: 32771-34000
- path: /../
- bytes: |00 01 87 7D| (RPC program number for kcms_server)
- bytes: |00 01 86 A0| (RPC portmap program number)
snort
alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"GPL RPC kcms_server directory traversal attempt"; flow:established,to_server; content:"|00 01 87|}"; depth:4; offset:16; byte_jump:4,20,relative,align; byte_jump:4,4,relative,align; content:"/../"; distance:0; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:misc-attack; sid:2102007; rev:13;)
snort
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap kcms_server request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,6665; reference:cve,2003-0027; classtype:rpc-portmap-decode; sid:2102005; rev:11;)
snort
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap kcms_server request TCP"; flow:established,to_server; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,6665; reference:cve,2003-0027; classtype:rpc-portmap-decode; sid:2102006; rev:12;)
- The exploit abuses the KCS_OPEN_PROFILE RPC procedure on kcms_server to perform directory traversal; look for RPC calls containing '/../' path sequences destined for the kcms_server dynamic port range (32771–34000/tcp).
- Portmap (port 111) queries for RPC program |00 01 87 7D| (kcms_server) are a reliable pre-exploitation indicator; alert on both TCP and UDP variants (SIDs 2102005, 2102006).
- The traversal payload '/../' appears in the RPC request body after the kcms_server program number bytes; use the byte_jump offsets in SID 2102007 to anchor detection past the RPC header before matching the traversal string.
- Affected platforms are Solaris 2.5–9 (SPARC and x86); scope detection to those asset types to reduce false positives.
- kcms_server registers dynamically via portmap; the actual service port is in the range 32771–34000/tcp, not a fixed port. Detection rules must cover this full range rather than a single port.
- Exploitation requires both kcms_server and rpc.ttdbserverd to be running; if either service is absent the bypass technique fails. Verify both daemons are disabled as part of hardening.
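As an added example (not part of this record or of the Snort/Suricata rule sources), the following Python applies the detection logic of SID 2102007 by parsing the ONC RPC CALL header structurally instead of with byte_jump heuristics: strip the TCP record mark, check the message is an RPCv2 CALL for the kcms_server program number, skip the credential and verifier fields, then look for '/../' in the procedure arguments. The procedure numbers, XID and argument strings in the sample builder are constructed assumptions, not real kcms_server traffic.

```python
import struct

# Program numbers from this record's IOCs: kcms_server and portmap.
KCMS_PROG = 0x01877D
PORTMAP_PROG = 0x0186A0
RPC_CALL, RPC_VERSION = 0, 2
TRAVERSAL = b"/../"

def _u32(buf, off):
    if off + 4 > len(buf):
        raise ValueError("truncated RPC message")
    return struct.unpack(">I", buf[off:off + 4])[0]

def _skip_opaque_auth(buf, off):
    # opaque_auth = flavor(4) + length(4) + body padded to a 4-byte boundary
    length = _u32(buf, off + 4)
    if length > 400:  # RFC 5531 caps auth bodies at 400 bytes
        raise ValueError("auth body too large")
    return off + 8 + ((length + 3) & ~3)

def strip_record_mark(data):
    # TCP record marking: high bit = last fragment, low 31 bits = length
    return data[4:4 + (_u32(data, 0) & 0x7FFFFFFF)]

def parse_rpc_call(record):
    """Parse an ONC RPC CALL body (RFC 5531) into header fields and args."""
    if _u32(record, 4) != RPC_CALL or _u32(record, 8) != RPC_VERSION:
        raise ValueError("not an RPCv2 CALL")
    prog, vers, proc = (_u32(record, o) for o in (12, 16, 20))
    off = _skip_opaque_auth(record, 24)   # credentials
    off = _skip_opaque_auth(record, off)  # verifier
    return {"xid": _u32(record, 0), "prog": prog, "vers": vers,
            "proc": proc, "args": record[off:]}

def check_kcms_traversal(data):
    """Return an alert string if this is a kcms_server call carrying '/../'."""
    call = parse_rpc_call(strip_record_mark(data))
    if call["prog"] != KCMS_PROG or TRAVERSAL not in call["args"]:
        return None
    return "kcms_server call proc=%d contains '/../'" % call["proc"]

# Constructed sample traffic for exercising the detector (not real exploit data).
def xdr_string(s):
    return struct.pack(">I", len(s)) + s + b"\0" * (-len(s) % 4)

def build_call(prog, proc, args, cred=struct.pack(">II", 0, 0)):  # AUTH_NULL
    body = struct.pack(">IIIIII", 0x1234, RPC_CALL, RPC_VERSION, prog, 1, proc)
    body += cred + struct.pack(">II", 0, 0) + args   # verifier = AUTH_NULL
    return struct.pack(">I", 0x80000000 | len(body)) + body
```

The AUTH_NULL default keeps the sample small; a credential with a non-multiple-of-4 body exercises the padding logic that the rule's byte_jump ...,align handles.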
Suricata rule (created 2010-09-23): GPL RPC kcms_server directory traversal attempt
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"GPL RPC kcms_server directory traversal attempt"; flow:established,to_server; content:"|00 01 87|}"; depth:4; offset:16; byte_jump:4,20,relative,align; byte_jump:4,4,relative,align; content:"/../"; distance:0; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:misc-attack; sid:2102007; rev:13; metadata:created_at 2010_09_23, cve CVE_2003_0027, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, updated_at 2024_11_26, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; tar
Suricata rule (created 2010-09-23): GPL RPC portmap kcms_server request UDP
Rule: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap kcms_server request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2102005; rev:11; metadata:created_at 2010_09_23, cve CVE_2003_0027, signature_severity Informational, updated_at 2019_07_26;)
Suricata rule (created 2010-09-23): GPL RPC portmap kcms_server request TCP
Rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap kcms_server request TCP"; flow:established,to_server; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2102006; rev:12; metadata:created_at 2010_09_23, cve CVE_2003_0027, signature_severity Informational, updated_at 2024_03_08;)
Exploit-DB (2003-05-05), indexed under CVE-2003-0770: IkonBoard 3.1 - Lang Cookie Arbitrary Command Execution (2)
---
source: https://www.securityfocus.com/bid/7361/info
It has been reported that IkonBoard is prone to an arbitrary command execution vulnerability. The vulnerability is due to insufficient sanitization performed on user supplied cookie data.
An attacker may exploit this issue to execute arbitrary commands in the security context of the web server hosting the vulnerable IkonBoard.
#!/usr/bin/perl
#
# Date: 5 May 2003
# Author: snooq [http://www.angelfire.com/linux/snooq/]
#
# Ikonboard 3.1.1 Remote Command Execution PoC
# ============================================
# This bug was found by Nick Cleaton.
#
# For more info and patch, go to:
# http://archives.neohapsis.com/archives/bugtraq/2003-04/0027.html
#
# Use at your very
Metasploit module: Solaris KCMS + TTDB Arbitrary File Read
This module targets a directory traversal vulnerability in the kcms_server component from the Kodak Color Management System. By utilizing the ToolTalk Database Server's TT_ISBUILD procedure, an attacker can bypass existing directory traversal validation and read arbitrary files. Vulnerable systems include Solaris 2.5 - 9 SPARC and x86. Both kcms_server and rpc.ttdbserverd must be running on the target host.
No writeups or analysis indexed.
References:
- http://marc.info/?l=bugtraq&m=104326556329850&w=2
- http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/50104
- http://www.entercept.com/news/uspr/01-22-03.asp
- http://www.kb.cert.org/vuls/id/850785
- http://www.securityfocus.com/bid/6665
- https://exchange.xforce.ibmcloud.com/vulnerabilities/11129
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A120
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A195
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A2592