CVE-2003-0027
published 2003-02-07

CVE-2003-0027: Directory traversal vulnerability in Sun Kodak Color Management System (KCMS) library service daemon (kcms_server) allows remote attackers to read arbitrary…

Priority P336 · medium 5 · CVSS 2.0
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS: 25.72% (97.7th percentile)
Directory traversal vulnerability in Sun Kodak Color Management System (KCMS) library service daemon (kcms_server) allows remote attackers to read arbitrary files via the KCS_OPEN_PROFILE procedure.

Affected (8 ranges)

Vendor | Product | Version range | Fixed in
sun | solaris
sun | solaris
sun | solaris
sun | solaris
sun | solaris
sun | sunos
sun | sunos
sun | sunos

Detection & IOCs (extracted from sources)

port: 111
port: 32771-34000
path: /../
bytes: |00 01 87 7D| (RPC program number for kcms_server)
bytes: |00 01 86 A0| (RPC portmap program number)
snort
alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"GPL RPC kcms_server directory traversal attempt"; flow:established,to_server; content:"|00 01 87|}"; depth:4; offset:16; byte_jump:4,20,relative,align; byte_jump:4,4,relative,align; content:"/../"; distance:0; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:misc-attack; sid:2102007; rev:13;)
snort
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap kcms_server request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,6665; reference:cve,2003-0027; classtype:rpc-portmap-decode; sid:2102005; rev:11;)
snort
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap kcms_server request TCP"; flow:established,to_server; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,6665; reference:cve,2003-0027; classtype:rpc-portmap-decode; sid:2102006; rev:12;)
  • The exploit abuses the KCS_OPEN_PROFILE RPC procedure on kcms_server to perform directory traversal; look for RPC calls containing '/../' path sequences destined for the kcms_server dynamic port range (32771–34000/tcp).
  • Portmap (port 111) queries for RPC program |00 01 87 7D| (kcms_server) are a reliable pre-exploitation indicator; alert on both TCP and UDP variants (SIDs 2102005, 2102006).
  • The traversal payload '/../' appears in the RPC request body after the kcms_server program number bytes; use the byte_jump offsets in SID 2102007 to anchor detection past the RPC header before matching the traversal string.
  • Affected platforms are Solaris 2.5–9 (SPARC and x86); scope detection to those asset types to reduce false positives.
  • kcms_server registers dynamically via portmap; the actual service port is in the range 32771–34000/tcp, not a fixed port. Detection rules must cover this full range rather than a single port.
  • Exploitation requires BOTH kcms_server and rpc.ttdbserverd to be running; if either service is absent the bypass technique fails. Verify both daemons are disabled as part of hardening.
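The portmap lookup that SIDs 2102005 and 2102006 match, decoded field by field for use in a log or pcap pipeline. This is an added example, not part of the original page or the rule set; `is_kcms_getport`, `build_getport` and the sample packets are constructed here, and the TCP case assumes the whole call sits at the start of one record.

```python
import struct

PMAP_PROG = 100000        # |00 01 86 A0| portmap
PMAPPROC_GETPORT = 3      # |00 00 00 03|
KCMS_PROG = 100221        # |00 01 87 7D| kcms_server

def _skip_opaque_auth(buf, off):
    """Skip one opaque_auth: flavor, length, body padded to 4 bytes.
    This is what each byte_jump:4,4,relative,align does in the rules."""
    _flavor, length = struct.unpack_from(">II", buf, off)
    return off + 8 + ((length + 3) & ~3)

def is_kcms_getport(payload, record_marked=False):
    """True if payload is a portmap GETPORT call asking for kcms_server.
    record_marked=True for TCP, where a 4-byte record marker comes first."""
    base = 4 if record_marked else 0
    try:
        _xid, mtype, _rpcvers, prog, _vers, proc = struct.unpack_from(">6I", payload, base)
        if mtype != 0 or prog != PMAP_PROG or proc != PMAPPROC_GETPORT:
            return False
        off = _skip_opaque_auth(payload, base + 24)   # credentials
        off = _skip_opaque_auth(payload, off)         # verifier
        (wanted,) = struct.unpack_from(">I", payload, off)
    except struct.error:                              # truncated or bogus length
        return False
    return wanted == KCMS_PROG

def build_getport(prog, cred_body=b"", tcp=False):
    """Constructed sample: a portmap v2 GETPORT call asking for `prog`."""
    pad = b"\0" * (-len(cred_body) % 4)
    call = struct.pack(">6I", 0x1234, 0, 2, PMAP_PROG, 2, PMAPPROC_GETPORT)
    call += struct.pack(">II", 1 if cred_body else 0, len(cred_body)) + cred_body + pad
    call += struct.pack(">II", 0, 0)                  # AUTH_NONE verifier
    call += struct.pack(">4I", prog, 1, 6, 0)         # prog, vers, proto=TCP, port
    if tcp:
        call = struct.pack(">I", 0x80000000 | len(call)) + call
    return call

if __name__ == "__main__":
    for name, pkt, rm in [("udp kcms", build_getport(KCMS_PROG), False),
                          ("tcp kcms", build_getport(KCMS_PROG, tcp=True), True),
                          ("udp nfs", build_getport(100003), False)]:
        print(name, is_kcms_getport(pkt, rm))
```

Decoding the credential and verifier lengths instead of matching at a fixed offset keeps the check correct when the caller sends non-empty credentials, and a truncated packet or an oversized length field returns False rather than raising.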