Solaris KCMS + TTDB Arbitrary File Read

This module targets a directory traversal vulnerability in the kcms_server component from the Kodak Color Management System. By utilizing the ToolTalk Database Server\'s TT_ISBUILD procedure, an attacker can bypass existing directory traversal validation and read arbitrary files. Vulnerable systems include Solaris 2.5 - 9 SPARC and x86. Both kcms_server and rpc.ttdbserverd must be running on the target host.

Search Other Modules

Rank

Normal

Authors

vlad902 < vlad902 [at] gmail.com >
jduck < jduck [at] metasploit.com >

Vulnerability References

Development

Similar Modules

Usage Information

$ msfconsole

                ##                          ###           ##    ##
##  ##  #### ###### ####  #####   #####    ##    ####        ######
####### ##  ##  ##  ##         ## ##  ##    ##   ##  ##   ###   ##
####### ######  ##  #####   ####  ##  ##    ##   ##  ##   ##    ##
## # ##     ##  ##  ##  ## ##      #####    ##   ##  ##   ##    ##
##   ##  #### ###   #####   #####     ##   ####   ####   #### ###
                                      ##

msf > use auxiliary/admin/sunrpc/solaris_kcms_readfile
msf auxiliary(solaris_kcms_readfile) > set RHOST [TARGET IP]
msf auxiliary(solaris_kcms_readfile) > run

Module Options

OUTPUTPATH	Local path to save the file contents to
PATH	Path to the file to disclose, releative to the root dir. (default: etc/shadow)
RHOST	The target address
RPORT	The target port (default: 111)
CHOST	The local client address
CPORT	The local client port
ConnectTimeout	Maximum number of seconds to establish a TCP connection
Proxies	Use a proxy chain
SSL	Negotiate SSL for outgoing connections
SSLVersion	Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
VERBOSE	Enable detailed status messages
WORKSPACE	Specify the workspace for this module
ONCRPC::tcp_request_fragmentation	Enable fragmentation of TCP ONC/RPC requests
TCP::max_send_size	Maxiumum tcp segment size. (0 = disable)
TCP::send_delay	Delays inserted before every send. (0 = disable)