The OpenNET Project
IBM WebSphere on UNIX security alert !


Date: Thu, 13 Dec 2001 11:36:34 +0100
From: "Tunkelo Heikki (extern)" <Heikki.Tunkelo@erln.gepas.de>
To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>
Subject: IBM WebSphere on UNIX security alert !


IBM WebSphere reveals system root password.
Author : Heikki Tunkelo (heikki.tunkelo@erln.gepas.de)
Date : 13.12.2001
=== Brief description ===

It is possible to obtain the root password of a system running WebSphere.

=== Affected Systems ===

IBM WebSphere 3.0.* on AIX, Linux, Sun
IBM WebSphere 3.5.* on AIX, Linux, Sun

=== Detailed Description ===

On a default installation WebSphere installs itself to run with root identity and stores the root password in clear text in the file $WASROOT/properties/sas.server.props. The file has permissions 600, so other users on the system cannot read it directly.

The problem is that by default all Java code hosted by WebSphere (JSPs, servlets etc.) also runs with root identity and can therefore read every file on the server's filesystem that root can read. A normal user with access to the system can construct a JSP file that reads the contents of sas.server.props, copy it into an appropriate directory, and request the JSP through a web browser, thereby obtaining the root password. It may also be possible to construct a JSP file that writes shell scripts to the server filesystem and executes them with root identity.

=== Workaround ===

a) Change WebSphere to run under a non-root identity (this is preferred):
   For Sun Solaris: http://www-1.ibm.com/servlet/support/manager?rs=180&rt=0&org=SW&doc=1005677
   For generic Unix platforms: http://www-1.ibm.com/servlet/support/manager?rs=180&rt=0&org=SW&doc=1005677
   and http://www7b.boulder.ibm.com/wsdd/library/presents/nonrootlogin.html

b) Create the application servers under a non-root identity (do this only if you cannot take step (a)):
   http://www-4.ibm.com/software/webservers/appserv/doc/v40/ae/infocenter/was/0606a01.html

Contact the author for more details and help with the workaround.

Heikki
--
Heikki Tunkelo
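The advisory hinges on two conditions holding at once: the application server JVM runs as root, and sas.server.props holds a cleartext password that root can read. The following audit script is an added example, not code from the advisory or from IBM; it checks both conditions on a host and gives a verdict. The `ps` class-name pattern and the property key name `com.ibm.CORBA.loginPassword` are assumptions about WebSphere 3.x and should be adjusted to what the host actually shows, and the sample properties file is constructed so the script can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the advisory or IBM): audit a WebSphere 3.x host for
# a root-owned JVM combined with a cleartext password in sas.server.props.

# Users owning WebSphere JVMs. The class-name pattern is an assumption about
# WAS 3.x command lines; adjust it to what `ps` shows on the host.
was_jvm_owners() {
    ps -eo user=,args= 2>/dev/null | grep 'com\.ibm\.ejs\.sm\.server' \
        | grep -v grep | awk '{print $1}' | sort -u
}

# 0 if FILE holds a non-empty cleartext value for the password key.
# The key name (com.ibm.CORBA.loginPassword) is an assumption; adjust as needed.
sas_props_has_cleartext_password() {
    grep -Eq '^[[:space:]]*com\.ibm\.CORBA\.loginPassword[[:space:]]*=[[:space:]]*[^[:space:]]+' "$1"
}

# 0 if FILE is readable by group or other. The advisory says the default is
# 600, which on its own is fine; it is the root-identity JSP that bypasses it.
file_readable_by_others() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        *r*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Verdict for one server. OWNER is the user the JVM runs as, FILE the props
# file. Returns 0 when the advisory's condition holds (root JVM plus a
# cleartext password), 1 otherwise, and prints a one-line reason.
assess_server() {
    owner="$1"; file="$2"
    if [ "$owner" != root ]; then
        echo "OK: JVM runs as '$owner'; JSP/servlet code cannot read root-only files"
        return 1
    fi
    if ! sas_props_has_cleartext_password "$file"; then
        echo "OK: JVM runs as root but no cleartext password found in $file"
        return 1
    fi
    if file_readable_by_others "$file"; then
        echo "RISK: cleartext password in $file is also readable by other local users"
    else
        echo "RISK: JVM runs as root; any deployed JSP can read the cleartext password in $file"
    fi
    return 0
}

# Constructed sample mimicking the vulnerable layout (values are fake).
make_sample_props() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample, not a real sas.server.props
com.ibm.CORBA.loginUserid=root
com.ibm.CORBA.loginPassword=NotARealPassword
EOF
    chmod 600 "$f"
    echo "$f"
}

# On a live host: set WASROOT and run the check for every JVM owner found.
if [ -n "$WASROOT" ]; then
    for u in $(was_jvm_owners); do
        assess_server "$u" "$WASROOT/properties/sas.server.props"
    done
fi
```

A non-root JVM owner is the only outcome that fully removes the exposure, which matches the advisory's preference for workaround (a); a 600 mode alone does not help, since the JSP reads the file as the JVM's own user.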
