Date: Thu, 13 Dec 2001 11:36:34 +0100
From: "Tunkelo Heikki (extern)" <Heikki.Tunkelo@erln.gepas.de.>
To: "[email protected]" <bugtraq@securityfocus.com.>
Subject: IBM WebSphere on UNIX security alert !
IBM Websphere reveals system root password.
Author : Heikki Tunkelo ([email protected])
Date : 13.12.2001
=== Brief description ===
It is possible to attain a root password on a system running WebSphere.
=== Affected Systems ===
IBM WebSphere 3.0.* on AIX, LINUX, SUN
IBM WebSphere 3.5.* on AIX, LINUX, SUN
=== Detailed Description ===
On default installation WebSphere installs itself to run with
root-identity, and stores root password as a clear text to a file
$WASROOT/properties/sas.server.props. The file has permissions 600,
and therefore other users on system cannot access it.
The problem is that by default all java-code at WebSphere
(jsp's, Servlets etc.) are running with root-identity, therefore
able to access all files on servers filesystem readable by root.
It is possible for normal user (who has access to the system)to
construct a JSP file which reads the content of sas.server.props,
copy it in approriate directory and access the jsp through
web-browser. Thereby getting access to root password.
It might be also possible to construct a JSP file that creates
shell-scripts to server filesystem and executes them with
root-identity.
=== Workaround ===
a) Change websphere to run with non root-identity
(This is preferred)
For Sun solaris:
http://www-1.ibm.com/servlet/support/manager?rs=180&rt=0&org=SW&doc=1005677
For Generic Unix platform
http://www-1.ibm.com/servlet/support/manager?rs=180&rt=0&org=SW&doc=1005677
http://www7b.boulder.ibm.com/wsdd/library/presents/nonrootlogin.html
b) Create application servers on non-root identity
(do this only if you cannot take the (a) step)
http://www-4.ibm.com/software/webservers/appserv/doc/v40/ae/infocenter/was/0
606a01.html
contact author for more details and help for workaround.
Heikki
--
Heikki Tunkelo
