IBM WebSphere on UNIX security alert !

From: Tunkelo Heikki (extern) (Heikki.Tunkeloat_private)
Date: Thu Dec 13 2001 - 02:36:34 PST

    ====================================================================== 
    IBM Websphere reveals system root password.
    
    Author : Heikki Tunkelo (heikki.tunkeloat_private)
    Date   : 13.12.2001
    ====================================================================== 
    
    === Brief description ===
    
    It is possible to obtain the root password on a system running WebSphere.
    
    
    === Affected Systems === 
    
    IBM WebSphere 3.0.* on AIX, LINUX, SUN
    IBM WebSphere 3.5.* on AIX, LINUX, SUN
    
    
    === Detailed Description === 
    
    In a default installation WebSphere runs with root identity and
    stores the root password in clear text in the file
    $WASROOT/properties/sas.server.props. The file has permissions 600,
    so other users on the system cannot read it directly.
    
    The problem is that by default all Java code in WebSphere
    (JSPs, servlets etc.) runs with root identity and is therefore
    able to access every file on the server's filesystem that is readable by root.
    
    It is possible for a normal user (who has access to the system) to
    construct a JSP file which reads the content of sas.server.props,
    copy it into an appropriate directory and access the JSP through a
    web browser, thereby obtaining the root password.
    
    It might also be possible to construct a JSP file that writes
    shell scripts to the server's filesystem and executes them with
    root identity.
    
    === Workaround === 
    
    a) Change WebSphere to run with a non-root identity
    (This is preferred)
    For Sun Solaris:
    http://www-1.ibm.com/servlet/support/manager?rs=180&rt=0&org=SW&doc=1005677
    For generic UNIX platforms:
    http://www-1.ibm.com/servlet/support/manager?rs=180&rt=0&org=SW&doc=1005677
    http://www7b.boulder.ibm.com/wsdd/library/presents/nonrootlogin.html
    
    b) Create application servers under a non-root identity
    (do this only if you cannot take step (a))
    http://www-4.ibm.com/software/webservers/appserv/doc/v40/ae/infocenter/was/0606a01.html
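The following audit script is an added example, not part of the advisory or of WebSphere. It checks the two conditions the detailed description combines (a WebSphere JVM owned by root, and a sas.server.props that holds a clear-text password) and reports whether workaround (a) has actually removed the exposure. It assumes a `ps -ef` style process listing and a Java-properties file; the real key names inside sas.server.props are not given in the advisory, so the password check matches any key containing the substring "assword" (an assumption). The process listings embedded in the script are constructed samples, not captured from a real system.

```shell
#!/bin/sh
# was_root_audit.sh: added example, not part of the advisory or of WebSphere.
# Assumptions: ps -ef style listing, Java .properties syntax, password keys
# contain "assword" (real sas.server.props key names are not on the page).

# Constructed sample listing (not from a real system): one root-owned JVM.
PS_SAMPLE='UID        PID  PPID  C STIME TTY          TIME CMD
root       412     1  0 Dec12 ?        00:00:03 /opt/WebSphere/AppServer/java/bin/java -Dserver.root=/opt/WebSphere/AppServer DefaultServer
wasadmin   519   412  0 Dec12 ?        00:01:10 /opt/WebSphere/AppServer/java/bin/java -Dserver.root=/opt/WebSphere/AppServer OtherServer'

# Constructed listing as it should look after workaround (a): no root JVM.
PS_NONROOT='UID        PID  PPID  C STIME TTY          TIME CMD
wasadmin   412     1  0 Dec12 ?        00:00:03 /opt/WebSphere/AppServer/java/bin/java -Dserver.root=/opt/WebSphere/AppServer DefaultServer'

# Read a ps -ef style listing on stdin; print "uid pid lastarg" for every
# WebSphere java process owned by root. Exit 0 if any were found, else 1.
was_java_as_root() {
    awk '$1 == "root" && tolower($0) ~ /java/ && tolower($0) ~ /websphere/ {
             print $1, $2, $NF; found = 1 }
         END { exit found ? 0 : 1 }'
}

# Exit 0 if the file's mode string is exactly -rw------- (0600), else 1.
# Parses ls -l so it works on any UNIX without GNU stat.
props_mode_is_600() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Print every non-comment key containing "assword" that has a non-empty
# value. Exit 0 if at least one was found, 1 if none, 2 if unreadable.
props_cleartext_passwords() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk -F= '
        /^[ \t]*[#!]/ { next }
        tolower($1) ~ /assword/ {
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            if (val != "") { print $1 " has a clear-text value"; found = 1 }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Verdict: exposed only when a root-owned WebSphere JVM and a stored
# clear-text password coincide. Mode 600 alone does not help, because a
# JSP inside a root JVM reads the file as root. Exit 0 when exposed.
was_exposure() {
    listing="$1"; props="$2"; root_jvm=0; pw=0; mode=open
    printf '%s\n' "$listing" | was_java_as_root >/dev/null && root_jvm=1
    props_cleartext_passwords "$props" >/dev/null && pw=1
    props_mode_is_600 "$props" && mode=0600
    if [ "$root_jvm" -eq 1 ] && [ "$pw" -eq 1 ]; then
        echo "EXPOSED: root JVM can read clear-text password in $props (mode $mode)"
        return 0
    fi
    echo "not exposed: root JVM=$root_jvm stored password=$pw mode=$mode"
    return 1
}

# Stand-alone demo on a constructed properties file (keys are made up).
demo() {
    d=$(mktemp -d) || return 1
    printf '# constructed sample, not a real sas.server.props\n' > "$d/sas.server.props"
    printf 'server.loginUserid=root\nserver.loginPassword=s3cret\n' >> "$d/sas.server.props"
    chmod 600 "$d/sas.server.props"
    if was_exposure "$PS_SAMPLE" "$d/sas.server.props"; then :; fi
    if was_exposure "$PS_NONROOT" "$d/sas.server.props"; then :; fi
    rm -rf "$d"
}

# Run the demo only when executed directly under this file name; the
# functions can also be sourced and pointed at a live `ps -ef` listing.
case "${0##*/}" in was_root_audit.sh) demo ;; esac
```

On a live system run `ps -ef | was_java_as_root` and `props_cleartext_passwords "$WASROOT/properties/sas.server.props"` after sourcing the file; a clean result from the first check is what workaround (a) is meant to achieve, and the file-mode check shows that the 600 permissions the advisory mentions are irrelevant while the JVM itself is root.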
    
    ====================================================================== 
    
    Contact the author for more details and help with the workarounds.
    
    Heikki
    
    --
    Heikki Tunkelo
    


