OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Tunkelo Heikki (extern) (Heikki.Tunkeloerln.gepas.de)
Date: Thu Dec 13 2001 - 04:36:34 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    ======================================================================
    IBM Websphere reveals system root password.

    Author : Heikki Tunkelo (heikki.tunkeloerln.gepas.de)
    Date : 13.12.2001
    ======================================================================

    === Brief description ===

    It is possible to attain a root password on a system running WebSphere.

    === Affected Systems ===

    IBM WebSphere 3.0.* on AIX, LINUX, SUN
    IBM WebSphere 3.5.* on AIX, LINUX, SUN

    === Detailed Description ===

    On default installation WebSphere installs itself to run with
    root-identity, and stores root password as a clear text to a file
    $WASROOT/properties/sas.server.props. The file has permissions 600,
    and therefore other users on system cannot access it.

    The problem is that by default all java-code at WebSphere
    (jsp's, Servlets etc.) are running with root-identity, therefore
    able to access all files on servers filesystem readable by root.

    It is possible for normal user (who has access to the system)to
    construct a JSP file which reads the content of sas.server.props,
    copy it in approriate directory and access the jsp through
    web-browser. Thereby getting access to root password.

    It might be also possible to construct a JSP file that creates
    shell-scripts to server filesystem and executes them with
    root-identity.

    === Workaround ===

    a) Change websphere to run with non root-identity
    (This is preferred)
    For Sun solaris:
    http://www-1.ibm.com/servlet/support/manager?rs=180&rt=0&org=SW&doc=1005677
    For Generic Unix platform
    http://www-1.ibm.com/servlet/support/manager?rs=180&rt=0&org=SW&doc=1005677
    http://www7b.boulder.ibm.com/wsdd/library/presents/nonrootlogin.html

    b) Create application servers on non-root identity
    (do this only if you cannot take the (a) step)
    http://www-4.ibm.com/software/webservers/appserv/doc/v40/ae/infocenter/was/0
    606a01.html

    ======================================================================

    contact author for more details and help for workaround.

    Heikki 

    --
Heikki Tunkelo