IBM ikeyman Java Class Creation Vulnerability
BID:1092
Info
IBM ikeyman Java Class Creation Vulnerability
| Bugtraq ID: | 1092 |
| Class: | Origin Validation Error |
| CVE: |
CVE-2000-1202 |
| Remote: | No |
| Local: | Yes |
| Published: | Apr 06 2000 12:00AM |
| Updated: | Jul 11 2009 01:56AM |
| Credit: | Posted to Bugtraq by Rude Yak <[email protected]> on April 6, 2000. |
| Vulnerable: |
IBM Network Appliance Data ONTAP 7.0 |
| Not Vulnerable: | |
Discussion
IBM ikeyman Java Class Creation Vulnerability
IBM's IBMHSSB package, which ships with Solaris, is used to enable SSL for the IBM webserver. The package includes a shell script, /usr/bin/ikeyman, which is SUID by default and updates the user's CLASSPATH variable before calling another script, /opt/ibm/gsk/bin/ikmgui.
This second script calls com.ibm.gsk.ikeyman.Ikeyman . Since the user's CLASSPATH is read into the new CLASSPATH variable, they could make a replacement /com/ibm/gsk/ikeyman/Ikeyman and put it in a directory included in their original CLASSPATH. This code would then get run as root when /usr/bin/ikeyman was run.
IBM's IBMHSSB package, which ships with Solaris, is used to enable SSL for the IBM webserver. The package includes a shell script, /usr/bin/ikeyman, which is SUID by default and updates the user's CLASSPATH variable before calling another script, /opt/ibm/gsk/bin/ikmgui.
This second script calls com.ibm.gsk.ikeyman.Ikeyman . Since the user's CLASSPATH is read into the new CLASSPATH variable, they could make a replacement /com/ibm/gsk/ikeyman/Ikeyman and put it in a directory included in their original CLASSPATH. This code would then get run as root when /usr/bin/ikeyman was run.
Exploit / POC
IBM ikeyman Java Class Creation Vulnerability
see discussion
see discussion
Solution / Fix
IBM ikeyman Java Class Creation Vulnerability
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].