IBM ikeyman Java Class Creation Vulnerability

IBM's IBMHSSB package, which ships with Solaris, is used to enable SSL for the IBM webserver. The package includes a shell script, /usr/bin/ikeyman, which is SUID by default and updates the user's CLASSPATH variable before calling another script, /opt/ibm/gsk/bin/ikmgui.

This second script calls . Since the user's CLASSPATH is read into the new CLASSPATH variable, they could make a replacement /com/ibm/gsk/ikeyman/Ikeyman and put it in a directory included in their original CLASSPATH. This code would then get run as root when /usr/bin/ikeyman was run.


Privacy Statement
Copyright 2010, SecurityFocus