I want to hunt down and find two files in the IFS. IDK if that IFS is a
symbolic link into /qsys.lib or not, I just want to find these. These
files are rguest.exe and wguest.exe. We're getting dinged on an audit
because of the existence of these files. I'm beginning to question
whether the audit is testing for the actual files, or the function they
perform and then "assume" it's one of those two files. After all, .exe
files aren't really an IBM i kind of thing.
My first foray was querying the output of RTVDIRINF. No luck.
Next I tried qsHell.
find / -name "*guest.*"
find: 001-0023 Error found opening file
/QSYS.LIB/PMEDHUSR.LIB/EDH_H1.DTAQ. Resource busy.
find: 001-0023 Error found opening file
/QSYS.LIB/PMEDHUSR.LIB/EDH_H2.DTAQ. Resource busy.
find: 001-0023 Error found opening file
/QSYS.LIB/PMEDHUSR.LIB/EDH_H3.DTAQ. Resource busy.
find: 001-0023 Error found opening file
/QSYS.LIB/PMEDHUSR.LIB/EDH_H4.DTAQ. Resource busy.
find: 001-0023 Error found opening file /QSYS.LIB/QQFENDSVR.PGM.
Resource busy.
$
Which makes me wonder if this stupid find command is searching contents,
or if it can't figure out if these object types are a directory or not.
Original problem:
Webcom CGI Guestbook File Disclosure Vulnerability
CVE-1999-0467
THREAT:
The programs 'wguest.exe' and 'rguest.exe' are present on the server.
IMPACT:
Unauthorized users can read arbitrary files.
SOLUTION:
Install and use another Guestbook program.
EXPLOITABILITY:
The Exploit-DB
Reference: CVE-1999-0467
Description: WebCom datakommunikation Guestbook 0.1 - 'rguest.exe'
Arbitrary File Access - The Exploit-DB Ref : 20447
Link:
http://www.exploit-db.com/exploits/20447
Reference: CVE-1999-0467
Description: WebCom datakommunikation Guestbook
One big recent change was the addition of some Zend for a bolt on we're
evaluating.
Rob Berendt
midrange.com
