HackDig : Dig high-quality web security articles

IBM(R) Db2(R) Windows client DLL Hijacking Vulnerability (0day)

2021-02-23 07:57
A few months ago I disclosed a Cisco Webex Teams Client for Windows DLL
hijacking vulnerability I found:


In that post I mentioned "I will add more details 90 days after my report
or a security bulletin available". Here it comes.

NOTICE: This vulnerability does not seem to have been fully patched!

After installing IBM Db2, decompile C:\Program
Files\IBM\SQLLIB\BIN\db2swtchg.exe and you can find vulnerable code like

It tries to load DLLs by passing paths that begin with "..\", such as
"..\lib\_isuser.dll" and "..\mri\En_US\db2istring_v115.dll" and so on, to

For a path like "..\lib\_isuser.dll", Windows will treat it as
"C:\lib\_isuser.dll" instead of "C:\Program
Files\IBM\SQLLIB\lib\_isuser.dll" as the developer assumes. A non-admin
attacker can create a directory under C:\ and put a DLL in it, so this DLL
will be loaded by db2swtchg.exe and the attacker can execute any code as admin.

I reported it to IBM on HackerOne. After I noticed they had released a security
bulletin, I checked IBM® Db2 11.5.5, found the fix was not complete, and
reported that immediately.

There is still a path like "..\msg\db2istring_v115.dll" provided to

Put a DLL at C:\bin\db2odbct.dll, double-click db2fedsvrcfg.exe, and
C:\bin\db2odbct.dll will be loaded.

Put a DLL at C:\msg\db2istring_v115.dll, double-click db2swtchg.exe, and
C:\msg\db2istring_v115.dll will be loaded.
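The path-resolution mistake behind the original db2swtchg.exe finding and behind the C:\bin and C:\msg cases of the incomplete fix, worked through as an added example that is not part of the original advisory and is not IBM's code. It is a small, portable C model of how a relative "..\" path resolves against a base directory: from the install BIN directory it lands inside SQLLIB, as the developer expected, while from the drive root the ".." is absorbed and it lands in a root-level directory that any local user can create. Which base directory the loader actually ends up using depends on the Windows DLL search order and the process's current directory; that, the `resolve_windows_path` model itself, and the `safe_dll_path` check (resolve only against the executable's own directory and refuse anything outside the install root before calling LoadLibraryExW with the absolute result) are this example's assumptions, not statements from the advisory.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_SEG 64
#define PATH_MAX_LEN 512

/* Resolve `rel` against the absolute, drive-lettered directory `base`, the way
   Windows normalises "." and ".." in a path. The drive root is a hard floor:
   ".." at "C:\" is absorbed, which is why "..\lib\_isuser.dll" resolved from
   the root becomes "C:\lib\_isuser.dll". Returns 0 on success, -1 on bad input.
   (Model written for this example; not the Windows loader itself.) */
static int resolve_windows_path(const char *base, const char *rel,
                                char *out, size_t outlen)
{
    if (strlen(base) < 2 || !isalpha((unsigned char)base[0]) || base[1] != ':')
        return -1;                              /* need "X:..." */

    char combined[PATH_MAX_LEN];
    int w = snprintf(combined, sizeof combined, "%s\\%s", base + 2, rel);
    if (w < 0 || (size_t)w >= sizeof combined)
        return -1;

    const char *seg[MAX_SEG];
    size_t len[MAX_SEG];
    int n = 0;
    for (char *p = combined; *p; ) {
        while (*p == '\\' || *p == '/') p++;    /* skip separators */
        if (!*p) break;
        char *start = p;
        while (*p && *p != '\\' && *p != '/') p++;
        size_t l = (size_t)(p - start);
        if (l == 1 && start[0] == '.') continue;
        if (l == 2 && start[0] == '.' && start[1] == '.') {
            if (n > 0) n--;                     /* at the root there is nothing to pop */
            continue;
        }
        if (n == MAX_SEG) return -1;
        seg[n] = start; len[n] = l; n++;
    }

    /* Re-assemble as "X:\seg\seg..." (or "X:\" when nothing is left) */
    size_t pos = 0;
    if (outlen < 4) return -1;
    out[pos++] = (char)toupper((unsigned char)base[0]);
    out[pos++] = ':';
    if (n == 0) out[pos++] = '\\';
    for (int i = 0; i < n; i++) {
        if (pos + 1 + len[i] + 1 > outlen) return -1;
        out[pos++] = '\\';
        memcpy(out + pos, seg[i], len[i]);
        pos += len[i];
    }
    out[pos] = '\0';
    return 0;
}

/* Case-insensitive containment test: is resolved `path` inside directory `dir`? */
static int path_is_under(const char *path, const char *dir)
{
    size_t dl = strlen(dir);
    if (dl == 0) return 0;
    if (dir[dl - 1] == '\\') dl--;              /* tolerate a trailing separator */
    for (size_t i = 0; i < dl; i++)
        if (tolower((unsigned char)path[i]) != tolower((unsigned char)dir[i]))
            return 0;
    return path[dl] == '\\';
}

/* Hardened resolution (assumed fix pattern): resolve only against the
   executable's own directory, which on Windows comes from GetModuleFileNameW
   and never from the current directory, and refuse any result that leaves the
   installation root. Only a path that passes here should reach LoadLibraryExW. */
static int safe_dll_path(const char *exe_dir, const char *install_root,
                         const char *rel, char *out, size_t outlen)
{
    char root[PATH_MAX_LEN];
    if (resolve_windows_path(exe_dir, rel, out, outlen) != 0) return -1;
    if (resolve_windows_path(install_root, "", root, sizeof root) != 0) return -1;
    return path_is_under(out, root) ? 0 : -1;
}

int main(void)
{
    /* Relative DLL paths quoted in the advisory, resolved from the BIN directory
       the developer assumed and from the drive root reported in the advisory. */
    const char *rels[] = { "..\\lib\\_isuser.dll",
                           "..\\mri\\En_US\\db2istring_v115.dll",
                           "..\\msg\\db2istring_v115.dll" };
    const char *bases[] = { "C:\\Program Files\\IBM\\SQLLIB\\BIN", "C:\\" };
    char out[PATH_MAX_LEN];
    for (size_t b = 0; b < 2; b++)
        for (size_t r = 0; r < 3; r++)
            if (resolve_windows_path(bases[b], rels[r], out, sizeof out) == 0)
                printf("%-34s + %-36s -> %s\n", bases[b], rels[r], out);

    int ok = safe_dll_path("C:\\Program Files\\IBM\\SQLLIB\\BIN",
                           "C:\\Program Files\\IBM\\SQLLIB",
                           "..\\lib\\_isuser.dll", out, sizeof out);
    printf("hardened resolution: %s -> %s\n", out, ok == 0 ? "accepted" : "refused");
    return 0;
}
```

The table the program prints makes the advisory's point visible in one glance: the same three relative strings resolve to SQLLIB subdirectories from BIN and to C:\lib, C:\mri and C:\msg from the root. The `safe_dll_path` check is the containment test a loader should apply regardless of what the current directory happens to be; it is a pattern for a fix, not a description of what IBM shipped.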

It has been 90 days and they have not responded.


2020-08-24: vulnerability found in IBM Db2 and reported to them on HackerOne

2020-08-25: HackerOne staff asked me to provide a link to download IBM Db2,
and I provided it

2020-08-26: HackerOne staff validated the report and IBM staff received the

2020-09-24: report moved to triaged after initial review

2020-10-20: I asked for an update

2020-10-21: IBM staff said they had confirmed the vulnerability and asked me
for acknowledgement information, and I provided it

2020-11-17: IBM PSIRT released security bulletin

2020-11-20: found the fix incomplete and reported it to them on HackerOne

2020-11-21: IBM staff: "Thank you for the update. We have shared your
feedback with our product team and will follow up with you when we have
more information."

2021-02-13: I asked for an update, no response

2021-02-20: public disclosure

Sent through the Full Disclosure mailing list
Web Archives & RSS: http://seclists.org/fulldisclosure/

Source: https://seclists.org/fulldisclosure/2021/Feb/73
