IBM(R) Db2(R) Windows client DLL Hijacking Vulnerability(0day)

2021-02-23 07:57
A few months ago I disclosed a Cisco Webex Teams Client for Windows DLL
Hijacking Vulnerability I found:

https://seclists.org/fulldisclosure/2020/Oct/16

In that post I mentioned "I will add more details 90 days after my report
or a security bulletin available". Here it comes.

NOTICE: This vulnerability does not seem to have been fully patched!

After installing IBM Db2, decompile C:\Program
Files\IBM\SQLLIB\BIN\db2swtchg.exe and you can find vulnerable code like
"LoadLibraryA("..\xxx\xxx.dll")".

It loads DLLs by passing paths that begin with ".." to LoadLibraryA, such as
"..\lib_isuser.dll", "..\mri\En_US\db2istring_v115.dll" and so on.

For a path like "..\lib_isuser.dll", Windows will treat it as
"C:\lib_isuser.dll" instead of "C:\Program
Files\IBM\SQLLIB\lib_isuser.dll" as the developer assumes. A non-admin
attacker can create a directory under C:\ and put a DLL in it, so this DLL
will be loaded by db2swtchg.exe and the attacker can execute any code as admin.

I reported it to IBM on HackerOne. After I noticed they had released a security
bulletin, I checked IBM® Db2 11.5.5, found the fix was not complete and
reported it immediately.

There is still a path like "..\msg\db2istring_v115.dll" passed to
LoadLibraryA.

Put a DLL at C:\bin\db2odbct.dll, double click db2fedsvrcfg.exe and
C:\bin\db2odbct.dll will be loaded.

Put a DLL at C:\msg\db2istring_v115.dll, double click db2swtchg.exe and
C:\msg\db2istring_v115.dll will be loaded.
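The review step the post describes (decompile the executable and look for LoadLibraryA being handed a "..\" path) can be partly automated. The script below is an added example written for this page; it is not the author's code and not IBM's, and the binary bytes, the search directories and the "protected roots" list are all constructed for the example. It pulls every printable string ending in ".dll" out of a file, keeps the ones that are relative paths with a directory component, and lists where the Windows loader would probe for each of them. The resolution follows the documented DLL search order: a relative path is appended to each search directory in turn, which is why "..\msg\db2istring_v115.dll" ends up being looked for at C:\msg\db2istring_v115.dll once the loader reaches C:\Windows. Probe locations that fall outside the install directory and the Windows directory are flagged, since those are the ones a non-admin user could create.

```python
"""Audit a Windows binary's strings for DLLs loaded by relative path.

Added example for this page (not code from the advisory or from IBM).
Every directory, root and sample byte string here is constructed for the
example; SEARCH_ORDER is a simplified version of the documented default
DLL search order with PATH entries omitted.
"""
import ntpath
import re

# Simplified default (SafeDllSearchMode) search order.  The application
# directory is the install location named in the advisory; the current
# directory is a constructed, user-owned location.
SEARCH_ORDER = [
    ("application dir", r"C:\Program Files\IBM\SQLLIB\BIN"),
    ("system dir",      r"C:\Windows\System32"),
    ("windows dir",     r"C:\Windows"),
    ("current dir",     r"C:\Users\alice\Documents"),   # constructed
]

# Roots a non-admin user cannot write into (constructed, simplified list).
PROTECTED_ROOTS = (r"C:\Program Files", r"C:\Windows")

# Constructed stand-in for a binary's string table; not bytes from any Db2 file.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00junk\x00"
    b"..\\msg\\db2istring_v115.dll\x00"             # relative: flagged
    b"..\\bin\\db2odbct.dll\x00"                    # relative: flagged
    b"C:\\Windows\\System32\\kernel32.dll\x00"      # absolute: not flagged
    b"user32.dll\x00"                               # bare name: not flagged
    b"LoadLibraryA\x00"
)

# Any printable ASCII run that ends in ".dll".
DLL_STRING = re.compile(rb"[\x20-\x7e]+\.dll", re.IGNORECASE)


def extract_dll_strings(data: bytes) -> list[str]:
    """Every printable ASCII string ending in .dll, in file order."""
    return [m.group(0).decode("ascii") for m in DLL_STRING.finditer(data)]


def is_relative_with_dir(path: str) -> bool:
    """True for '..\\msg\\x.dll' or 'lib\\x.dll': not absolute, but with a
    directory component, so the loader appends it to each search directory
    instead of treating it as a bare module name."""
    if ntpath.isabs(path) or ntpath.splitdrive(path)[0]:
        return False
    return "\\" in path or "/" in path


def probe_locations(rel_path: str, search_order=SEARCH_ORDER):
    """(label, full path probed, creatable by a non-admin) per search dir."""
    protected = tuple(r.lower() + "\\" for r in PROTECTED_ROOTS)
    out = []
    for label, directory in search_order:
        full = ntpath.normpath(ntpath.join(directory, rel_path))
        writable = not full.lower().startswith(protected)
        out.append((label, full, writable))
    return out


def audit(data: bytes) -> dict:
    """Map each relative DLL string in the binary to its probe locations."""
    return {s: probe_locations(s)
            for s in extract_dll_strings(data) if is_relative_with_dir(s)}


if __name__ == "__main__":
    for dll, probes in audit(SAMPLE_BINARY).items():
        print(f"{dll}: loaded by relative path")
        for label, full, writable in probes:
            flag = "  <-- creatable by a non-admin user" if writable else ""
            print(f"    {label:16} {full}{flag}")
```

Run it against a real executable by replacing SAMPLE_BINARY with the file's bytes; the interesting output is any relative string whose probe list contains a flagged location. The fix on the developer side is to never pass a relative path with directory components to LoadLibrary: build the full path from the module's own location (GetModuleFileName plus the intended subdirectory) and load that absolute path instead.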

It has already been 90 days and they did not respond.

Timeline:

2020-08-24: vulnerability found in IBM Db2 and reported to them on hackerone

2020-08-25: HackerOne staff asked me to provide a link to download IBM Db2
and I provided one

2020-08-26: HackerOne staff validated the report and IBM staff received the
report

2020-09-24: report moved to triaged after initial review

2020-10-20: I asked for an update

2020-10-21: IBM staff said they confirmed the vulnerability and asked me for
acknowledgement information, and I provided it

2020-11-17: IBM PSIRT released security bulletin

2020-11-20: found fix incomplete and reported to them on hackerone

2020-11-21: IBM staff: "Thank you for the update. We have shared your
feedback with our product team and will follow up with you when we have
more information."

2021-02-13: I asked for an update, no response

2021-02-20: public disclosure

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


Source: https://seclists.org/fulldisclosure/2021/Feb/73
