List:       full-disclosure
Subject:    [FD] IBM(R) Db2(R) Windows client DLL Hijacking Vulnerability(0day)
From:       houjingyi <houjingyi647 () gmail ! com>
Date:       2021-02-20 3:18:10
Message-ID: CAN1eSktpNpZ-j8NytJc4cFjD-QSSTeT6DctSk0975oMCsZPZkA () mail ! gmail ! com

A few months ago I disclosed a Cisco Webex Teams Client for Windows DLL
Hijacking Vulnerability I found:

https://seclists.org/fulldisclosure/2020/Oct/16

In that post I mentioned "I will add more details 90 days after my report
or a security bulletin available". Here it comes.

NOTICE: This vulnerability does not seem to have been fully patched!

After installing IBM Db2, decompile C:\Program
Files\IBM\SQLLIB\BIN\db2swtchg.exe and you can find vulnerable code like
"LoadLibraryA("..\\xxx\\xxx.dll")".

It loads DLLs by passing paths that begin with "..", such as
"..\lib\_isuser.dll" and "..mri\En_US\db2istring_v115.dll", to
LoadLibraryA.

For a path like "..\lib\_isuser.dll", Windows will treat it as
"C:\lib\_isuser.dll" instead of "C:\Program
Files\IBM\SQLLIB\lib\_isuser.dll" as the developer assumes. A non-admin
attacker can create a directory under C:\ and put a DLL in it; this DLL
will be loaded by db2swtchg.exe and the attacker can execute arbitrary code as admin.

I reported it to IBM on HackerOne. After I noticed they had released a security
bulletin, I checked IBM Db2 11.5.5, found that the fix is not complete, and
reported that immediately.

There are still paths like "..\msg\db2istring_v115.dll" passed to
LoadLibraryA.

Put a DLL at C:\bin\db2odbct.dll, double-click db2fedsvrcfg.exe, and
C:\bin\db2odbct.dll will be loaded.

Put a DLL at C:\msg\db2istring_v115.dll, double-click db2swtchg.exe, and
C:\msg\db2istring_v115.dll will be loaded.
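The two things a defender wants from the description above and from the incomplete-fix paths just listed are a way to spot "..\...\x.dll" strings in a binary during triage, and a concrete view of where such a path lands depending on which directory it is anchored to. The following is an added example written for this post, not code from the advisory or from IBM; the byte blob is a constructed stand-in for strings extracted from a PE, and `ntpath` is used so the Windows path arithmetic runs on any platform:

```python
import re
import ntpath

# Constructed stand-in for raw bytes carved out of a PE (NOT the real db2swtchg.exe);
# the path strings are the ones quoted in the post.
SAMPLE_BINARY = (
    b"\x00\x01LoadLibraryA\x00"
    b"..\\lib\\_isuser.dll\x00"
    b"..mri\\En_US\\db2istring_v115.dll\x00"
    b"..\\msg\\db2istring_v115.dll\x00"
    b"C:\\Program Files\\IBM\\SQLLIB\\lib\\db2odbct.dll\x00"
    b"kernel32.dll\x00"
)

# A printable-ASCII run that ends in ".dll"; runs are delimited by non-printable bytes.
_DLL_STRING = re.compile(rb"[\x20-\x7e]+\.dll", re.IGNORECASE)


def find_relative_dll_paths(blob: bytes) -> list[str]:
    """Return every '.dll' string in blob that starts with '..'.

    These are the parent-relative load paths the post describes; a reviewer
    would then check how each one reaches LoadLibraryA. Note that "..mri\\..."
    has no separator after the dots, so it names a literal directory "..mri"
    rather than the parent directory, but it is still flagged for review.
    """
    return [
        m.decode("ascii")
        for m in _DLL_STRING.findall(blob)
        if m.startswith(b"..")
    ]


def resolve_load_path(relative: str, base_dir: str) -> str:
    """Where a relative DLL path lands when anchored at base_dir (Windows rules).

    Anchored at the executable's own directory (the developer's assumption) the
    path stays inside SQLLIB; anchored at the drive root, ".." cannot go higher,
    so the same string resolves to C:\\lib\\... as observed in the post.
    """
    return ntpath.normpath(ntpath.join(base_dir, relative))


def module_relative_path(exe_path: str, relative: str) -> str:
    """Mitigation sketch: build the full path from the module's own location
    before loading, instead of handing a bare '..' path to the loader."""
    return resolve_load_path(relative, ntpath.dirname(exe_path))


if __name__ == "__main__":
    for p in find_relative_dll_paths(SAMPLE_BINARY):
        print(p, "->", resolve_load_path(p, "C:\\Program Files\\IBM\\SQLLIB\\BIN"),
              "| root-anchored:", resolve_load_path(p, "C:\\"))
```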

It has been 90 days and they have not responded.

Timeline:

2020-08-24: vulnerability found in IBM Db2 and reported to them on HackerOne

2020-08-25: HackerOne staff asked me to provide a link to download IBM Db2,
and I provided one

2020-08-26: HackerOne staff validated the report and IBM staff received the
report

2020-09-24: report moved to triaged after initial review

2020-10-20: I asked for update

2020-10-21: IBM staff said they confirmed the vulnerability and asked me for
acknowledgement information, and I provided it

2020-11-17: IBM PSIRT released security bulletin

2020-11-20: found the fix incomplete and reported it to them on HackerOne

2020-11-21: IBM staff: "Thank you for the update. We have shared your
feedback with our product team and will follow up with you when we have
more information."

2021-02-13: I asked for update, no response

2021-02-20: public disclosure

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/