Full Disclosure mailing list archives
IBM(R) Db2(R) Windows client DLL Hijacking Vulnerability(0day)
From: houjingyi <houjingyi647 () gmail com>
Date: Sat, 20 Feb 2021 11:18:10 +0800
A few months ago I disclosed a Cisco Webex Teams Client for Windows DLL Hijacking Vulnerability I found: https://seclists.org/fulldisclosure/2020/Oct/16 In that post I mentioned "I will add more details 90 days after my report or a security bulletin available". Here it comes.

NOTICE: This vulnerability does not seem to have been fully patched!

After installing IBM Db2, decompile C:\Program Files\IBM\SQLLIB\BIN\db2swtchg.exe and we can find vulnerable code like "LoadLibraryA("..\\xxx\\xxx.dll")". It wants to load a DLL by providing a path beginning with ".." like "..\lib\_isuser.dll" and "..mri\En_US\db2istring_v115.dll" and so on to LoadLibraryA. For a path like "..\lib\_isuser.dll", Windows will treat it as "C:\lib\_isuser.dll" instead of "C:\Program Files\IBM\SQLLIB\lib\_isuser.dll" as the developer assumes. A non-admin attacker can create a directory under C:\ and put a DLL in it, so this DLL will be loaded by db2swtchg.exe and the attacker can execute any code as admin.

I reported this to IBM on HackerOne. After I noticed they had released a security bulletin, I checked IBM® Db2 11.5.5 and found the fix is not complete and reported it immediately. There is still a path like "..\msg\db2istring_v115.dll" provided to LoadLibraryA.

Put a DLL at C:\bin\db2odbct.dll, double click db2fedsvrcfg.exe and C:\bin\db2odbct.dll will be loaded.

Put a DLL at C:\msg\db2istring_v115.dll, double click db2swtchg.exe and C:\msg\db2istring_v115.dll will be loaded.

It has already been 90 days and they did not respond.
Timeline:

2020-08-24: vulnerability found in IBM Db2 and reported to them on HackerOne
2020-08-25: HackerOne staff asked me to provide a link to download IBM Db2 and I provided it
2020-08-26: HackerOne staff validated the report and IBM staff received the report
2020-09-24: report moved to triaged after initial review
2020-10-20: I asked for an update
2020-10-21: IBM staff said they confirmed the vulnerability and asked me for acknowledgement information, and I provided it
2020-11-17: IBM PSIRT released a security bulletin
2020-11-20: found the fix incomplete and reported it to them on HackerOne
2020-11-21: IBM staff: "Thank you for the update. We have shared your feedback with our product team and will follow up with you when we have more information."
2021-02-13: I asked for an update, no response
2021-02-20: public disclosure
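The post describes a root cause (a ".." relative path handed to LoadLibraryA that resolves from the drive root rather than from the product's own directory) that a defender can audit for directly. The following script is an added example, not code from the post or from IBM: it pulls "..\...\*.dll" strings out of a binary blob and shows where each would land when resolved against the intended module directory versus against C:\. The byte blob and the directory names are constructed sample input; the regular expressions and the use of ntpath are my own choices so the check runs on any platform.

```python
"""Audit helper for relative-path DLL loads (added example, not from the post or IBM)."""
import ntpath
import re

# "..\" followed by a relative path ending in ".dll", as an ASCII string...
ASCII_RE = re.compile(rb'\.\.\\[\x20-\x7e]{1,200}?\.dll', re.IGNORECASE)
# ...or as a UTF-16LE string (every character followed by a NUL byte).
WIDE_RE = re.compile(rb'\.\x00\.\x00\\\x00(?:[\x20-\x7e]\x00){1,200}?\.\x00d\x00l\x00l\x00',
                     re.IGNORECASE)


def find_relative_dll_paths(data):
    """Return every distinct '..\\' DLL path string embedded in the blob, sorted."""
    found = [m.group(0).decode('ascii') for m in ASCII_RE.finditer(data)]
    found += [m.group(0).decode('utf-16-le') for m in WIDE_RE.finditer(data)]
    return sorted(set(found))


def resolve(base_dir, rel_path):
    """Collapse base_dir + rel_path the way Windows path normalisation does ('..' at the
    drive root is simply dropped, which is why 'C:\\' + '..\\lib' becomes 'C:\\lib')."""
    return ntpath.normpath(ntpath.join(base_dir, rel_path))


def audit(data, module_dir, drive_root='C:\\'):
    """Map each relative DLL path to (where the developer meant it to resolve,
    where it resolves if the base is the drive root instead)."""
    return {p: (resolve(module_dir, p), resolve(drive_root, p))
            for p in find_relative_dll_paths(data)}


# Constructed stand-in for a PE image: two ASCII strings and one UTF-16LE string
# surrounded by filler bytes. Not real Db2 code.
SAMPLE_BINARY = (b'MZ\x90\x00junk' + b'..\\lib\\_isuser.dll\x00' + b'\x55\x8b\xec'
                 + b'..\\msg\\db2istring_v115.dll\x00'
                 + '..\\bin\\db2odbct.dll'.encode('utf-16-le') + b'\x00\x00')

if __name__ == '__main__':
    # Assumed install directory taken from the post; not a real scan of a Db2 binary.
    for rel, (intended, from_root) in audit(SAMPLE_BINARY, r'C:\Program Files\IBM\SQLLIB\BIN').items():
        print(f'{rel}\n  intended : {intended}\n  from C:\\ : {from_root}')
```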