lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAN1eSktpNpZ-j8NytJc4cFjD-QSSTeT6DctSk0975oMCsZPZkA@mail.gmail.com>
Date: Sat, 20 Feb 2021 11:18:10 +0800
From: houjingyi <houjingyi647@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] IBM(R) Db2(R) Windows client DLL Hijacking Vulnerability(0day)

A few months ago I disclosed Cisco Webex Teams Client for Windows DLL
Hijacking Vulnerability I found :

https://seclists.org/fulldisclosure/2020/Oct/16

In that post I mentioned "I will add more details 90 days after my report
or a security bulletin available". Here it comes.

NOTICE : This vulnerability seems did not get full patched!

After install IBM Db2 decompile C:\Program
Files\IBM\SQLLIB\BIN\db2swtchg.exe and we can find vulnerable code like
"LoadLibraryA("..\\xxx\\xxx.dll")".

It wants to load dll by providing path begins with ".." like
"..\lib\_isuser.dll" and "..mri\En_US\db2istring_v115.dll" and so on to
LoadLibraryA.

For path like "..\lib\_isuser.dll" windows will treat it as
"C:\lib\_isuser.dll" instead of "C:\Program
Files\IBM\SQLLIB\lib\_isuser.dll" as developer assumes. A non-admin
attacker can create a directory under C:\ and put a dll to it, so this dll
will be loaded by db2swtchg.exe and attacker can execute any code as admin.

I reported to IBM on hackerone. After noticed they released security
bulletin, I checked IBM® Db2 11.5.5 and found the fix is not complete and
reported immediately.

There is still path like "..\msg\db2istring_v115.dll" provided to
LoadLibraryA.

put a dll to C:\bin\db2odbct.dll, double click db2fedsvrcfg.exe and
C:\bin\db2odbct.dll will be loaded.

put a dll to C:\msg\db2istring_v115.dll, double click db2swtchg.exe and
C:\msg\db2istring_v115.dll will be loaded.

It is already 90 days and they did not response.

timeline:

2020-08-24: vulnerability found in IBM Db2 and reported to them on hackerone

2020-08-25: HackerOne staff asked me to provide a link to download IBM Db2
and I provided

2020-08-26: HackerOne staff validated the report and IBM staff received the
report

2020-09-24: report moved to triaged after initial review

2020-10-20: I asked for update

2020-10-21: IBM staff said they confirmed the vulnerability and asked me
acknowledge information, and I provided

2020-11-17: IBM PSIRT released security bulletin

2020-11-20: found fix incomplete and reported to them on hackerone

2020-11-21: IBM staff:"Thank you for the update. We have shared your
feedback with our product team and will follow up with you when we have
more information."

2021-02-13: I asked for update, no response

2021-02-20: public disclosure

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ