CVE-2015-1947

Source: psirt@us.ibm.com

MEDIUM
6.9
Published: December 31, 2015 at 04:59 PM
Modified: April 12, 2025 at 10:46 AM

Vulnerability Description

Untrusted search path vulnerability in IBM InfoSphere BigInsights 3.0, 3.0.0.1, 3.0.0.2, and 4.0, when a DB2 database is used, allows local users to gain privileges via a Trojan horse library that is loaded by a setuid or setgid program.

CVSS Metrics

Base Score
6.9
Severity
MEDIUM
Vector String
AV:L/AC:M/Au:N/C:C/I:C/A:C

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

IBM InfoSphere BigInsights versions 3.0, 3.0.0.1, 3.0.0.2, and 4.0 are vulnerable to a privilege escalation attack. This vulnerability allows local attackers to execute arbitrary code with elevated privileges by exploiting an untrusted search path when a DB2 database is used, potentially leading to a complete system compromise.

02 // Vulnerability Mechanism

Step 1 (Preparation): The attacker identifies a setuid or setgid program within the vulnerable BigInsights installation that loads shared libraries and is associated with DB2 usage.

Step 2 (Payload Placement): The attacker creates a malicious shared library (e.g., a .so file on Linux) containing their desired payload (e.g., a reverse shell, or code to add a user to the system with root privileges).

Step 3 (Path Manipulation): The attacker places the malicious shared library in a directory that is part of the setuid/setgid program's library search path. This could be the current working directory, a temporary directory, or a directory writable by the attacker that is searched before the legitimate library location.

Step 4 (Program Execution): The attacker triggers the execution of the vulnerable setuid/setgid program, typically by interacting with the DB2 database or a related BigInsights service.

Step 5 (Library Loading): The setuid/setgid program attempts to load a shared library. Due to the insecure search path, it finds and loads the attacker's malicious library instead of the legitimate one.

Step 6 (Payload Execution): The attacker's payload within the malicious library is executed with the privileges of the setuid/setgid program, resulting in privilege escalation.

03 // Deep Technical Analysis

The vulnerability stems from an untrusted search path in IBM InfoSphere BigInsights when it is used with a DB2 database. Setuid or setgid programs, which run with elevated privileges, load shared libraries without properly validating the location those libraries come from. An attacker can place a malicious shared library (a Trojan horse) in a directory that is part of the program's search path, such as the current working directory or a directory writable by the attacker. When the setuid/setgid program runs, the dynamic loader resolves the attacker-controlled library instead of the legitimate one, and the attacker's code executes with the program's privileges. The root cause is the absence of a secure library loading mechanism and reliance on a search path that an unprivileged user can influence. This is the same class of flaw as DLL hijacking on Windows; on Linux it is usually described as shared-library hijacking or library preloading.

04 // Exploitation Status

While a public Proof of Concept (PoC) may not be readily available for this specific CVE, the nature of the vulnerability (untrusted search path) makes it relatively straightforward to exploit. The techniques for exploiting similar vulnerabilities are well-documented. It is likely that this vulnerability is **Discovery Only** or has been exploited in the past, but is not currently **Actively exploited** in a widespread manner due to the specific product and version constraints.

05 // Threat Intelligence

This vulnerability could be leveraged by any attacker with local access to the system. There is no specific APT group known to be targeting this vulnerability. However, any threat actor seeking to escalate privileges on a BigInsights system could utilize this. CISA KEV status: Not listed.

06 // Detection & Hunting

  • Monitor system logs for suspicious activity related to setuid/setgid programs, especially those associated with DB2 and BigInsights.

  • Analyze process execution and library loading using tools like strace (Linux) or Process Monitor (Windows) to identify programs loading libraries from unexpected locations. On Linux, readelf -d on each setuid/setgid binary also reveals any RPATH or RUNPATH entries that widen the search beyond the system library directories.

  • Check file system integrity to detect the presence of malicious shared libraries in writable directories that are part of the library search path.

  • Monitor network traffic for unusual connections originating from the compromised system, such as reverse shells.

  • Review audit logs for changes to setuid/setgid permissions or modifications to library search paths.

07 // Remediation & Hardening

  • Upgrade to a patched version of IBM InfoSphere BigInsights that addresses the vulnerability. Consult IBM's security advisories for specific patch details.

  • Implement secure library loading mechanisms. Ensure that setuid/setgid programs explicitly specify the full path to the required libraries, rather than relying on the system's default search path. Note that the glibc dynamic loader already ignores LD_LIBRARY_PATH for setuid/setgid programs, so the entries that matter are the RPATH/RUNPATH embedded in the binary, the loader configuration (ld.so.conf), and the default system directories; every one of these must point to root-owned directories that unprivileged users cannot write to.

  • Review and restrict the permissions on directories used by the library search path. Ensure that only authorized users can write to these directories.

  • Remove unnecessary setuid/setgid permissions from programs. Reduce the attack surface by minimizing the number of programs running with elevated privileges.

  • Implement file integrity monitoring to detect unauthorized modifications to system files, including shared libraries.

  • Regularly audit system configurations and security settings to identify and address potential vulnerabilities.
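A defender-side check that covers the detection items (enumerate setuid/setgid binaries, find writable directories on a library search path) and the hardening items above (restrict directory permissions, reject relative and empty entries), added here as an example; it is not part of the CVE record or of IBM's own tooling. It assumes a Linux host and takes the search-path entries as a plain list, which in practice you would fill from the RPATH/RUNPATH printed by readelf -d or from ld.so.conf. The directory layout and the binary name db2helper are constructed for the demo and are hypothetical.

```python
import os
import stat
import tempfile

# Finding codes returned by audit_search_path(); EXPLANATIONS gives the reason for each.
EXPLANATIONS = {
    "EMPTY": "empty entry resolves to the current working directory",
    "RELATIVE": "relative entry resolves against the current working directory",
    "ORIGIN": "$ORIGIN expands relative to the executable; review where that directory lives",
    "MISSING": "directory does not exist; whoever can create it controls the lookup",
    "WORLD_WRITABLE": "world-writable directory: any local user can plant a library",
    "WORLD_WRITABLE_STICKY": "world-writable with sticky bit: others' files are protected, "
                             "but a new library file can still be planted",
    "GROUP_WRITABLE": "group-writable by a non-root group: group members can plant a library",
}


def find_privileged_binaries(root):
    """Return regular files under root whose mode carries the setuid or setgid bit."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return sorted(hits)


def classify_entry(entry):
    """Return a finding code for one search-path entry, or None if it looks acceptable."""
    if entry == "":
        return "EMPTY"
    if entry.startswith("$ORIGIN") or entry.startswith("${ORIGIN}"):
        return "ORIGIN"
    if not os.path.isabs(entry):
        return "RELATIVE"
    try:
        st = os.stat(entry)
    except OSError:
        return "MISSING"
    mode = st.st_mode
    if mode & stat.S_IWOTH:
        return "WORLD_WRITABLE_STICKY" if mode & stat.S_ISVTX else "WORLD_WRITABLE"
    if mode & stat.S_IWGRP and st.st_gid != 0:
        return "GROUP_WRITABLE"
    return None


def audit_search_path(entries):
    """Audit a list of search-path entries (e.g. a RUNPATH split on ':'); returns {entry: code}."""
    findings = {}
    for entry in entries:
        code = classify_entry(entry)
        if code is not None:
            findings[entry] = code
    return findings


def build_fixture():
    """Create a throwaway layout for the demo (constructed sample, not a real product install)."""
    root = tempfile.mkdtemp(prefix="searchpath-audit-")
    for sub, mode in (("lib", 0o755), ("tmp", 0o1777), ("scratch", 0o777), ("bin", 0o755)):
        os.mkdir(os.path.join(root, sub))
        os.chmod(os.path.join(root, sub), mode)
    # 'db2helper' is a hypothetical name; only its setuid bit matters to the audit.
    for name, mode in (("db2helper", 0o4755), ("plain", 0o755)):
        path = os.path.join(root, "bin", name)
        with open(path, "wb") as fh:
            fh.write(b"#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)  # chmod after writing, so the write cannot clear the bit
    return root


def run_demo():
    """Build the fixture, audit it, and return (setuid basenames, {label: code})."""
    root = build_fixture()
    privileged = [os.path.basename(p) for p in find_privileged_binaries(root)]
    entries = [
        os.path.join(root, "lib"),      # 0755, not writable by others: acceptable
        os.path.join(root, "tmp"),      # 1777, like /tmp
        os.path.join(root, "scratch"),  # 0777
        os.path.join(root, "missing"),  # does not exist
        "",                             # empty element, as in "a::b"
        ".",                            # relative element
        "$ORIGIN/../lib",
    ]
    labelled = {}
    for entry, code in audit_search_path(entries).items():
        label = entry[len(root) + 1:] if entry.startswith(root + os.sep) else entry
        labelled[label] = code
    return privileged, labelled


if __name__ == "__main__":
    priv, findings = run_demo()
    print("setuid/setgid binaries:", priv)
    for label, code in findings.items():
        print(f"{label!r}: {code} - {EXPLANATIONS[code]}")
```

Only the 0755 directory passes; the sticky 1777 directory is still flagged because the sticky bit stops other users from removing or renaming existing files but does nothing to prevent a new library from being dropped there, which is exactly what this vulnerability class needs.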

08 // Affected Products

IBM InfoSphere BigInsights 3.0
IBM InfoSphere BigInsights 3.0.0.1
IBM InfoSphere BigInsights 3.0.0.2
IBM InfoSphere BigInsights 4.0