CVE-2015-1947

MEDIUM 6.9 / 10.0
Published: December 31, 2015 at 04:59 PM
Modified: April 12, 2025 at 10:46 AM
Source: psirt@us.ibm.com

Vulnerability Description

Untrusted search path vulnerability in IBM InfoSphere BigInsights 3.0, 3.0.0.1, 3.0.0.2, and 4.0, when a DB2 database is used, allows local users to gain privileges via a Trojan horse library that is loaded by a setuid or setgid program.

CVSS Metrics

Base Score
6.9
Severity
MEDIUM
Vector String
AV:L/AC:M/Au:N/C:C/I:C/A:C

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

IBM InfoSphere BigInsights versions 3.0, 3.0.0.1, 3.0.0.2, and 4.0 are vulnerable to a privilege escalation attack. Local users can exploit an untrusted search path vulnerability when a DB2 database is used, allowing them to execute arbitrary code with elevated privileges by injecting a malicious library.

02 // Vulnerability Mechanism

Step 1: Identify Target Program: The attacker identifies a setuid or setgid program within the BigInsights installation that interacts with the DB2 database and is vulnerable. This program will be the target for exploitation.

Step 2: Determine Library Dependencies: The attacker identifies the shared libraries that the target program loads. This can be done using tools like ldd.

Step 3: Craft Malicious Library: The attacker creates a malicious shared library (e.g., a .so file on Linux) that contains the attacker's payload. This payload could be anything from a reverse shell to a command that adds a new user with elevated privileges.

Step 4: Place Malicious Library: The attacker places the malicious shared library in a directory that is part of the program's library search path before the correct library. This is the core of the vulnerability. The attacker needs to find a writable directory in the search path.

Step 5: Trigger Execution: The attacker executes the vulnerable setuid/setgid program. This triggers the program to load the attacker's malicious library.

Step 6: Payload Execution: The attacker's payload within the malicious library is executed with the privileges of the setuid/setgid program.

03 // Deep Technical Analysis

The vulnerability stems from the way setuid/setgid programs within IBM InfoSphere BigInsights, when interacting with a DB2 database, search for shared libraries. The program does not properly sanitize or control the search path used to locate these libraries. This allows a local, unprivileged user to place a malicious shared library (a Trojan horse) in a directory that is searched before the correct library. When the setuid/setgid program is executed, it loads the attacker-controlled library, effectively executing arbitrary code with the privileges of the program (typically a higher-privileged user like db2inst1 or root). The root cause is the lack of secure path handling, specifically the absence of robust checks to prevent the loading of libraries from untrusted locations. This is a classic example of an untrusted search path vulnerability, leading to privilege escalation.
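As an added, defender-side example that is not part of this record or of IBM's software: a small Python audit that reads a setuid/setgid binary's embedded RPATH/RUNPATH from `readelf -d` output and flags entries an unprivileged user could influence, which is the condition the analysis above describes. The `readelf` excerpt, the directory names and the writability map are constructed for the example; on a real system `dir_is_world_writable` is used instead of the map.

```python
import os
import re

# Constructed `readelf -d` excerpt for a hypothetical setuid helper; not taken from the record.
SAMPLE_READELF = """\
 0x0000000000000001 (NEEDED)             Shared library: [libdb2.so.1]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000f (RPATH)              Library rpath: [/opt/ibm/db2/lib:/tmp/db2libs:$ORIGIN/../lib:.]
"""
# Constructed permission map standing in for os.stat() results when no real binary is available.
SAMPLE_WRITABLE = {"/opt/ibm/db2/lib": False, "/tmp/db2libs": True}

RPATH_RE = re.compile(r"\((?:RPATH|RUNPATH)\)\s+Library r(?:un)?path: \[(.*)\]")


def parse_search_path(readelf_output):
    """Return RPATH/RUNPATH entries in loader order; empty entries are kept on purpose."""
    entries = []
    for line in readelf_output.splitlines():
        m = RPATH_RE.search(line)
        if m:
            entries.extend(m.group(1).split(":"))
    return entries


def dir_is_world_writable(path):
    """Real probe: the directory, or its nearest existing ancestor if it does not exist yet,
    is writable by group or others, so a Trojan .so could be dropped into the search path."""
    while not os.path.isdir(path) and path not in ("/", ""):
        path = os.path.dirname(path)
    try:
        return bool(os.stat(path).st_mode & 0o022)
    except OSError:
        return False


def audit_search_path(readelf_output, is_writable=dir_is_world_writable):
    """Flag entries that let an unprivileged user decide which library a setuid program loads.
    The loader ignores LD_LIBRARY_PATH for setuid binaries, so the embedded RPATH/RUNPATH
    entries and the permissions of the directories they name are what matter."""
    findings = []
    for entry in parse_search_path(readelf_output):
        if entry in ("", "."):
            findings.append((entry, "resolves against the caller's working directory"))
        elif not entry.startswith("/"):
            findings.append((entry, "relative entry; resolution depends on the binary's location"))
        elif is_writable(entry):
            findings.append((entry, "directory writable by unprivileged users; a planted library shadows the real one"))
    return findings


if __name__ == "__main__":
    for entry, reason in audit_search_path(SAMPLE_READELF, SAMPLE_WRITABLE.get):
        print(f"RISK {entry!r}: {reason}")
```

Run it against a real binary with `readelf -d /path/to/setuid-program` piped into `audit_search_path` using the default `dir_is_world_writable` probe; an empty result means no search-path entry is under unprivileged control.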
