Privilege escalation in IBM Notes Diagnostics #6

This is the fifth blog post in a series documenting various bugs found in installed software during customer engagements. Vulnerabilities will be published, when the vendor has provided fixes, or our deadline for the vendor to take action expires. This process is aligned with the Improsec Responsible Disclosure Policy.

In these blog posts I tend to be a bit verbose and give some insights into the process. Concrete exploitation steps and code is listed at the bottom.

CVE-ID: 2018-1437
IBM Bulletin: IBM Notes Privilege Escalation in IBM Notes System Diagnostics service (CVE-2018-1437)


This is yet another case of DLL Search Order Hijacking. Even though Windows has a few safety mechanisms to prevent this class of vulnerabilities, they still occur quite frequently.
In most cases, when you call LoadLibray, you will want to call SetDllDirectory first, to effectively remove the current working directory from the list of paths that will be searched. The dll hijacking vulnerabilities I have found in IBM Notes have all been the result of the application trying to load a missing dll, causing it to end up searching the current working directory, which I have been able to control.

In this case, it is tlhelp32.dll, which the nsd.exe running as SYSTEM attempts to load, while having its current working directory set from the “Directory” variable in the users notes.ini file. 

Privilege escalation in IBM Notes Diagnostics #6_1.png
Privilege escalation in IBM Notes Diagnostics #6_2.png

Recommendations

  • Apply the patch/fix provided by IBM in the related Security Bulletin (see above).

TL;DR


Exploitation steps:

1. Make sure that the Notes application is already running, and that the user has the necessary Notes configuration files present.

2. Place a malicious dll with the filename tlhelp32.dll in c:\Users\[username]\AppData\Local\IBM\Notes\Data\

3. Go to c:\Users\[username]\AppData\Local\IBM\Notes\Data\

4. Run: "c:\Program Files (x86)\IBM\Notes\nsd.exe"