SAINT CorporationSAINT:2408CD2B680C4475079F0453E41F7531Lotus Expeditor cai URI handler command injection
EPSS
Percentile
99.0%
Added: 06/20/2008
CVE: CVE-2008-1965
BID: 28926
OSVDB: 44868
Background
Lotus Expeditor is a desktop integration framework used by Lotus products including Lotus Symphony.
Problem
Lotus Expeditor registers a handler for **cai:** URIs which passes arbitrary arguments to **rcplauncher.exe**. This allows command execution when a user loads a specially crafted **cai:** web page which uses the **-launcher** argument.
Resolution
Remove the following registry key: **HKEY_CLASSES_ROOT\cai\shell\open\command**
References
<http://archives.neohapsis.com/archives/fulldisclosure/2008-04/0640.html>
<http://www-1.ibm.com/support/docview.wss?uid=swg21303813>
Limitations
Exploit works on IBM Lotus Symphony 1.0 Beta 4. Before the exploit can succeed the **exploit.exe** file must be downloaded from the exploit server and placed on an SMB share which is accessible from the target system.
Platforms
Windows
Related
