Lotus Expeditor cai URI handler command injection

2008-06-2000:00:00

SAINT Corporation

my.saintcorporation.com

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS

0.926

Percentile

99.0%

JSON

Added: 06/20/2008
CVE: CVE-2008-1965
BID: 28926
OSVDB: 44868

Background

Lotus Expeditor is a desktop integration framework used by Lotus products including Lotus Symphony.

Problem

Lotus Expeditor registers a handler for **cai:** URIs which passes arbitrary arguments to **rcplauncher.exe**. This allows command execution when a user loads a specially crafted **cai:** web page which uses the **-launcher** argument.

Resolution

Remove the following registry key: **HKEY_CLASSES_ROOT\cai\shell\open\command**

References

<http://archives.neohapsis.com/archives/fulldisclosure/2008-04/0640.html>
<http://www-1.ibm.com/support/docview.wss?uid=swg21303813>

Limitations

Exploit works on IBM Lotus Symphony 1.0 Beta 4. Before the exploit can succeed the **exploit.exe** file must be downloaded from the exploit server and placed on an SMB share which is accessible from the target system.