IBM Lotus Notes URL Handler Command Execution

2012-09-07T00:00:00
ID SAINT:4C6CD66A579269BBC6A033367A5ED1B9
Type saint
Reporter SAINT Corporation
Modified 2012-09-07T00:00:00

Description

Added: 09/07/2012
CVE: CVE-2012-2174
BID: 54070
OSVDB: 83063

Background

Lotus Notes is the client for Lotus Domino servers.

Problem

Lotus Notes 8.5.3 and earlier is vulnerable to remote code execution when handling a specially crafted URL. A remote attacker can pass the -RPARAMS command line argument to notes.exe, which then launches rpclauncher.exe. If the attacker also supplies the java -vm command, arbitrary code can be executed in the context of the notes.exe process.
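A detection-side check for the behaviour described above, added here as an example and not part of the SAINT advisory or any IBM tooling: it scans process-creation records for notes.exe started with the -RPARAMS or -vm arguments, and for rpclauncher.exe spawned by such a process. The record field names, paths and sample events are constructed, and the exact syntax around the arguments is an assumption.

```python
import re
from ntpath import basename

# Argument names come from the advisory text; the syntax around them is an
# assumption, so the match is on the bare option names only.
SUSPICIOUS_ARGS = {
    "-RPARAMS": re.compile(r"(?<![\w-])-rparams\b", re.I),
    "-vm": re.compile(r"(?<![\w-])-vm\b", re.I),
}
BROWSERS = {"iexplore.exe"}  # the advisory names Internet Explorer 8 and 9


def triage(events):
    """Return (pid, reasons) for notes.exe / rpclauncher.exe launches worth review."""
    flagged, findings = set(), []
    by_pid = {e["pid"]: e for e in events}
    for e in events:  # events are assumed to be in start-time order
        name = basename(e["image"]).lower()
        parent = by_pid.get(e["ppid"])
        parent_name = basename(parent["image"]).lower() if parent else ""
        reasons = []
        if name == "notes.exe":
            reasons = [f"argument {arg}" for arg, rx in SUSPICIOUS_ARGS.items()
                       if rx.search(e["command_line"])]
            if reasons and parent_name in BROWSERS:
                reasons.append(f"started by {parent_name}")
        elif name == "rpclauncher.exe" and e["ppid"] in flagged:
            reasons = ["child of flagged notes.exe"]
        if reasons:
            flagged.add(e["pid"])
            findings.append((e["pid"], reasons))
    return findings


# Constructed process-creation records (hypothetical field names and paths).
SAMPLE = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "command_line": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Apps\Notes\notes.exe", "command_line": "notes.exe"},
    {"pid": 300, "ppid": 100, "image": r"C:\Apps\IE\iexplore.exe", "command_line": "iexplore.exe"},
    {"pid": 310, "ppid": 300, "image": r"C:\Apps\Notes\notes.exe",
     "command_line": "notes.exe -RPARAMS java -vm PLACEHOLDER"},
    {"pid": 320, "ppid": 310, "image": r"C:\Apps\Notes\rpclauncher.exe",
     "command_line": "rpclauncher.exe PLACEHOLDER"},
    {"pid": 400, "ppid": 200, "image": r"C:\Apps\Notes\rpclauncher.exe", "command_line": "rpclauncher.exe"},
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE):
        print(pid, "; ".join(reasons))
```

The same rule can be applied to any process-creation telemetry that records the image path, parent process and full command line.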

Resolution

Apply the updates as described in the IBM Security Bulletin.

References

<http://www.zerodayinitiative.com/advisories/ZDI-12-154/>

Limitations

This exploit has been tested against IBM Lotus Notes 8.5.3 FP1 on Microsoft Windows XP SP3 English (DEP OptIn) and Microsoft Windows 7 SP1 (DEP OptIn).

The user must open the HTML page using Internet Explorer 8 or 9 on the target.

The binary 'smbclient' must be available to the script.

The target must be able to access the specified SMB share anonymously.

A valid login and password with write permission for the specified SMB share are required.

Platforms

Windows