SAINT Corporation, SAINT:C627294DBD8C18A68C09D1F058347049
Sep 07, 2012 - 12:00 a.m.

IBM Lotus Notes URL Handler Command Execution

2012-09-07 00:00:00
SAINT Corporation
my.saintcorporation.com

CVSS2: 9.3 High (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
EPSS: 0.971 High (Percentile: 99.7%)

Added: 09/07/2012
CVE: CVE-2012-2174
BID: 54070
OSVDB: 83063

Background

Lotus Notes is the client for Lotus Domino servers.

Problem

Lotus Notes 8.5.3 and earlier is vulnerable to remote code execution when handling a specially crafted URL. A remote attacker can pass the -RPARAMS command line argument to notes.exe, which then launches rpclauncher.exe. By also supplying the java -vm command, the attacker can execute arbitrary code in the context of the notes.exe process.
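
One way to hunt for the behaviour described above in process-creation telemetry, as an added example that is not part of the original advisory: it flags notes.exe started with -RPARAMS and alerts when -vm is also present or the parent process is a browser or mail client. The event field names, the parent-process list, the review/alert split and the sample events are constructed assumptions.

```python
import ntpath
import re

# Flags named in the advisory; compared case-insensitively.
RPARAMS, VM = "-rparams", "-vm"
# Assumption: programs that hand URLs to registered protocol handlers.
URL_SOURCES = {"iexplore.exe", "firefox.exe", "chrome.exe", "outlook.exe"}

def tokens(cmdline):
    """Split a Windows command line into lower-cased tokens, honouring double quotes."""
    return [(quoted or bare).lower()
            for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def classify(event):
    """Return None, 'review' or 'alert' for one process-creation event."""
    if ntpath.basename(event["image"]).lower() != "notes.exe":
        return None
    args = tokens(event["command_line"])
    if RPARAMS not in args:
        return None
    parent = ntpath.basename(event["parent_image"]).lower()
    # -RPARAMS together with -vm, or arriving from a URL source, matches the
    # advisory's description; -RPARAMS alone is only queued for review.
    if VM in args or parent in URL_SOURCES:
        return "alert"
    return "review"

# Constructed sample events (field names are assumptions, values are placeholders).
SAMPLE_EVENTS = [
    {"image": r"C:\Notes\notes.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Notes\notes.exe"'},
    {"image": r"C:\Notes\notes.exe",
     "parent_image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "command_line": r'"C:\Notes\notes.exe" -RPARAMS java -vm <placeholder>'},
    {"image": r"C:\Notes\notes.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"notes.exe -rparams <placeholder>"},
    {"image": r"C:\Java\bin\java.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"java.exe -vm <placeholder>"},
    {"image": r"C:\Notes\notes.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Notes\notes.exe" "-RParams" java "-VM" <placeholder>'},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev), "|", ev["parent_image"], "->", ev["command_line"])
```
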

Resolution

Apply the updates as described in the IBM Security Bulletin.

References

<http://www.zerodayinitiative.com/advisories/ZDI-12-154/>

Limitations

This exploit has been tested against IBM Lotus Notes 8.5.3 FP1 on Microsoft Windows XP SP3 English (DEP OptIn) and Microsoft Windows 7 SP1 (DEP OptIn).

The user must open the HTML page using Internet Explorer 8 or 9 on the target.

The binary ‘smbclient’ must be available to the script.

The target must be able to access the specified SMB share anonymously.

A valid login and password with write permission for the specified SMB share are required.

Platforms

Windows
