IBM Lotus Notes URL Command Injection Remote Code Execution Vulnerability

ID ZDI-12-154
Type zdi
Reporter Moritz Jodeit
Modified 2012-06-22T00:00:00


This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM Lotus Notes. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within notes.exe. When handling URLs, it is possible to inject the -RPARAMS command line argument into the call to notes.exe, which will then launch rcplauncher.exe. Including the java -vm command will allow for the attacker to execute code under the context of the process.