Lotus Expeditor cai URI handler command injection

Added: 06/20/2008
CVE: CVE-2008-1965
BID: 28926
OSVDB: 44868

Background

Lotus Expeditor is a desktop integration framework used by Lotus products including Lotus Symphony.

Problem

Lotus Expeditor registers a handler for cai: URIs that passes arbitrary arguments to rcplauncher.exe. This allows command execution when a user loads a specially crafted web page containing a cai: URI that uses the -launcher argument.

Resolution

Remove the following registry key: HKEY_CLASSES_ROOT\cai\shell\open\command
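
One way to apply this resolution, shown as an added example that is not part of the original advisory: the PowerShell script below reports any cai: handler command key and removes it only when run with -Remove, after exporting a backup. The -Remove switch, the backup directory and the file naming are assumptions of this example; removing the machine-wide key requires an elevated prompt.

```powershell
# Added example: audit and optionally remove the cai: URI handler registration.
param(
    [switch]$Remove,                                     # without -Remove the script only reports
    [string]$BackupDir = "$env:TEMP\cai-handler-backup"  # assumed backup location
)

# HKEY_CLASSES_ROOT is a merged view of these two hives, so check each one.
$hives  = @('HKLM:\SOFTWARE\Classes', 'HKCU:\SOFTWARE\Classes')
$subKey = 'cai\shell\open\command'   # key named in the Resolution section

$found = foreach ($hive in $hives) {
    $path = Join-Path $hive $subKey
    if (Test-Path -LiteralPath $path) {
        # The unnamed (Default) value holds the command line Windows runs for cai: links.
        $cmd = (Get-Item -LiteralPath $path).GetValue('')
        [pscustomobject]@{ Path = $path; Command = $cmd }
    }
}

if (-not $found) {
    Write-Output 'No cai: handler command key found.'
    return
}
$found | Format-List

if ($Remove) {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($entry in $found) {
        # reg.exe expects HKLM\... rather than the PowerShell drive form HKLM:\...
        $regPath = $entry.Path -replace '^(HK[A-Z]+):', '$1'
        $backup  = Join-Path $BackupDir (($regPath -replace '[\\:]', '_') + '.reg')
        reg.exe export $regPath $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup of $regPath failed; key not removed." }
        Remove-Item -LiteralPath $entry.Path -Recurse
        Write-Output "Removed $($entry.Path) (backup: $backup)"
    }
}
```

Run it once without -Remove to see what is registered, then again with -Remove to delete the key.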

References

http://archives.neohapsis.com/archives/fulldisclosure/2008-04/0640.html
http://www-1.ibm.com/support/docview.wss?uid=swg21303813

Limitations

The exploit works on IBM Lotus Symphony 1.0 Beta 4. Before the exploit can succeed, the exploit.exe file must be downloaded from the exploit server and placed on an SMB share that is accessible from the target system.

Platforms

Windows
