Lotus Expeditor cai URI handler command injection
Added: 06/20/2008
CVE: CVE-2008-1965
BID: 28926
OSVDB: 44868
Background
Lotus Expeditor is a desktop integration framework used by Lotus products including Lotus Symphony.
Problem
Lotus Expeditor registers a handler for cai: URIs which passes arbitrary arguments to rcplauncher.exe. This allows command execution when a user loads a specially crafted cai: web page which uses the -launcher argument.
Resolution
Remove the following registry key: HKEY_CLASSES_ROOT\cai\shell\open\command
References
http://archives.neohapsis.com/archives/fulldisclosure/2008-04/0640.html
http://www-1.ibm.com/support/docview.wss?uid=swg21303813
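The registry change given under Resolution, as an added PowerShell example (not part of the original advisory or any vendor tooling): it reports whether the cai: handler command key is registered and, with -Remove, backs it up and deletes it. The -Remove switch and the backup directory are assumptions of this example; because HKEY_CLASSES_ROOT is a merged view, it checks both the per-machine and per-user class hives.

```powershell
# Added example, not vendor code. Reports the cai: handler and, with -Remove, deletes it.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove,                                      # report-only unless set
    [string]$BackupDir = (Join-Path $env:TEMP 'cai-bak')  # assumed backup location
)

# HKEY_CLASSES_ROOT is a merged view of these two hives, so check both.
$roots  = 'HKLM:\SOFTWARE\Classes', 'HKCU:\SOFTWARE\Classes'
$subKey = 'cai\shell\open\command'

foreach ($root in $roots) {
    $path = Join-Path $root $subKey
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Output "Not registered: $path"
        continue
    }

    # The command line run for cai: links is the key's default value.
    $command = (Get-Item -LiteralPath $path).GetValue('')
    Write-Output "Registered:     $path"
    Write-Output "  command:      $command"

    if (-not $Remove) { continue }

    if ($PSCmdlet.ShouldProcess($path, 'Remove cai: handler command key')) {
        # Export the whole cai key first so the change can be reverted.
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        $regKey = (Join-Path $root 'cai') -replace '^(HK[A-Z]+):', '$1'
        $backup = Join-Path $BackupDir (($regKey -replace '\\', '_') + '.reg')
        & reg.exe export $regKey $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup of $regKey failed; key not removed." }

        # Removing the HKLM copy requires an elevated session.
        Remove-Item -LiteralPath $path -Recurse
        Write-Output "  removed, backup at $backup"
    }
}
```

Run it without arguments to audit a host; add -Remove -WhatIf to preview the deletion before applying it.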
Limitations
Exploit works on IBM Lotus Symphony 1.0 Beta 4. Before the exploit can succeed, the exploit.exe file must be downloaded from the exploit server and placed on an SMB share which is accessible from the target system.
Platforms
Windows