IBM Lotus Notes URL Handler Command Execution

Added: 09/07/2012
CVE: CVE-2012-2174
BID: 54070
OSVDB: 83063


Lotus Notes is the client for Lotus Domino servers.


Lotus Notes 8.5.3 (and earlier) is vulnerable to remote code execution when handling a specially crafted URL. A remote attacker can pass the -RPARAMS command line argument to notes.exe, which then launches rpclauncher.exe. Also supplying the java -vm command allows the attacker to execute arbitrary code in the context of the notes.exe process.


Apply the updates as described in the IBM Security Bulletin.



This exploit has been tested against IBM Lotus Notes 8.5.3 FP1 on Microsoft Windows XP SP3 English (DEP OptIn) and Microsoft Windows 7 SP1 (DEP OptIn).

The user must open the HTML page using Internet Explorer 8 or 9 on the target.

The binary 'smbclient' must be available to the script.

The target must be able to access the specified SMB share anonymously.

A valid login and password with write permission for the specified SMB share are required.



Back to exploit index