Nmap Development mailing list archives
Nmap service probe for Zend Java Bridge control port
From: Michael Schierl <schierlm () gmx de>
Date: Sun, 17 Apr 2011 20:29:37 +0200
[Please CC me since I am not subscribed to the list.]

Hi all,

as described in <http://www.zerodayinitiative.com/advisories/ZDI-11-113/>, Zend Java Bridge has a control port which accidentally has been bound to all interfaces instead of only the loopback device in some (vulnerable) versions of Zend Server.

You can use this service probe to detect that control port (unfortunately, there are no version commands, so no version numbers are available). But, if you find that port open, and it answers the probe correctly, you can exploit it.

It was a bit tricky to find a request that does not require any objrefs (which would have needed to be requested first and then inserted into a subsequent request), but still provides an answer that does not consist of only an objref (4 "random" bytes). But I guess the GetClassName call called with an empty string is a good candidate.

Port 10001 is the default; it can be changed, but I guess most admins won't.
###################################################################
# Zend Java Bridge, vulnerable control port, see
# <http://www.zerodayinitiative.com/advisories/ZDI-11-113/>
#
Probe TCP ZendJavaBridge q|\0\0\0\x1f\0\0\0\0\0\0\0\x0cGetClassName\0\0\0\x02\x04\0\0\0\0\x01\0|
rarity 8
ports 10001
match zend-java-bridge m|^\0\0\0\x15\x04\0\0\0\x10java\.lang\.String$|
###################################################################
Example output:

PORT      STATE SERVICE          VERSION
10001/tcp open  zend-java-bridge
Have fun :-)

Michael

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
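As an added example (not part of Michael's post and not Nmap's own code): a small Python decoder for the two nmap-service-probes lines above, useful for checking offline that a captured banner would trip the `match` line before the probe goes into a scanner or an IDS signature. It decodes the `q|...|` escapes into the raw 35-byte request, compiles the `m|...|` pattern as a bytes regex, and runs it over constructed sample replies (none of them captured from a real server). The reading of the first four bytes as a big-endian length of the remainder is my assumption from the byte values, not something the post states.

```python
import re

# The two nmap-service-probes lines from the post, copied verbatim.
PROBE_LINE = r"Probe TCP ZendJavaBridge q|\0\0\0\x1f\0\0\0\0\0\0\0\x0cGetClassName\0\0\0\x02\x04\0\0\0\0\x01\0|"
MATCH_LINE = r"match zend-java-bridge m|^\0\0\0\x15\x04\0\0\0\x10java\.lang\.String$|"

# Single-character C-style escapes accepted inside a q|...| probe string.
_ESCAPES = {"0": 0x00, "a": 0x07, "b": 0x08, "f": 0x0c, "n": 0x0a,
            "r": 0x0d, "t": 0x09, "v": 0x0b, "\\": 0x5c}


def unescape_probe_string(text: str) -> bytes:
    # Turn the textual escapes (\0, \xHH, \n, \\ ...) of a probe string into raw bytes.
    out = bytearray()
    i = 0
    while i < len(text):
        ch = text[i]
        if ch != "\\":
            out.append(ord(ch))
            i += 1
        elif text[i + 1] == "x":              # \xHH: exactly two hex digits
            out.append(int(text[i + 2:i + 4], 16))
            i += 4
        elif text[i + 1] in _ESCAPES:         # \0, \n, \r, \t, \\ ...
            out.append(_ESCAPES[text[i + 1]])
            i += 2
        else:                                 # any other escaped char stands for itself
            out.append(ord(text[i + 1]))
            i += 2
    return bytes(out)


def parse_probe(line: str):
    # Split 'Probe <proto> <name> q|<bytes>|' into (proto, name, request_bytes).
    m = re.fullmatch(r"Probe (TCP|UDP) (\S+) q(.)(.*)\3", line)
    if not m:
        raise ValueError("not a Probe line: " + line)
    return m.group(1), m.group(2), unescape_probe_string(m.group(4))


def parse_match(line: str):
    # Split 'match <service> m|<regex>|' into (service, compiled bytes regex).
    # The pattern is a PCRE; this one only uses \0, \xHH, \., ^ and $, which
    # Python's re module interprets the same way.
    m = re.fullmatch(r"match (\S+) m(.)(.*)\2(?:\s.*)?", line)
    if not m:
        raise ValueError("not a match line: " + line)
    return m.group(1), re.compile(m.group(3).encode("latin-1"), re.DOTALL)


def framed_length_ok(msg: bytes) -> bool:
    # Assumption (my reading of the byte values, not stated in the post): the first
    # four bytes are a big-endian length of the rest of the message. It holds for the
    # request (0x1f == 31 bytes follow) and for the expected reply (0x15 == 21 follow).
    return len(msg) >= 4 and int.from_bytes(msg[:4], "big") == len(msg) - 4


def classify_response(response: bytes, matches):
    # Return the service name of the first match line whose regex hits, else None.
    for service, regex in matches:
        if regex.search(response):
            return service
    return None


# Constructed sample replies (not captured from a real server).
REPLY_HIT = b"\x00\x00\x00\x15\x04\x00\x00\x00\x10java.lang.String"        # what the match line expects
REPLY_NEAR_MISS = b"\x00\x00\x00\x15\x04\x00\x00\x00\x10java.lang.Object"  # same framing, other class name
REPLY_HTTP = b"HTTP/1.1 400 Bad Request\r\n"                               # some unrelated listener

MATCHES = [parse_match(MATCH_LINE)]

if __name__ == "__main__":
    proto, name, request = parse_probe(PROBE_LINE)
    print(name, proto, len(request), "bytes:", request.hex())
    print("request length prefix consistent:", framed_length_ok(request))
    for reply in (REPLY_HIT, REPLY_NEAR_MISS, REPLY_HTTP):
        print(reply[:12], "->", classify_response(reply, MATCHES))
```

The near-miss reply is the useful check: it has the same framing and the same 16-byte class-name length but a different name, and the anchored regex correctly rejects it, so the signature keys on the `java.lang.String` answer and not merely on the length header.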
Current thread:
- Nmap service probe for Zend Java Bridge control port Michael Schierl (Apr 17)
- Re: Nmap service probe for Zend Java Bridge control port David Fifield (Apr 18)