Nmap Development mailing list archives

Nmap service probe for Zend Java Bridge control port


From: Michael Schierl <schierlm () gmx de>
Date: Sun, 17 Apr 2011 20:29:37 +0200

[Please CC me since I am not subscribed to the list.]

Hi all,

as described in
<http://www.zerodayinitiative.com/advisories/ZDI-11-113/>, Zend Java
Bridge has a control port which has accidentally been bound to all
interfaces instead of only the loopback device in some (vulnerable)
versions of Zend Server.

You can use this service probe to detect that control port
(unfortunately there are no version commands, so no version numbers
are available). But if you find that port open and it answers the probe
correctly, you can exploit it.


It was a bit tricky to find a request that does not require any objrefs
(which would have needed to be requested first and then inserted into a
subsequent request), but still provides an answer that does not consist
of only an objref (4 "random" bytes). But I guess the GetClassName call
with an empty string is a good candidate.

Port 10001 is the default; it can be changed, but I guess most admins won't.

###################################################################
# Zend Java Bridge, vulnerable control port, see
# <http://www.zerodayinitiative.com/advisories/ZDI-11-113/>
#
Probe TCP ZendJavaBridge q|\0\0\0\x1f\0\0\0\0\0\0\0\x0cGetClassName\0\0\0\x02\x04\0\0\0\0\x01\0|
rarity 8
ports 10001

match zend-java-bridge m|^\0\0\0\x15\x04\0\0\0\x10java\.lang\.String$|
###################################################################


Example output:

PORT      STATE SERVICE          VERSION
10001/tcp open  zend-java-bridge

Have fun :-)

Michael
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/