Nmap Development mailing list archives

Re: Nmap service probe for Zend Java Bridge control port


From: David Fifield <david () bamsoftware com>
Date: Mon, 18 Apr 2011 12:30:02 -0700

On Sun, Apr 17, 2011 at 08:29:37PM +0200, Michael Schierl wrote:
> [Please CC me since I am not subscribed to the list.]
>
> Hi all,
>
> as described in
> <http://www.zerodayinitiative.com/advisories/ZDI-11-113/>, Zend Java
> Bridge has a control port which has accidentally been bound to all
> interfaces instead of only the loopback device in some (vulnerable)
> versions of Zend Server.
>
> You can use this service probe to detect that control port
> (unfortunately, there are no version commands, so no version numbers
> are available). But if you find that port open and it answers the probe
> correctly, you can exploit it.
>
>
> It was a bit tricky to find a request that does not require any objrefs
> (which would have needed to be requested first and then inserted into a
> subsequent request) but still provides an answer that does not consist
> of only an objref (4 "random" bytes). But I guess the GetClassName call
> with an empty string is a good candidate.

Thanks Michael, I have just committed this.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
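The root cause in the thread is a control port that should listen only on the loopback device but was bound to all interfaces. A probe found it from the outside; the complementary check from the inside is to audit a host's listening sockets against a loopback-only policy. The script below is an added example, not code from the thread, from Michael Schierl or from the Nmap project. It parses output in the layout of Linux `ss -ltn` (the sample lines are constructed here), and the port numbers and labels in `LOOPBACK_ONLY_PORTS` are hypothetical policy entries, not Zend's real port.

```python
"""Audit listening sockets for services that must be loopback-only.

Added example (not from the nmap-dev thread). It reads text in the shape
of `ss -ltn` output and flags any port from a loopback-only policy that is
bound to a wildcard or non-loopback address, i.e. the misbinding the
thread describes. Policy ports and sample lines are constructed.
"""
import ipaddress
import re
import subprocess

# Hypothetical policy: ports that must only listen on the loopback device.
LOOPBACK_ONLY_PORTS = {10001: "hypothetical control port", 3306: "database"}

# Constructed sample in the layout of `ss -ltn` on Linux.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port   Peer Address:Port Process
LISTEN  0       128            0.0.0.0:22          0.0.0.0:*
LISTEN  0       128               [::]:22             [::]:*
LISTEN  0       50           127.0.0.1:3306        0.0.0.0:*
LISTEN  0       128            0.0.0.0:10001       0.0.0.0:*
LISTEN  0       128      192.168.1.10:8080        0.0.0.0:*
"""

# Matches "[v6addr]:port" or "v4addr:port"; port may be "*" for peers.
_ADDR_PORT = re.compile(r"^(?:\[(?P<v6>[^\]]*)\]|(?P<v4>[^:]+)):(?P<port>\d+|\*)$")


def split_local(field):
    """Split an ss 'Local Address:Port' field into (address, port).

    Returns (None, None) for fields it does not understand.
    """
    m = _ADDR_PORT.match(field)
    if not m or m.group("port") == "*":
        return None, None
    addr = m.group("v6") if m.group("v6") is not None else m.group("v4")
    return addr, int(m.group("port"))


def is_loopback_bind(addr):
    """True only for an explicit loopback address (127.0.0.0/8 or ::1).

    Wildcards (0.0.0.0, ::, '*') and any routable address are not loopback.
    """
    if addr in ("*", "", "::", "0.0.0.0"):
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def parse_listeners(ss_output):
    """Return [(addr, port)] for each LISTEN line of ss -ltn style output."""
    listeners = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        addr, port = split_local(parts[3])
        if port is not None:
            listeners.append((addr, port))
    return listeners


def find_exposed(ss_output, policy=LOOPBACK_ONLY_PORTS):
    """Return [(addr, port, label)] for policy ports not bound to loopback."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        if port in policy and not is_loopback_bind(addr):
            findings.append((addr, port, policy[port]))
    return findings


def audit_live_host(policy=LOOPBACK_ONLY_PORTS):
    """Run the same audit against the current Linux host (needs `ss`)."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True,
                         text=True, check=True).stdout
    return find_exposed(out, policy)


if __name__ == "__main__":
    for addr, port, label in find_exposed(SAMPLE_SS_OUTPUT):
        print(f"EXPOSED: {label} on port {port} bound to {addr}")
```

Run as-is it reports the constructed port 10001 bound to 0.0.0.0 and stays silent about 3306 on 127.0.0.1; `audit_live_host()` applies the same policy to the machine it runs on. A dual-stack wildcard shows up as `[::]` in `ss`, which is why the wildcard check covers both address families rather than relying on `is_loopback` alone.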