Nmap Development mailing list archives
Re: Nmap service probe for Zend Java Bridge control port
From: David Fifield <david () bamsoftware com>
Date: Mon, 18 Apr 2011 12:30:02 -0700
On Sun, Apr 17, 2011 at 08:29:37PM +0200, Michael Schierl wrote:
[Please CC me since I am not subscribed to the list.]

Hi all,

as described in <http://www.zerodayinitiative.com/advisories/ZDI-11-113/>, Zend Java Bridge has a control port which has accidentally been bound to all interfaces instead of only the loopback device in some (vulnerable) versions of Zend Server. You can use this service probe to detect that control port (unfortunately, there are no version commands, so no version numbers are available). But if you find that port open, and it answers the probe correctly, you can exploit it.

It was a bit tricky to find a request that does not require any objrefs (which would have needed to be requested first and then inserted into a subsequent request), but still provides an answer that does not consist of only an objref (4 "random" bytes). But I guess the GetClassName call with an empty string is a good candidate.
Thanks, Michael. I have just committed this.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/