Re: Nmap service probe for Zend Java Bridge control port
From: David Fifield <david () bamsoftware com>
Date: Mon, 18 Apr 2011 12:30:02 -0700
On Sun, Apr 17, 2011 at 08:29:37PM +0200, Michael Schierl wrote:
> [Please CC me since I am not subscribed to the list.]
>
> As described in
> <http://www.zerodayinitiative.com/advisories/ZDI-11-113/>, Zend Java
> Bridge has a control port which has accidentally been bound to all
> interfaces instead of only the loopback device in some (vulnerable)
> versions of Zend Server.
>
> You can use this service probe to detect that control port
> (unfortunately, there are no version commands, so no version numbers
> are available). But if you find that port open, and it answers the
> probe correctly, you can exploit it.
>
> It was a bit tricky to find a request that does not require any objrefs
> (which would have needed to be requested first and then inserted into a
> subsequent request), but still provides an answer that does not consist
> of only an objref (4 "random" bytes). But I guess the GetClassName call
> with an empty string is a good candidate.
Thanks Michael, I have just committed this.
Sent through the nmap-dev mailing list
Archived at http://seclists.org/nmap-dev/