Zend Server Java Bridge Remote Code Execution

2011-04-08T00:00:00
ID SAINT:417288D53D4790C098441CD38B03A420
Type saint
Reporter SAINT Corporation
Modified 2011-04-08T00:00:00

Description

Added: 04/08/2011
BID: 47060
OSVDB: 71420

Background

Zend Server is an enterprise web application server for hosting PHP applications.

Problem

The Zend Server Java Bridge allows PHP applications to execute methods in Java classes. The Java Bridge does not validate that requests to execute Java code have originated from the Zend Server. An attacker can exploit this weakness to execute malicious Java code on the server.

Resolution

Apply the Java Bridge hotfix dated March 24, 2011 to Zend Server 5.1.0, or update to a later version.

References

<http://static.zend.com/topics/ZS-510-JavaBridge-Hotfix-ReleaseNotes-20110324.txt>
<http://www.zerodayinitiative.com/advisories/ZDI-11-113/>
<http://secunia.com/advisories/43867/>

Limitations

This exploit has been tested against Zend Technologies Zend Server 5.1.0 running on Microsoft Windows Server 2003 SP2 English (DEP OptOut) and Windows Server 2008 SP1 English (DEP OptOut).

The smbclient executable must be available on the exploit server, and a valid SMB user with permission to write to the SMB share is required. The SMB password must not contain single quotes (').

Platforms

Windows