Brian Holyfield has published an entry on using Windows WCF to perform backend port scanning. This is possible due to the callback functionality WCF provides. From his article
"Last weekend at Shmoocon, I demonstrated how an attacker can trick
certain WCF web services into performing an unauthorized port scan of
machines behind a firewall. For those that were not able to attend the
talk, the slides are posted here.
The part that covers the port scanning technique may not be clear in
isolation, so I’ll try and explain it in detail. The problem is related
to the WSDualHttpBinding, so in order to understand how the scanning
technique works you must first understand some WSDualHttpBinding basics."
Not groundbreaking, but worth the read if you're unfamiliar with such things. He has also posted PoC code.
Article Link: http://www.gdssecurity.com/l/b/2010/02/12/abusing-wcf-to-perform-remote-port-scans/
