Activity Feed

2

Hey @oosman-rak ! I saw you reported this as exploited in the wild, but I haven’t been able to find any sources on exploitation myself. I’m definitely interested in knowing where this is being exploited so we can maybe make a note to look into it!

2
Technical Analysis

This has now been reported as being exploited in the wild as part of the FreakOut attacks as first reported by CheckPoint Research at https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/.

2
Ratings
Technical Analysis

Reported as exploited in the wild by CheckPoint Research as part of the FreakOut attacks, as written up at https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/. This operation was designed to create an IRC-controlled botnet that could be used for future operations, and for coin mining.

As written in https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/, the attackers abused the Zend3 feature (which loads classes from objects) of Zend Framework version 3.0.0 and higher to cause a deserialization issue. In the case of the FreakOut attacks, attackers sent a crafted POST request to /zend3/public with a serialized payload containing a callback parameter, and injected commands to be executed into the serialized callbackOptions parameter in place of the normal array.

There is also a nice analysis of this vulnerability at https://github.com/Ling-Yizhou/zendframework3-/blob/main/zend%20framework3%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%20rce.md should you wish to dive further into the gory details of the bug. This is written in Chinese though so you might need to translate it first.

As there is a lot of information on this vulnerability out at the moment, I am rating this as a high probability of exploitability, not because it's a complex bug, but purely because, given Checkpoint Research's write-up, all an attacker has to do is write a sample request from the screenshot provided, and they will be able to replicate the bug and craft a working exploit. Otherwise this would normally have a lower exploitability rating, as deserialization bugs are not always that simple to exploit.

Additionally, the bigger concern here is that there is no patch for this vulnerability for the Zend Framework to the best of my knowledge, since it is no longer supported by its developers. Users who are affected by this vulnerability are therefore encouraged to migrate to a different framework as soon as possible and severely limit interaction with any servers running Zend Framework in the meantime.

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

Noted as exploited in the wild by CheckPoint Research at https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/, who noted an exploit for this vulnerability was being used as part of a botnet building operation.

Looking into their writeup, they note that remote unauthenticated attackers can use this vulnerability to take over the TerraMaster TOS operating system via command injection in the event parameter in the /include/makecvs.php page. Interestingly, they don't specify the user the attacker's injected command will run as, but they do include a very useful screenshot which shows that a GET request to /include/makecvs.php?Event=%60, followed by the command the attacker wishes to execute, followed by another %60, will allow for arbitrary command injection. %60 is `, which suggests that the command being executed may have been enclosed in backticks, and that by escaping these backticks, the attacker is able to execute arbitrary commands.

Users can patch this vulnerability by upgrading to version 4.2.06 of TerraMaster TOS on their NAS devices. Given the severity of this bug and evidence of exploitation in the wild, it is strongly encouraged to patch this vulnerability as soon as possible.

2
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Medium
Technical Analysis

A blind, time-based SQL injection was discovered in Email Subscribers & Newsletters WordPress plugin versions before 4.3.1. The hash parameter is vulnerable to injection. While readily accessible, with a decent number of installs, the SQLi is relatively complex compared to most common SQLi for WordPress plugins. The request requires a GUID (random is fine) and email (random is fine), and is formatted as such:
{"contact_id":"100','100','100','3'),('1594999398','1594999398','1',(1) AND #{payload},'100','100','3'),('1594999398','1594999398','1','100","campaign_id":"100","message_id":"100","email":"#{email}","guid":"#{guid}","action":"open"}

https://github.com/rapid7/metasploit-framework/pull/14418
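The three analyses above each describe a request shape a defender can look for: a POST to /zend3/public whose serialized callbackOptions is no longer an array, a GET to /include/makecvs.php whose Event parameter carries backticks, and an "open" tracking request to the Email Subscribers & Newsletters plugin whose contact_id is not the plain numeric value it should be. The following Python is an added example, not code from any of the posts, from CheckPoint Research or from the Rapid7 pull request; it runs those three checks over a small set of constructed requests. The request tuples, the placeholder command text, the plugin endpoint path and the serialized sample bodies are all assumptions made for the example, and the callback/callbackOptions key names are taken from the FreakOut description rather than from the Zend Framework source.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests (method, path+query, body). None of these are
# captured traffic; the paths and values follow the descriptions in the posts,
# with PLACEHOLDER_CMD standing in for whatever an attacker would inject.
SAMPLE_REQUESTS = [
    # 0: benign zend3 request, callbackOptions is an (empty) PHP array
    ("POST", "/zend3/public",
     'a:2:{s:8:"callback";s:6:"strval";s:15:"callbackOptions";a:0:{}}'),
    # 1: callbackOptions replaced by a string, as in the FreakOut write-up
    ("POST", "/zend3/public",
     'a:2:{s:8:"callback";s:6:"strval";s:15:"callbackOptions";s:15:"PLACEHOLDER_CMD";}'),
    # 2: benign makecvs.php request
    ("GET", "/include/makecvs.php?Event=backup", ""),
    # 3: Event wrapped in %60 (backticks), the TerraMaster injection shape
    ("GET", "/include/makecvs.php?Event=%60PLACEHOLDER_CMD%60", ""),
    # 4: benign ESNL "open" tracking request (endpoint path is assumed)
    ("POST", "/PLACEHOLDER_PLUGIN_ENDPOINT", json.dumps({
        "contact_id": "100", "campaign_id": "100", "message_id": "100",
        "email": "user@example.test", "guid": "11111111-2222", "action": "open"})),
    # 5: contact_id carrying the injection template from the post, payload left abstract
    ("POST", "/PLACEHOLDER_PLUGIN_ENDPOINT", json.dumps({
        "contact_id": "100','100','100','3'),('1594999398','1594999398','1',(1) AND PLACEHOLDER,'100",
        "campaign_id": "100", "message_id": "100",
        "email": "user@example.test", "guid": "11111111-2222", "action": "open"})),
]

# PHP serialization writes a key as s:<len>:"<name>"; followed by the value, whose
# first character is its type tag: a (array), s (string), O (object), i, b, N, ...
CALLBACK_OPTIONS = re.compile(r's:15:"callbackOptions";([A-Za-z])[:;]')


def zend_callback_options_type(body):
    """Return the serialized type tag of callbackOptions, or None if absent."""
    match = CALLBACK_OPTIONS.search(body)
    return match.group(1) if match else None


def check_zend(method, path, body):
    """Flag POSTs to /zend3/public where callbackOptions is not an array."""
    if method != "POST" or urlsplit(path).path != "/zend3/public":
        return None
    tag = zend_callback_options_type(body)
    if tag is not None and tag != "a":
        return "callbackOptions is serialized type %r instead of an array" % tag
    return None


def check_makecvs(method, path, body):
    """Flag makecvs.php requests whose Event parameter contains a backtick."""
    parts = urlsplit(path)
    if not parts.path.endswith("/include/makecvs.php"):
        return None
    # parse_qs already percent-decodes, so %60 arrives as a literal backtick
    params = {k.lower(): v for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    for value in params.get("event", []):
        if "`" in value:
            return "Event parameter contains a backtick: %r" % value[:40]
    return None


def check_esnl(method, path, body):
    """Flag ESNL 'open' requests whose contact_id is not purely numeric."""
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return None
    if not isinstance(data, dict) or data.get("action") != "open":
        return None
    contact_id = str(data.get("contact_id", ""))
    if not contact_id.isdigit():
        return "contact_id is not numeric: %r" % contact_id[:40]
    return None


RULES = [
    ("zend3-deserialization", check_zend),
    ("terramaster-makecvs-backtick", check_makecvs),
    ("esnl-contact_id-sqli", check_esnl),
]


def triage(requests):
    """Run every rule over every request; return (index, rule name, reason) hits."""
    hits = []
    for idx, (method, path, body) in enumerate(requests):
        for name, rule in RULES:
            reason = rule(method, path, body)
            if reason:
                hits.append((idx, name, reason))
    return hits


if __name__ == "__main__":
    for idx, name, reason in triage(SAMPLE_REQUESTS):
        print("request #%d: %s: %s" % (idx, name, reason))
```

The zend3 rule deliberately keys on the serialized type tag rather than on any particular command string, since the write-up's point is that the array was replaced by something else; the ESNL rule likewise treats any non-numeric contact_id as suspicious instead of matching SQL keywords, which catches the quote-and-parenthesis template from the post regardless of the time-based payload placed in it. Both checks only work on request bodies, so they belong in a WAF or reverse-proxy log rather than a plain access log.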