Attacker Value
Very High
(2 users assessed)
Exploitability
Very High
(2 users assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown

CVE-2021-3007

Disclosure Date: January 04, 2021
Exploited in the Wild
Reported by gwillcox-r7

Description

** DISPUTED ** Laminas Project laminas-http before 2.14.2, and Zend Framework 3.0.0, has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php. NOTE: Zend Framework is no longer supported by the maintainer. NOTE: the laminas-http vendor considers this a “vulnerability in the PHP language itself” but has added certain type checking as a way to prevent exploitation in (unrecommended) use cases where attacker-supplied data can be deserialized.


2
Ratings
Technical Analysis

Reported as exploited in the wild by CheckPoint Research as part of the FreakOut attacks, as written up at https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/. This operation was designed to create an IRC-controlled botnet that could be used for future operations, and for coin mining.

As written in https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/, the attackers abused the Zend3 feature (which loads classes from objects) of Zend Framework version 3.0.0 and higher to cause a deserialization issue. In the case of the FreakOut attacks, attackers sent a crafted POST request to /zend3/public with a serialized payload containing a callback parameter, and injected commands to be executed into the serialized callbackOptions parameter in place of the normal array.

There is also a nice analysis of this vulnerability at https://github.com/Ling-Yizhou/zendframework3-/blob/main/zend%20framework3%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%20rce.md should you wish to dive further into the gory details of the bug. This is written in Chinese though so you might need to translate it first.

As there is a lot of information on this vulnerability out at the moment, I am rating this as a high probability of exploitability not because it's a complex bug, but purely because, given Checkpoint Research's write-up, all an attacker has to do is write a sample request from the screenshot provided, and they will be able to replicate the bug and craft a working exploit. Otherwise this would normally have a lower exploitability rating as deserialization bugs are not always that simple to exploit.

Additionally, the bigger concern here is that there is no patch for this vulnerability for the Zend Framework to the best of my knowledge, since it is no longer supported by its developers. Users who are affected by this vulnerability are therefore encouraged to migrate to a different framework as soon as possible and severely limit interaction with any servers running Zend Framework in the meantime.

1
Technical Analysis

Please see the Rapid7 analysis. CVE-2021-3007 is being used in the “FreakOut” attack campaign.

General Information

Technical Analysis

Description

On January 2, 2021, security researcher Ling Yizhou published research detailing a remote code execution (RCE) vulnerability in Zend Framework 3.0.0. The vulnerability is also present in Zend Framework’s successor, the Laminas Project, and stems from how the frameworks can be configured to deserialize PHP objects insecurely. It must be noted that neither Zend nor Laminas is vulnerable out of the box.

According to a CheckPoint research blog, CVE-2021-3007 is being exploited in the wild by malicious actors to create an IRC botnet. This attack campaign has been dubbed “FreakOut.”

Affected products

  • Laminas Project laminas-http before 2.14.2
  • Zend Framework 3.0.0

Rapid7 analysis

As Bleeping Computer describes:

While the actual untrusted deserialization has to come from a vulnerable application and does not exist in Zend Framework itself, the chain of classes provided by Zend allows an attacker to achieve RCE.

As does the PoC:

Zend framework3 itself has no point to trigger deserialization, so we need to construct a vulnerability demo by ourselves to verify the PoC.

The affected products are not vulnerable by default. The PoC instructs you to insert the following lines into module/Application/src/Controller/IndexController.php in order to trigger the vulnerability:

// Deliberately vulnerable: the raw POST value is passed straight to unserialize()
$data = $this->getRequest()->getPost('hello');
unserialize(base64_decode($data));

The vulnerability can only be exploited—in this case—when Zend deserializes the data passed through the hello parameter in a POST request.

The attacker must know an endpoint and parameter combination that accepts serialized data in order to exploit the vulnerability. It is likely mature applications will accept serialized data somewhere in the application and therefore be vulnerable. It is also likely attackers will be able to find those attack vectors with a bit of determination.
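The PoC's two controller lines beside a hardened replacement, as an added example that is not part of the AttackerKB page or Rapid7's analysis; it assumes PHP 7.0 or later for the allowed_classes option, and the sample payloads at the bottom are constructed.

```php
<?php
// Vulnerable pattern from the PoC: the raw POST value reaches unserialize(),
// so any autoloadable class with a __destruct/__wakeup gadget (here
// Zend\Http\Response\Stream) is instantiated with attacker-chosen properties.
function decodeUntrusted(string $data)
{
    return unserialize(base64_decode($data));
}

// Hardened drop-in for the same controller lines (assumes PHP >= 7.0).
function decodeUntrustedSafe(string $data)
{
    // Strict mode rejects anything that is not canonical base64.
    $raw = base64_decode($data, true);
    if ($raw === false) {
        throw new InvalidArgumentException('payload is not valid base64');
    }
    // allowed_classes => false turns every object into __PHP_Incomplete_Class,
    // so no application class is loaded and no destructor gadget runs.
    $value = @unserialize($raw, ['allowed_classes' => false]);
    // Defense in depth: refuse the payload entirely if it carried any object.
    if (containsObject($value)) {
        throw new InvalidArgumentException('serialized objects are not accepted');
    }
    return $value;
}

// Recursively checks a decoded value for objects (including incomplete ones).
function containsObject($value): bool
{
    if (is_object($value)) {
        return true;
    }
    foreach (is_array($value) ? $value : [] as $item) {
        if (containsObject($item)) {
            return true;
        }
    }
    return false;
}

// Constructed samples: a benign array and a payload smuggling an object.
$benign     = base64_encode(serialize(['hello' => 'world']));
$withObject = base64_encode(serialize(['hello' => new stdClass()]));
var_dump(decodeUntrustedSafe($benign));
try {
    decodeUntrustedSafe($withObject);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Where the application controls the client, replacing PHP serialization with json_decode() removes the class-instantiation surface altogether.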

Guidance

Zend Framework or Laminas Project customers who have instances that are internet-facing should strongly consider investigating their environments for signs of compromise and suspicious activity. We also urge all defenders to ensure both of the affected products are not exposed to the internet until the appropriate patches have been applied.
