An untrusted deserialization vulnerability disclosed this week shows how Zend Framework can be exploited by attackers to achieve remote code execution on vulnerable PHP sites.
This vulnerability, tracked as CVE-2021-3007, may also impact apps built with Laminas Project, Zend’s successor.
Zend Framework consists of PHP packages installed over 570 million times. The framework is used by developers to build object-oriented web applications.
The project has now disputed the vulnerability because exploitation requires vulnerable deserialization to take place within the developer’s app. However, Laminas has still issued a patch to “tighten security” in its framework.
From untrusted deserialization to RCE
This week, security researcher Ling Yizhou has disclosed how a particular gadget chain in Zend Framework 3.0.0 could be abused in untrusted deserialization attacks.
If exploited, the flaw could allow remote attackers to conduct remote code execution (RCE) attacks on vulnerable PHP applications under certain circumstances.
“Zend Framework 3.0.0 has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php,” states MITRE’s advisory for CVE-2021-3007.
While the actual untrusted deserialization has to come from a vulnerable application and does not exist in Zend Framework itself, the chain of classes provided by Zend allows an attacker to achieve RCE.
Untrusted deserialization vulnerabilities occur in applications when encoded data being received by the application from a user or a system is not properly validated before it is decoded by the application.
A vulnerable application may deserialize and process the received data of an improper format, which can have consequences ranging from application crashes (Denial of Service) to the attacker being able to run arbitrary commands in the context of the application.
In the case of Zend, the vulnerability stems from the destructor of the Stream class, which is a PHP magic method.
In object-oriented programming, constructors and destructors are methods that are respectively called when a new class object is created and destroyed.
For example, a newly created Stream object, in this case, would run a series of commands at its conception via the constructor.
Once the object has served its purpose throughout the program execution workflow, the PHP interpreter will eventually call the object’s destructor and follow another sequence of commands to free up memory, perform cleanup tasks and delete any temporary files, as a good practice.
Yizhou points out that the unlink() function called by Stream’s destructor to delete a file expects a filename as a parameter, which is of the string data type.
In effect, should the streamName object be of a non-string type, at the end of the application execution it would still get passed to the destructor.
The destructor, which only expects a string value, would therefore attempt to call the object’s __toString method to get its string-equivalent value.
But the __toString method can be easily customized by the creator of the object, or rather the creator of the class that the object instantiates.
As an example, Yizhou highlighted the __toString method in the Gravatar class of Zend Framework had been written by its programmers in such a way that it eventually returned values that the attacker had direct control over, to execute arbitrary code.
This means, should the Stream class be passed a Gravatar object where streamName is expected, under certain circumstances, the threat actor could run arbitrary commands within vulnerable PHP applications built with Zend.
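The mechanism described above, as an added PHP example that is not code from Zend, Laminas or the researcher: `Probe`, `LooseStream` and `StrictStream` are hypothetical stand-ins built for this illustration. The `is_string()` guard and the `allowed_classes` option are shown as general hardening measures and are assumptions, not the project's actual patch.

```php
<?php
// Constructed demo; Probe, LooseStream and StrictStream are hypothetical
// stand-ins, not Zend or Laminas classes.
final class Probe
{
    public static int $calls = 0;
    public function __toString(): string
    {
        self::$calls++;   // a real gadget would do attacker-influenced work here
        return sys_get_temp_dir() . '/gadget-demo-no-such-file';
    }
}

class LooseStream   // destructor pattern the article describes
{
    public $streamName;
    public function __destruct()
    {
        @unlink($this->streamName);   // an object operand is coerced via __toString()
    }
}

class StrictStream  // hardened: only a plain string ever reaches unlink()
{
    public $streamName;
    public function __destruct()
    {
        if (is_string($this->streamName)) {
            @unlink($this->streamName);
        }
    }
}

// Counts __toString() calls caused by unserializing a payload and destroying the result.
function toStringCallsFor(string $class, array $options = []): int
{
    $original = new $class();
    $original->streamName = new Probe();
    $payload = serialize($original);   // stands in for attacker-controlled bytes
    unset($original);                  // destroy the original first
    Probe::$calls = 0;                 // count only what the payload triggers
    $copy = unserialize($payload, $options);
    unset($copy);                      // destructor of the rebuilt object runs here
    return Probe::$calls;
}

printf("LooseStream,  default unserialize:      %d\n", toStringCallsFor('LooseStream'));
printf("StrictStream, default unserialize:      %d\n", toStringCallsFor('StrictStream'));
printf("LooseStream,  allowed_classes => false: %d\n", toStringCallsFor('LooseStream', ['allowed_classes' => false]));
```

The demo needs PHP 7.4 or later and relies on PHP's default coercive typing; under `declare(strict_types=1)` the object argument to `unlink()` raises a TypeError instead of being converted.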
The researcher demonstrated at least 2 scenarios in which it was possible to pass serialized objects to Zend, which when parsed by the PHP application would render the output of the attacker’s commands on the rendered webpages.
In a proof-of-concept (PoC) exploit, the researcher demonstrated how the web app’s phpinfo page successfully parsed his system command “whoami” passed through a serialized HTTP request, and returned the Windows account name, “nt authority\system.”
Apps built with Laminas may also be impacted
In January 2020, Zend Framework was migrated to the Laminas project, with a significant amount of code simply having been relocated to the newer codebase.
For example, Zend’s Stream.php class with the aforementioned destructor continues to exist in some versions of Laminas.
“The code may be related to Laminas Project laminas-http. Zend Framework is no longer supported by the maintainer. However, not all Zend Framework 3.0.0 vulnerabilities exist in a Laminas Project release,” states MITRE’s advisory.
While this does not necessarily indicate all applications built with the Laminas project are vulnerable, developers are advised to do their due diligence.
Considering PHP powers about 80% of internet sites in some capacity, and given the historic popularity of Zend Framework, developers are advised to thoroughly check their web applications for cases of untrusted object deserialization.
A similar gadget chain has been found in Yii Framework this week, which attackers can use to target vulnerable applications.
Performing thorough security audits of your applications is one way to spot zero-days and vulnerabilities specific to your environment from time to time.
Update 5-Jan-2021: Clarified the gadget chain in Zend Framework may aid in achieving RCE for an application vulnerable to untrusted deserialization.
Laminas Project has issued a minor security patch on GitHub to update the aforementioned destructor in Stream class, while disputing the CVE reported by Yizhou.
The project’s reasons for disputing the vulnerability and issuing a security enhancement have been outlined in the comments section below.