¡¾·ì϶¹«¸æ¡¿CVE-2021-3007 Zend FrameworkÔ¶³Ì´úÂëÖ´Ðзì϶

°ä²¼¹¦·ò 2021-01-05

0x00 ·ì϶¸ÅÊö

CVE  ID

CVE-2021-3007

ʱ  ¼ä

2021-01-05

Àà   ÐÍ

RCE

µÈ  ¼¶

¸ßΣ

Ô¶³ÌÀûÓÃ

ÊÇ

Ó°ÏìÁìÓò

Zend Framework 3.0.0

 

0x01 ·ì϶ÏêÇé

image.png

Zend Framework (ZF)ÊÇZend¹«Ë¾ÍƳöµÄÒ»Ì×ʹÓà PHP 5 À´¿ª·¢ web·¨Ê½ºÍ·þÎñµÄ¿ªÔ´¿ò¼Ü¡£

2021Äê01ÔÂ03ÈÕ £¬Zend Framework 3.0.0±»Åû¶һ¸öÔ¶³Ì´úÂëÖ´Ðзì϶£¨CVE-2021-3007£©¡£

¸Ã·ì϶ÊDz»³ÉÐŵķ´ÐòÁл¯Ôì³ÉµÄ¡£µ±ÀûÓ÷¨Ê½´ÓÓû§»òϵͳ½Ó¹ÜµÄÐòÁл¯Êý¾ÝÔÚ±»ÀûÓ÷¨Ê½·´ÐòÁл¯Ö®Ç°Î´µÃµ½ÕýÈ·Ñé֤ʱ½«µ¼Ö·´ÐòÁл¯·ì϶ £¬ÀûÓ÷¨Ê½¿ÉÄܻᷴÐòÁл¯ºÍ´¦Öýӹܵ½µÄÌåʽ²»ÕýÈ·µÄÊý¾Ý £¬Õâ¿ÉÄܻᵼÖÂÀûÓ÷¨Ê½±ÀÀ£¡£³É¹¦ÀûÓô˷ì϶µÄ¹¥»÷ÕßÄܹ»ÔÚijЩÇé¿ö϶ÔPHPÀûÓ÷¨Ê½Ô¶³ÌÖ´ÐдúÂë¡£¸Ã·ì϶ÓëStream.phpÖÐZend\Http\Response\StreamÀàµÄ__destruct²½ÖèÓйØ¡£

 

·ì϶ϸ½Ú

¸Ã·ì϶À´×ÔStreamÀàµÄÎö¹¹º¯Êý¡£ÔÚÃæÏò¶ÔÏóµÄ±à³ÌÖÐ £¬»ú¹Øº¯ÊýºÍÎö¹¹º¯ÊýÊÇÔÚ´´½¨ºÍÏú»ÙеÄÀà¶ÔÏóʱ³½±ðŲÓõIJ½Öè¡£

ºÃ±È £¬Ð´´½¨µÄ Stream¶ÔÏó½«Í¨¹ý»ú¹Øº¯Êý°´Æä¸ÅÏëÔËÐÐһϵÁкÅÁî £¬Ò»µ©¶ÔÏóÔÚÕû¸ö·¨Ê½Ö´Ðй¤×÷Á÷³ÌÖÐʵÏÖ¹¤×÷ £¬PHPÚ¹ÊÍ·¨Ê½½«×îÖÕŲÓøöÔÏóµÄÎö¹¹º¯Êý £¬²¢×ñÑ­ÁíÒ»×éºÅÁîÀ´¿ªÊÍÄÚ´æ¡¢Ö´ÐÐËãÕʹ¤×÷²¢É¾³ýËùÓÐһʱÎļþ¡£

StreamµÄÎö¹¹º¯ÊýŲÓÃunlink£¨£©²½ÖèÀ´É¾³ýÎļþ £¬¸Ã²½ÖèʹÓÃÎļþÃû×÷ΪstringÀàÐ͵IJÎÊý¡£

image.png

¶øÏÖʵÉÏ £¬¼´±ãstreamName¶ÔÏóΪ·ÇstringÀàÐÍ £¬ÔÚÀûÓ÷¨Ê½Ö´ÐÐʵÏÖʱÈԻὫÆä´«µÝ¸øÎö¹¹º¯Êý¡£

Òò¶ø £¬Îö¹¹º¯Êý½«³¢ÊÔŲÓøöÔÏóµÄ__toString²½Öè £¬ÒÔ»ñÈ¡Æä×Ö·û´®Öµ¡£

µ«ÊÇ £¬__toString²½ÖèÄܹ»ºÜÈÝÒ×µØÓɶÔÏóµÄ´´½¨Õß×Ô½ç˵ £¬»òÕ߸üÈ·ÇеØËµÊÇÓɶÔÏóÊ·ý»¯µÄÀàµÄ´´½¨Õß×Ô½ç˵¡£

Zend FrameworkµÄGravatarÀàÖÐµÄ __toString²½ÖèÓÉÆä·¨Ê½Ô±±àдµÄ £¬ÆäÄܹ»·µ»Ø¹¥»÷ÕßÄܹ»Ö±½Ó½ÚÔìµÄÖµ £¬×îÖÕÄܹ»Ô¶³ÌÖ´ÐÐËÁÒâ´úÂë¡£

 

Ôڸ÷ì϶µÄPoCÖÐ £¬×êÑÐÈËÔ±ÑÝʾÁËWebÀûÓ÷¨Ê½µÄphpinfoÒ³ÃæÈôºÎ³É¹¦½âÎöͨ¹ýÐòÁл¯HTTPÒªÇ󴫵ݵÄϵͳºÅÁî¡° whoami¡± £¬²¢·µ»ØWindowsÕÊ»§Ãû³Æ¡° nt Authority \system¡±¡£

image.png

 

0x02 ´ëÖý¨Òé

Ŀǰ £¬Zend FrameworkÏîÄ¿ÒѾ­Ç¨áãµ½LaminasÏîÄ¿ £¬ÇÒZend Framework²»ÔÙÊܵ½Ö§³Ö £¬½¨ÒéǨáãÖÁLaminasÏîÄ¿»òʹÓÃZend Framework 3.0.0ÒÔ±íµÄÆäËü°æ±¾¡£

ÏÂÔØÁ´½Ó£º

https://framework.zend.com/

 

0x03 ²Î¿¼Á´½Ó

https://www.bleepingcomputer.com/news/security/zend-framework-remote-code-execution-vulnerability-revealed/

https://github.com/Ling-Yizhou/zendframework3-/blob/main/zend%20framework3%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%20rce.md

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3007

 

0x04 ¹¦·òÏß

2021-01-03  Ling YizhouÅû¶·ì϶

2021-01-05  VSRC°ä²¼°²È«¹«¸æ

 

0x05 ¸½Â¼

 

CVSSÆÀ·Ö³ß¶È¹ÙÍø£ºhttp://www.first.org/cvss/

image.png