CVE-2021-47667
📋 TL;DR
This CVE describes an unauthenticated remote OS command injection vulnerability in ZendTo file transfer software. Attackers can execute arbitrary commands on the server by sending specially crafted POST requests with shell metacharacters in the tmp_name parameter. All ZendTo installations running vulnerable versions are affected.
💻 Affected Systems
- ZendTo
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise allowing attackers to execute arbitrary commands with web server privileges, potentially leading to data theft, ransomware deployment, or complete server takeover.
Likely Case
Remote code execution leading to web shell installation, data exfiltration, or lateral movement within the network.
If Mitigated
Limited impact if proper network segmentation, web application firewalls, and least privilege principles are implemented.
🎯 Exploit Status
Exploitation requires only HTTP POST requests with crafted parameters. Public proof-of-concept code exists.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.10-7 and later
Vendor Advisory: https://github.com/zendto/zendto/releases/tag/6.10-7
Restart Required: Yes
Instructions:
1. Back up the current ZendTo installation and configuration.
2. Download ZendTo version 6.10-7 or later from GitHub.
3. Replace the vulnerable lib/NSSDropoff.php file with the patched version.
4. Restart the web server service (Apache/Nginx).
5. Verify functionality.
🔧 Temporary Workarounds
Web Application Firewall Rule
Block requests containing shell metacharacters in the tmp_name parameter
# Example ModSecurity rule:
SecRule ARGS:tmp_name "[;|&`$()]" "id:1001,phase:2,deny,status:403,msg:'ZendTo CVE-2021-47667 exploit attempt'"
# For cloud WAFs: create a rule blocking the patterns ; | & ` $ ( ) in POST parameters
Temporary Disable Dropoff Feature
Disable the vulnerable dropoff functionality until patched
# Rename or move the vulnerable file:
mv /path/to/zendto/lib/NSSDropoff.php /path/to/zendto/lib/NSSDropoff.php.disabled
# Or modify .htaccess to block POST to dropoff:
RewriteCond %{REQUEST_METHOD} POST [NC]
RewriteCond %{REQUEST_URI} ^/dropoff [NC]
RewriteRule .* - [F,L]
🧯 If You Can't Patch
- Implement strict network segmentation to isolate ZendTo server from critical systems
- Deploy web application firewall with rules blocking shell metacharacters in POST parameters
🔍 How to Verify
Check if Vulnerable:
Check the ZendTo version and examine lib/NSSDropoff.php for proper input validation. Vulnerable versions pass the tmp_name parameter to shell_exec without sanitizing it.
Check Version:
grep -r "ZendTo Version" /path/to/zendto/ || cat /path/to/zendto/VERSION.txt
Verify Fix Applied:
Verify that the ZendTo version is 6.10-7 or later and that lib/NSSDropoff.php validates and escapes the tmp_name parameter before it reaches shell_exec.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /dropoff with shell metacharacters (;, |, &, `, $) in parameters
- Unusual process execution from web server user
- Failed command execution attempts in web server error logs
Network Indicators:
- POST requests to /dropoff endpoint with unusual parameter values
- Outbound connections from web server to unexpected destinations
SIEM Query:
source="web_server_logs" AND (uri_path="/dropoff" AND http_method="POST" AND (param_value="*;*" OR param_value="*|*" OR param_value="*&*" OR param_value="*`*" OR param_value="*$*"))
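As an added illustration of the log and network indicators above (example code, not part of this advisory or of ZendTo), the following Python applies the same check as the SIEM query, a POST to /dropoff carrying shell metacharacters, to request records whose form body is URL-decoded first, so an encoded ";" (%3B) is caught as well. The sample records are constructed.

```python
import re
from urllib.parse import parse_qs

# Shell metacharacters listed in the advisory's log indicators and WAF rule.
SHELL_META = re.compile(r"[;|&`$()]")


def suspicious_params(method: str, path: str, body: str) -> list[str]:
    """Return the names of form parameters in a POST to /dropoff whose
    URL-decoded values contain shell metacharacters.

    tmp_name is the parameter this CVE concerns, but every parameter is
    checked because the SIEM query above is equally broad."""
    if method.upper() != "POST" or not path.startswith("/dropoff"):
        return []
    # parse_qs decodes %xx escapes, so an injected '&' sent as %26 is seen
    # as a metacharacter instead of a field separator.
    params = parse_qs(body, keep_blank_values=True)
    return sorted(name for name, values in params.items()
                  if any(SHELL_META.search(v) for v in values))


# Constructed sample records (method, path, form body); not real traffic.
SAMPLE_REQUESTS = [
    ("POST", "/dropoff", "tmp_name=upload.bin&name=report.pdf"),  # benign
    ("POST", "/dropoff", "tmp_name=x%3Bid&name=report.pdf"),      # encoded ';'
    ("GET", "/dropoff", "tmp_name=x;id"),                         # not a POST
    ("POST", "/pickup", "tmp_name=x|id"),                         # other endpoint
]


def scan(requests):
    """Return (index, flagged parameter names) for each matching request."""
    findings = []
    for i, (method, path, body) in enumerate(requests):
        hits = suspicious_params(method, path, body)
        if hits:
            findings.append((i, hits))
    return findings


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_REQUESTS):
        print(f"request {i}: shell metacharacters in {hits}")
```

Ordinary access logs do not record POST bodies, so this check needs request bodies from a WAF audit log, a reverse proxy configured to log them, or the application itself.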