Drupal Core Remote Code Execution (CVE-2018-7602)
A new critical Remote Code Execution vulnerability in Drupal core was published. This new vulnerability is similar to CVE-2018-7600, also known as “Drupalgeddon 2”. It was found that the sanitation function that was added to address the “Drupalgeddon 2” vulnerability is not covering the case where a parameter contains a path that may be parsed by Drupal’s Forms API. Such case was found when deleting a node in Drupal (a Drupal node can be any content submitted to the site such as Article, page, etc). When submitting the node delete request, Drupal passes a “destination” parameter with a URL to redirect to when the deletion process finishes and this is where an attacker can inject his payload. Although the vulnerability was classified by Drupal as “Highly Critical”, to exploit this vulnerability the attacker is required to have permission for at least deleting content from the vulnerable Drupal site. Figure 1: Node deletion request attempting to exploit CVE-2018-7602 The patch submitted by Drupal’s developers added the “checkDestination” function to the “RequestSanitizer.php” file that checks if a “destination” parameter exists in the request and checks whether it contains dangerous values such as array keys starting with “#” (e.g. “http://URL/?destination=URL?param[#]=”). if it finds such dangerous values, it removes the “destination” parameter from the request. Figure 2: RequestSanitizer.php github commit fixing the vulnerability. Mitigating the vulnerability with BIG-IP ASM BIG-IP ASM customers under any supported BIG-IP version are already protected against this vulnerability. The exploitation attempt will be detected by the existing “Drupalgeddon 2” signature. Figure 3: Exploit blocked with attack signature 200004440
Drupal Core SA-CORE-2018-002 Remote Code Execution Vulnerability
The Drupal community woke up to a worrisome morning with the SA-CORE-2018-002 security advisory (CVE-2018-7600). The highly critical vulnerability mentions remote code execution vulnerability applicable to multiple Drupal core subsystems. The vulnerability resides in the Drupal core, which means all installations of Drupal, regardless of any installed plugin, are vulnerable. Drupal is reporting on over a million installs across the internet: https://www.drupal.org/project/usage/drupal Open-Source Investigation The security advisory does not mention full details regarding the vulnerability, nor have any publicly available exploits been spotted in the wild yet. However, due to the open-source nature of Drupal, security researchers are able to understand the context of the change using the git commit. The code change shows an alarmingly named library added to the code: request-sanitizer.inc. The main function in the library is called “stripDangerousValues”. This gives an obvious hint that there are user input sanitization issues with Drupal. This means that user input could end up unsafely evaluated in unprotected code execution methods – or in other words, arbitrary remote code execution.A deeper look at the code change shows a specific issue with Form API handling of attributes such as #type, #description and more. Therefore, an example exploit may look similar to the following: index.php?page['#payload']=home.php Source: https://blog.appsecco.com/remote-code-execution-with-drupal-core-sa-core-2018-002-95e6ecc0c714 ASM Mitigation ASM is able to detect this attack vector using the “SQL-INJ "' #" (SQL comment) (Parameter)” signature: Nonetheless, an ASU containing signatures specific for this vulnerability has been released and ready for download. The relevant signature IDs are: 200004423, 200004424, 200004440, 200004441, 200004442, 200004443, 200004444.
DRUPAL Critical SQLI (CVE-2014-3704)
Drupal is an open source framework written in PHP and is ranked as the third most popular content management system by W3Techs. It has introduced a database abstraction API to prevent SQL injection attacks, so only sanitized queries will be executed. However, recently a highly critical SQL injection vulnerability was discovered in the API itself allowing attackers to execute arbitrary SQL queries. Successful exploitation may result in a complete system compromise. Several exploits are already published. Most are exploiting this vulnerability to create an administrative account. Mitigation using F5 ASM Attack Signatures While running the SQLI exploit on an ASM protected application the attacker will be blocked by generic SQL injection signatures. Those signatures are part of the generic signature set that is assigned to any security policy by default. The injection is inside a parameter name called “name”. An example exploit vector will update the “users” table with a user named “owned”. The vulnerable parameter “name” will contain following SQL query: name[0 ;update users set name='owned' , pass = <hash> where uid = '1';;# ]=test3 This exploit will trigger 3 signatures. Two of them (200002289, 200002248) will catch the attempt to update a certain table, while one (200005005) catches the attempt to specify the “uid” attribute (specifying user id), which is used in LDAP injection attacks as well.Drupal 8 REST Module Remote Code Execution (CVE-2019-6340)
In the recent days Drupal released a security advisory regarding a new highly critical risk vulnerability affecting Drupal 8 instances. The vulnerability may allow unauthenticated users to execute arbitrary code by forcing the vulnerable Drupal 8 instance to unserialize an arbitrary PHP serialized object via a crafted request to aREST API endpoint. The exploited API endpoint isaccessible to unauthenticated users by default on instances wherethe RESTful Web Services module is enabled. Mitigating the vulnerability with BIG-IP ASM BIG-IP ASM customers under any supported BIG-IP version are already protected against this vulnerability. The exploitation attempt will be detected by existing PHP code injection attack signatures which can be found in signature sets that include the “Server Side Code Injection” attack type or “PHP” System. Figure 1: Exploit blocked with attack signature 200004268 Figure 2: Exploit blocked with attack signature 200004188 Additional Reading https://www.drupal.org/sa-core-2019-003 https://www.ambionics.io/blog/drupal8-rceDrupal 7.X Services Module Unserialize Vulnerability
An advisory has been published regarding a critical 0-day unauthenticated RCE (Remote Code Execution) vulnerability in the Drupal System. Drupal is a free and open source content-management framework written in PHP, and it provides a back-end framework for at least 2.2% of all Web sites worldwide. The vulnerability resides in the services module of Drupal which is a popular solution for building API’s in order to allow external clients to communicate with Drupal. Drupal’s services module allows enabling the /user/login resource to allow login via JSON or XML. One of the features of Drupal’s services module is that it supports multiple input formats, which the user can specify by setting the Content-Type header of the HTTP request. One of those formats is “application/vnd.php.serialized” which means the user is allowed to send his credentials in a serialized PHP object, which will get unserialized by the Drupal services module. By sending a specially crafted serialized object attackers may trigger a SQL Injection vulnerability, which may later lead to Remote Code Execution. Mitigation with Big-IP ASM ASM customers are already protected against this vulnerability. While exploiting this vulnerability, attackers will try to send a malicious PHP serialized object which contains a SQL Injection payload. The exploitation attempt will be detected by multiple existing PHP Object Serialization and SQL Injection attack signatures. Figure 1:Exploit blocked with Attack Signature (200004188) Figure 2:Exploit blocked with Attack Signature (200000073) Figure 3:Exploit blocked with Attack Signature (200000082)
