Drupalgeddon 2
Drupalgeddon 2 (CVE-2018-7600) stems from insufficient input validation in the Drupal 7 Form API. It affects all Drupal 7.x versions before 7.58, 8.3.x versions before 8.3.9, 8.4.x versions before 8.4.6, and 8.5.x versions before 8.5.1. First discovered in March 2018, the vulnerability can be triggered remotely on default and common Drupal installations, leading to remote code execution (RCE). The Drupal team fixed the flaw in the same month. At the time of discovery, it was estimated that more than one million websites were vulnerable and, although the patch was issued over a year ago, many website owners appear to have failed to apply it, leaving their sites exposed.
Shodan search for Drupal 7 CMS instances exposed on the internet; some of them may still be vulnerable.
Background
The root cause of this vulnerability lies in the Drupal theme rendering system. To create all of its UI elements, Drupal uses the Form API, a powerful tool that lets developers create forms and handle form submissions quickly and easily. To achieve this, the API uses a hierarchical associative array (a Render Array) containing the data to be rendered, together with properties that establish how that data should be rendered.
Below is a Render Array:
You can see the associative array. It contains two elements (first_para and second_para), each with several parameters. A parameter key can be identified because it always starts with the hash (#) symbol. The #type parameter specifies the type of HTML element (checkbox, textarea, etc.) and the #markup parameter sets the HTML that will be output on the form.
The array in the example above is then recursively parsed by the Render API and converted into HTML, as shown below.
There are many other parameters that can be used with forms. Some of them provide a way to post-process the rendered output by re-parsing it through a user-supplied function. According to the Drupal API documentation, this can be used to cache a view while still producing some level of dynamic output.
In an ideal world, the actual output includes HTML-comment-based tokens, and the post-processing step replaces those tokens. However, if the user-supplied callback function is not properly validated, an attacker may be able to insert functions such as exec, system or eval to execute system commands and take over the server. The following four Form API parameters accept callback functions and can be leveraged to exploit CVE-2018-7600:
- #post_render
- #pre_render
- #access_callback
- #lazy_builder
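The callback mechanism described above, together with the two defensive checks that neutralise it, as an added PHP example that is not Drupal's code: the renderer is a simplified stand-in for the Render API, the function names are hypothetical, and the request body is constructed; the sanitizer mirrors the approach of the official fix, which drops #-prefixed keys from incoming request data before they can reach a render array.

```php
<?php
// Added example, not Drupal's code: a toy renderer showing how #post_render
// callbacks are applied, plus the two controls that break the attack chain:
// strip '#' keys from request input, and only invoke allowlisted callbacks.

// Recursively drop any key starting with '#' from request data.
function sanitize_request_input(array $input, array &$dropped = []): array
{
    $clean = [];
    foreach ($input as $key => $value) {
        if (is_string($key) && $key !== '' && $key[0] === '#') {
            $dropped[] = $key;   // worth logging: a '#' key in a request is a probe indicator
            continue;
        }
        $clean[$key] = is_array($value) ? sanitize_request_input($value, $dropped) : $value;
    }
    return $clean;
}
// Simplified Render API step: emit #markup, then run each #post_render callback.
function render_element(array $element, array $allowed_callbacks): string
{
    $output = $element['#markup'] ?? '';
    foreach ($element['#post_render'] ?? [] as $callback) {
        // The check the vulnerable code path lacked: refuse unknown callables.
        if (!in_array($callback, $allowed_callbacks, true)) {
            throw new RuntimeException("refused #post_render callback: $callback");
        }
        $output = $callback($output, $element);
    }
    return $output;
}
// A legitimate, developer-defined post-render callback.
function wrap_in_div(string $html, array $element): string
{
    return "<div class=\"{$element['#class']}\">$html</div>";
}
$allowed = ['wrap_in_div'];

// Constructed request: a normal field plus an injected '#post_render' property
// (strtoupper stands in for whatever function an attacker would name).
$request = ['name' => 'alice', 'mail' => ['#post_render' => ['strtoupper'], 'value' => 'a@example.com']];
$dropped = [];
$safe = sanitize_request_input($request, $dropped);   // $safe now carries no '#' keys
echo 'dropped keys: ' . implode(', ', $dropped) . "\n";
// Developer-built render array: only the allowlisted callback runs.
$element = ['#markup' => 'Hello', '#class' => 'greeting', '#post_render' => ['wrap_in_div']];
echo render_element($element, $allowed) . "\n";
// An element carrying a non-allowlisted callback is refused, not executed.
try { render_element(['#markup' => 'x', '#post_render' => ['strtoupper']], $allowed); }
catch (RuntimeException $e) { echo $e->getMessage() . "\n"; }
```

Logging the dropped keys is the useful detection hook: legitimate form submissions never contain #-prefixed keys, so their presence in request data is a strong signal of a probe against this class of flaw.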
Drupalgeddon Honeypot
Drupal 7.54 running on Docker
Snort IDS
Elasticsearch
This part will be updated shortly.
Drupalgeddon VM exploitation (Lampiao vulnhub)
Exploits available in Metasploit database
Setting up Metasploit
Simple Exploitation resulting in RCE
Exploits available on GitHub