
Internet Bug Bounty: Drupal 7 pre auth sql injection and remote code execution

2014-10-17 10:50:36
shorst
hackerone.com

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.975 High

EPSS

Percentile

100.0%

Motivation

I found a SQL injection bug in Drupal < 7.32, which can lead to code execution.

You do not need a user account on, or any knowledge of, the targeted site.

Since Drupal is, as they state, used by “millions of websites and applications”, I thought about applying for this bug bounty.

The Bug

Drupal uses prepared statements to protect its SQL queries from injection. To handle IN clauses it has an expandArguments function, which uses the array keys to build the names of the placeholders:

foreach ($data as $i => $value) {
      [...]
      $new_keys[$key . '_' . $i] = $value;
}

The function assumes that it is called with an array that has only integer keys. Example:

db_query("SELECT * FROM {users} where name IN (:name)", array(':name' => array('user1', 'user2')));

This results in the SQL statement

SELECT * from users where name IN (:name_0, :name_1)

with the parameters name_0 = user1 and name_1 = user2.

The problem occurs if the array has keys that are not integers. Example:

db_query("SELECT * FROM {users} where name IN (:name)", array(':name' => array('test) -- ' => 'user1', 'test' => 'user2')));

This results in an exploitable SQL query:

SELECT * FROM users WHERE name IN (:name_test) -- , :name_test )

with the single bound parameter :name_test = user2; the first key, 'test) -- ', has been spliced into the SQL text as a placeholder name and turned the rest of the list into a comment.

Since Drupal uses PDO, multiple statements in one query are allowed. This SQL injection can therefore be used to insert arbitrary data into the database, dump or modify existing data, or drop the whole database.

With the ability to INSERT arbitrary data into the database, an attacker can execute arbitrary PHP code through a manipulated session and Drupal features that use callbacks.
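The following is an added example, not code from the report or from Drupal: a Python model of the placeholder expansion described above, written to show a defender why an array key must never become part of the SQL text. The function name expand_arguments, the patched flag, the bound_names_are_well_formed check and the sample inputs are all constructed for this illustration; the counter-based expansion selected by patched=True mirrors the approach Drupal 7.32 adopted (a running index instead of the array key). Table-prefix substitution of {users} is a separate Drupal step and is not modeled here.

```python
import re

# Constructed sample inputs, mirroring the two db_query() calls in the report.
QUERY = "SELECT * FROM {users} WHERE name IN (:name)"
BENIGN_ARGS = {":name": ["user1", "user2"]}
HOSTILE_ARGS = {":name": {"test) -- ": "user1", "test": "user2"}}

# A parameter name that PDO can bind safely: a colon followed by word characters.
WELL_FORMED_NAME = re.compile(r":\w+")


def expand_arguments(query, args, patched):
    """Model of Drupal 7's DatabaseConnection::expandArguments() (hypothetical port).

    `args` maps a placeholder such as ':name' to a scalar or to a list/dict of
    values.  Every list/dict value is expanded into one placeholder per element
    and the placeholder in `query` is replaced by the comma-separated list.

    patched=False: the suffix is the element's array key (the behaviour the
                   report describes), so a key like 'test) -- ' lands in the SQL.
    patched=True:  the suffix is a running counter, as in Drupal 7.32, so the
                   caller's keys never reach the SQL text.
    """
    args = dict(args)
    for key, data in list(args.items()):
        if not isinstance(data, (list, dict)):
            continue
        items = data.items() if isinstance(data, dict) else enumerate(data)
        new_keys = {}
        for i, (k, value) in enumerate(items):
            suffix = i if patched else k
            new_keys["%s_%s" % (key, suffix)] = value
        placeholder_list = ", ".join(new_keys)
        # Same idea as the PHP preg_replace('#:name\b#', ...) step.
        query = re.sub(re.escape(key) + r"\b", lambda _m: placeholder_list, query)
        del args[key]
        args.update(new_keys)
    return query, args


def bound_names_are_well_formed(args):
    """Defensive invariant: every name handed to the driver must be ':\\w+'.

    Anything else cannot be bound as a parameter and therefore must have been
    spliced into the SQL string, which is exactly the failure in the report.
    """
    return all(WELL_FORMED_NAME.fullmatch(name) for name in args)


if __name__ == "__main__":
    for label, args, patched in (
        ("benign, unpatched", BENIGN_ARGS, False),
        ("hostile keys, unpatched", HOSTILE_ARGS, False),
        ("hostile keys, patched", HOSTILE_ARGS, True),
    ):
        q, a = expand_arguments(QUERY, args, patched)
        print("%-24s %s" % (label, q))
        print("%-24s params=%r well_formed=%s" % ("", a, bound_names_are_well_formed(a)))
```

Running it prints the same rewritten statement the report shows for the hostile keys, with the well-formedness check failing only in the unpatched case. The invariant in bound_names_are_well_formed is the kind of assertion worth keeping in a database abstraction layer: if a parameter name is not a bindable token, the layer has already lost control of the query text.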

Advisory

https://www.sektioneins.de/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html

CVE Information

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2014-3704 to this vulnerability.

PoC

I included two PoCs. The first creates, with one request, a session that has admin privileges (user ID 1). The second executes code with only one request and destroys the session afterwards so as not to create a new database entry. Some parts of the second PoC were discovered with the help of my coworker Stefan Esser.
