Drupal Embedded Media Field Code Execution / Shell Upload

Type packetstorm
Reporter Justin C. Klein Keane
Modified 2010-12-09T00:00:00


                                            `-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
Details of this disclosure can also be found at  
Description of Vulnerability:  
- -----------------------------  
Drupal (http://drupal.org) is a robust content management system (CMS)  
written in PHP and MySQL. The Drupal Embedded Media Field module  
(http://drupal.org/project/emfield) "will create fields for content  
types that can be used to display video, image, and audio files from  
various third party providers" Unfortunately the Embedded Media Field  
module contains a vulnerability that could allow arbitrary file upload  
and potentially code execution. The proof of concept and patch detailed  
below only cover the upload of an image directly to the server, but a  
remotely sourced image could also be used to exploit this vulnerability.  
Systems affected:  
- -----------------  
Drupal 6.19 with Embedded Media Field 6.x-1.25 and CCK 6.x-2.8 was  
tested and shown to be vulnerable  
- ------  
Malicious users can upload arbitrary files with extensions other than  
.php, .pl, .py, .cgi, .asp, or .js. Many web servers support legacy PHP  
extensions not included in this list (such as .phtml, or .php3) which  
would allow attackers to upload and execute arbitrary PHP code.  
Attackers could also upload malicious documents or other material with  
virus payload and use these to attack other users or exploit flaws in  
file include vulnerabilities.  
Mitigating factors:  
- -------------------  
In order to exploit this vulnerability the attacker must have the  
ability to edit or create content of a content type with an embedded  
media field and custom thumbnail.  
Proof of concept:  
- -----------------  
1. Install Drupal 6-19, CCK module, and Embedded Media Field module  
version 6.x-1.25  
2. Enable the Content, Embedded Media Field, Embedded Audio Field, and  
Embedded Medi Thumbnail modules from ?q=/admin/build/modules  
3. Alter the default 'Story' content type at  
4. Add a 'New Field' in the form at the bottom of this page with the  
label 'audio' the field name 'field_audio' the type 'Embedded Audio' and  
the form element '3rd Party Aduio' then click the 'Save' button  
5. Configure the new video field from  
6. Select all content providers for convenience, ensure the 'Allow  
custom thumbnails for this field' checkbox is checked and click 'Save  
field settings' button at the bottom of the form  
7. Create a new piece of story content from ?q=node/add/story entering  
arbitrary values.  
8. Upload a test file called test.phtml as the custom image thumbnail.  
9. Click the 'Upload' button  
10. Although an error is displayed the file is still uploaded and  
available at sites/default/files/test.phtml by default  
Vendor Response  
- ----------------  
- --   
Justin Klein Keane  
The digital signature on this message can be confirmed using  
the public key at http://www.madirish.net/gpgkey  
Version: GnuPG v1.4.11 (GNU/Linux)  
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/