Drupal Remote Code Execution Vulnerability (CVE-2018-7600)

  • Source: SANGFOR Security Center
  • Date Published: 2018-05-04

Summary

On March 28, 2018, a highly critical remote code execution vulnerability (CVE-2018-7600) in the popular open-source Drupal CMS was disclosed.

Definition From Encyclopedia

Drupal is an open-source content management framework (CMF) written in PHP, consisting of a content management system (CMS) and a PHP framework. The framework comprises powerful PHP class and function libraries and an abstract Drupal API in Drupal core. Because Drupal CMS has powerful features that can be configured flexibly, it is used by a wide variety of websites, from personal blogs to community-driven sites. In addition, Drupal employs cutting-edge technology to ensure code security and robustness. As a result, many foreign governments and institutions build their websites on Drupal CMS, such as the White House, the United States Department of Commerce, the New York Times and Sony, as well as many Chinese universities.

Summary

According to the official announcement by Drupal, the affected versions include Drupal 6.x, Drupal 7.x and Drupal 8.x. The vulnerability has a wide impact: according to official statistics from Drupal, over one million websites around the globe use Drupal CMS, which accounts for 9% of CMS-based websites. Additionally, because the vulnerability can be exploited very easily, attackers can gain access to unpublished data or take over a Drupal website just by accessing a URL, without providing any logon credentials.

In Drupal 7.58, a new file, request-sanitizer.inc, is added under /includes, and some existing .inc files are updated. The 'sanitize' feature in request-sanitizer.inc receives inputs passed via GET, POST and Cookie, and sanitizes them to prevent risky operations.

Risky operations are filtered by the main function (stripDangerousValues). When the input is an array, that function checks every parameter name in the array that starts with the special character (#). Finally, the function removes that character (#), saves the parameters back to the array, and returns the new parameters to the function that called it.

As Drupal core can receive an array object as a response parameter and does not filter arrays, attackers can exploit this flaw by using an array that carries a payload.
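A sketch of this kind of filter, as an added example that is not from the original advisory and is not Drupal's own code: it walks a nested request array and drops every entry whose name begins with #, recording what it removed. The function name strip_hash_keys, the allow-list parameter and the sample request are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Recursively drop array entries whose key begins with '#'.
 * Hypothetical helper for illustration; not Drupal's own code.
 */
function strip_hash_keys($input, array $allowed, array &$removed)
{
    if (!is_array($input)) {
        return $input; // scalars carry no parameter names to inspect
    }
    foreach ($input as $key => $value) {
        // Integer keys (plain list items) cannot start with '#'.
        if (is_string($key) && strncmp($key, '#', 1) === 0
            && !in_array($key, $allowed, true)) {
            unset($input[$key]);   // drop the entry and everything under it
            $removed[] = $key;     // remember it for logging
        } else {
            // Descend: a '#' key can sit at any depth of a nested array.
            $input[$key] = strip_hash_keys($value, $allowed, $removed);
        }
    }
    return $input;
}

// Constructed sample of a parsed request; the '#...' names are placeholders.
$request = [
    'name' => 'alice',
    'mail' => [
        'value' => 'user@example.com',
        '#constructed_key' => ['x'],
        'nested' => ['#another_constructed_key' => 'y', 0 => 'kept'],
    ],
];

$removed = [];
$clean = strip_hash_keys($request, [], $removed);

print_r($clean);
if ($removed) {
    // Report what was dropped so the attempt is visible in the logs.
    error_log('Dropped request keys: ' . implode(', ', $removed));
}
```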

Vulnerability Reproduction 

The introduction above may be somewhat technical. To give you an intuitive view of the vulnerability and the attack process, we reproduce the vulnerability below.

Since this flaw exists in earlier versions of Drupal CMS, we built a website using Drupal 8.4.5.

Create a new account by visiting http://xxx.xxx.xxx.xxx/user/register

Since the email field is not cleared after being passed as a parameter, attackers can construct an array containing a malicious command, which is submitted by means of an AJAX call and subsequently executed.

[Screenshot]

The above screenshot shows that, after the constructed array is passed, a response packet is returned containing the output of the ID command, indicating that the array with the malicious command was successfully executed.

To prevent attacks by this means, you may clear the arrays passed via the hash tag. (This method is used in the patches released by Drupal. Please upgrade ASAP.)

Affected Versions

Drupal 6

Drupal 7

Drupal 8


Solution

If you are running Drupal 6.x, visit the link below:

https://www.drupal.org/project/d6lts 

If you are running Drupal 7.x, upgrade it to Drupal 7.58.

If you are unable to update immediately, fix the vulnerability by applying the patch released by Drupal for Drupal 7.x. Visit the link below to get the patch:

https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=2266d2a83db50e2f97682d9a0fb8a18e2722cba5

If you are running Drupal 8.5.x, upgrade it to Drupal 8.5.1.

If you are unable to update immediately, fix the vulnerability by applying the patch released by Drupal for Drupal 8.5.x. Visit the link below to get the patch:

https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f

Drupal no longer supports Drupal 8.3.x and 8.4.x. However, given the potential severity of this vulnerability, Drupal has released a corresponding patch, which is the same as the one for version 8.5.x. Visit the link below to get the patch:

https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f

Since Drupal 8.3.x and 8.4.x are no longer supported, it is recommended to upgrade to Drupal 8.3.9 or Drupal 8.4.6.

Sangfor Solution

For Sangfor NGAF customers, update the security databases to the latest version.