2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article shares an analysis report on the Drupal core remote code execution vulnerability. The editor thinks it is very practical and hopes you get something out of reading it.
0x00 Vulnerability overview
A few days ago, 360-CERT detected that details of the Drupal remote code execution vulnerability numbered CVE-2018-7600 had been released (see link 1 for details). The vulnerability was first officially disclosed by Drupal on March 28 (see link 3 for details), but without the vulnerability details. 360-CERT issued an early warning report promptly (see link 2 for details) and followed up. On April 13, 2018, the Check Point security team released a report on the technical details of this vulnerability (CVE-2018-7600); the exploit code has been made public.
Drupal is an open source PHP content management system used by more than 1 million websites around the world (including government, e-retail, business organizations, financial institutions, etc.). 360-CERT believes that this vulnerability has a serious impact and that the PoC may spread and be exploited widely within a short period of time. Users of the Drupal open source content management system are advised to update as soon as possible.
0x01 PoC analysis and technical details of the vulnerability
The Drupal Render API gives special treatment to array properties whose names begin with #.
Among them, #pre_render manipulates the array before rendering, #post_render receives the rendered result and adds wrappers to it, and #lazy_builder is used to add elements at the end of the render process.
Because Drupal handles the values of some of these # properties by passing them to call_user_func, the result is arbitrary code execution.
Vulnerability trigger process
In core\modules\file\src\Element\ManagedFile.php, the application uses uploadAjaxCallback to process the form from the user request and picks up the special variables in it that carry #. The getValue function traverses the form to fetch the variable with the # attribute.
The call to call_user_func in doRender then causes arbitrary code execution.
The call stack is as follows
0x02 Patch analysis and related notes
Patch analysis
The latest version filters the input of GET, POST and COOKIE requests.
All array input containing # is checked and filtered.
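The filtering described above can be sketched as follows. This is an added example, not Drupal's patch code: the function name strip_hash_keys, the sample request data and the callback name are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Recursively drop array keys that start with '#' from untrusted input.
 * Hypothetical helper for illustration; not Drupal's implementation.
 *
 * @param mixed    $input   Untrusted value (scalar or nested array).
 * @param string[] $removed Collects the path of every dropped key.
 * @param string   $path    Path of the current node, for reporting.
 * @return mixed Input with every '#'-prefixed key and its subtree removed.
 */
function strip_hash_keys($input, array &$removed, string $path = '')
{
    if (!is_array($input)) {
        return $input; // scalars cannot carry render properties
    }
    $clean = [];
    foreach ($input as $key => $value) {
        $here = $path === '' ? (string) $key : $path . '[' . $key . ']';
        // PHP turns numeric keys into integers, so cast before the check.
        if (strncmp((string) $key, '#', 1) === 0) {
            $removed[] = $here; // remember it so the attempt can be logged
            continue;           // drop the key together with its subtree
        }
        $clean[$key] = strip_hash_keys($value, $removed, $here);
    }
    return $clean;
}

// Constructed sample input standing in for $_GET, $_POST and $_COOKIE.
$sources = [
    'GET'    => ['q' => 'node/1', 'element' => ['#post_render' => ['placeholder_callback']]],
    'POST'   => ['name' => 'alice', 'profile' => ['bio' => 'hi', '#lazy_builder' => ['x', []]]],
    'COOKIE' => ['session' => 'abc123'],
];

foreach ($sources as $name => $data) {
    $removed = [];
    $sources[$name] = strip_hash_keys($data, $removed);
    foreach ($removed as $keyPath) {
        // A dropped key is worth a log line: normal clients never send one.
        error_log(sprintf('%s: dropped key %s', $name, $keyPath));
    }
}
var_export($sources); // only the keys without a leading '#' remain
```

The filter has to run before any form or render code reads the request, otherwise a later handler still sees the unfiltered arrays.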
Related notes
For Drupal version 8.x, the PoC can be used directly to carry out a remote code execution attack.
For Drupal version 7.x, the PoC is currently not usable because the relevant upload point was not found.