2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
What is the Drupal core remote code execution vulnerability, and how should it be analyzed and handled? Many people who have not dealt with it before do not know where to start, so this article summarizes the cause of the problem and the fix.
0x00 Vulnerability overview
On April 26th, Drupal officially released a new patch and security bulletin fixing the remote code execution vulnerability CVE-2018-7602. The vulnerability exists because the fix for CVE-2018-7600 in the March 28th update was incomplete: the patch can be bypassed, which can lead to arbitrary code execution.
CVE-2018-7602/CVE-2018-7600 have already been exploited in the wild, and some of the exploit code has been made public. 360-CERT has carried out a technical analysis of this vulnerability and recommends that users of the Drupal open source content management system update as soon as possible.
0x01 Vulnerability impact
Affected versions
Drupal 7.x, 8.x
Fixed versions
Drupal 7.59, Drupal 8.5.3, Drupal 8.4.8
Patches
Version 8.x
https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=bb6d396609600d1169da29456ba3db59abae4b7e
Version 7.x
https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=080daa38f265ea28444c540832509a48861587d0
Note: this patch only addresses CVE-2018-7602. For the CVE-2018-7600 fix, see:
CVE-2018-7600: Drupal core remote code execution vulnerability alert https://cert.360.cn/warning/detail?id=3d862f150b642421c087b0493645b745
0x02 Vulnerability details
The patch for CVE-2018-7600 sanitizes the data in a request (GET, POST, COOKIE, REQUEST) by filtering out input that carries a #.
However, Drupal also handles requests of the form path?destination=URL. The URL in destination=URL has to be URL-encoded when the request is made, so encoding the # inside that URL twice gets it past the filtering of the sanitize() function.
A specially constructed request bypasses the filtering code:
POST /drupal-7.59/drupal-7.59/node/9/delete?destination=node?q[%2523][]=passthru%26q[%2523type]=markup%26q[%2523markup]=whoami
Here %2523 is # URL-encoded twice.
The web middleware decodes %2523 to get %23.
This passes the check in sanitize() and the stripDangerousValues function.
When the Drupal application processes the destination URL, it decodes %23 again and gets #.
The destination is then parsed with parse_str and stored in options; additional steps are still needed to trigger the vulnerability.
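The decode sequence above can be turned into a log check that follows the destination parameter through its second decode and reports #-prefixed keys at each layer. This is an added example, not code from the original article or from Drupal; the names hash_keys, classify and MAX_DEPTH are assumptions, and all sample lines except the first are constructed.

```python
from urllib.parse import parse_qsl, urlsplit

MAX_DEPTH = 3  # assumption: nested destination layers to follow before giving up


def hash_keys(query, depth=0):
    """Return (depth, name) for every parameter whose key has a '#'-prefixed segment.

    depth 0 is the query after the web server's single decode (what the
    CVE-2018-7600 filter inspects); depth 1+ is what appears only after the
    destination value is decoded and parsed again.
    """
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        # "q[#type]" -> ["q", "#type"]; "q[#][]" -> ["q", "#", ""]
        segments = name.replace("]", "").split("[")
        if any(seg.startswith("#") for seg in segments):
            hits.append((depth, name))
        if name == "destination" and depth < MAX_DEPTH:
            # The destination value is itself a URL; its query is parsed later.
            inner_query = value.partition("?")[2]
            hits.extend(hash_keys(inner_query, depth + 1))
    return hits


def classify(request_line):
    """Label one 'METHOD target HTTP/x' request line from an access log."""
    target = request_line.split(" ")[1]
    hits = hash_keys(urlsplit(target).query)
    if any(depth > 0 for depth, _ in hits):
        return "nested"   # '#' key visible only after decoding destination again
    if hits:
        return "direct"   # '#' key visible after one decode; the 7600 filter sees it
    return "clean"


# Sample request lines: the first is the request shown above, the rest are constructed.
SAMPLES = [
    "POST /drupal-7.59/drupal-7.59/node/9/delete?destination=node?q[%2523][]=passthru%26q[%2523type]=markup%26q[%2523markup]=whoami HTTP/1.1",
    "GET /drupal-7.59/node/9?q[%23type]=markup HTTP/1.1",
    "GET /drupal-7.59/user/login?destination=admin/content?page=2%26sort=asc HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), "<-", line)
```

A "nested" result marks requests whose # keys appear only after the second decode, which is the case the CVE-2018-7600 filter does not see.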
0x03 Patch analysis
Adds security handling for the destination URL.
Restricts parse_str to processing only string parameters.
Adds handling to the file module, which may trigger the vulnerability.