2025-03-04 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
This article explains in detail how two Drupal vulnerabilities can be chained to achieve a one-click RCE through malicious images. It is shared as a reference; after reading it you should have a working understanding of the issues involved.
Recently, Drupal released fixes for two critical vulnerabilities affecting versions 7.x and 8.x. An attacker can chain the two to achieve remote code execution, but must first upload a malicious image to the target server and then trick an authenticated administrator, through a series of forged links, into triggering the code execution. Although this path is roundabout, it is sufficient.
Exploit Demonstration
The two vulnerabilities, ZDI-19-130 and ZDI-19-291, can be used in combination to achieve one-click code execution. During account registration, an attacker can upload an image embedded with malicious code as an avatar, or through the comment section of a forum. Drupal sites that have disabled both user registration and user comments are not affected by this attack. Please upgrade your Drupal site to the latest version as soon as possible.
ZDI-19-130 is a PHP deserialization vulnerability that can be triggered through a request made by the site administrator to achieve remote code execution, while ZDI-19-291 is a persistent XSS vulnerability that can be used to force the site administrator's browser to send the malicious request that triggers ZDI-19-130.
For more information on how ZDI-19-130 can be exploited, see Thomas's presentation at this year's Black Hat [White Paper] or his presentation at BSidesMCR. In short, this is a new way to trigger PHP deserialization vulnerabilities through a Phar file: the Phar's metadata is stored as a serialized PHP object, and a file operation on the Phar file causes the server to run unserialize() on the stored metadata, which ultimately leads to remote code execution.
ZDI-19-291 is a vulnerability in Drupal's handling of uploaded file names, and it is related to PCRE (Perl-compatible regular expressions). When a user uploads a file, Drupal uses PCRE to rewrite the file name to avoid duplicates. However, if a file with a crafted name is uploaded multiple times, Drupal drops the file extension entirely, which allows an attacker to upload arbitrary HTML files.
Vulnerability Analysis, Attack Phase 1: ZDI-19-291
The PHP snippet used to test the relevant part of Drupal's source code is available here: [link].
According to the source comments, the following code attempts to remove ASCII control characters (byte values below 0x02) from file names by replacing them with underscores ('_'). The '/u' modifier tells the PHP engine to process the PCRE pattern and the subject string as UTF-8:
Test results for the first phase of the attack:
Here the \xFF byte is invalid and the \x80 byte is a continuation byte with no valid start byte, so PHP raises PREG_BAD_UTF8_ERROR and the $basename variable is set to NULL.
In the Drupal source code, the return value of preg_replace() is not checked for errors. When an image whose filename contains invalid UTF-8 is uploaded to Drupal twice, the function continues with the NULL $basename and treats it as an empty string. It finally returns $destination, which is the result of '_' . $counter++.
This allows an attacker to upload a GIF image to the Drupal site via the user registration feature, and Drupal stores the image at the following path:
/sites/default/files/pictures//_0
instead of the default path:
/sites/default/files/pictures//profile_pic.gif
Although the application checks the attributes of uploaded images, adding the text "GIF" or ".gif" is already enough to satisfy that check.
Another method is to upload the malicious GIF file through the comment editor, in which case it is stored at /sites/default/files/inline-images/_0. This requires the attacker to register a user account before commenting on an article.
By uploading a malicious GIF/HTML polyglot to the Drupal server, an attacker can make browsers render the file as an HTML page:
At this point, the attacker has a persistent XSS on the targeted Drupal site. Using it, the attacker can force users with administrator privileges to send the malicious request needed for the second stage of the attack.
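The following PHP code is an added example; it is neither Drupal's own code nor the researchers' PoC. It is a stripped-down model of the filename handling described above (control-character stripping with '/u', followed by counter-based renaming on collision), placed beside a hardened version that treats a PCRE error as a hard failure. The function names unsafe_destination() and safe_destination(), the $exists callback that stands in for file_exists(), and all sample paths are assumptions made for this example.

```php
<?php
// Added example, not Drupal's code: a model of the flawed filename flow
// beside a hardened version. Names and fixtures below are assumptions.

/**
 * Models the vulnerable flow. preg_replace() with the /u modifier returns
 * NULL when the subject is not valid UTF-8; nothing checks for that, the
 * NULL becomes an empty basename, and the collision handler then produces
 * "_<counter>" with no extension at all.
 *
 * @param callable $exists  returns true when a path is already taken
 */
function unsafe_destination(string $directory, string $basename, callable $exists): string
{
    // Replace ASCII control characters with '_'; '/u' makes PCRE validate UTF-8.
    // The (string) cast mirrors "NULL is treated as an empty string".
    $basename = (string) preg_replace('/[\x00-\x1F]/u', '_', $basename);

    $destination = $directory . '/' . $basename;
    if (!$exists($destination)) {
        return $destination;
    }
    // Name collision: split name and extension, then append a counter.
    $pos = strrpos($basename, '.');
    if ($pos !== false) {
        $name = substr($basename, 0, $pos);
        $ext  = substr($basename, $pos);
    } else {
        $name = $basename;
        $ext  = '';
    }
    $counter = 0;
    do {
        $destination = $directory . '/' . $name . '_' . $counter++ . $ext;
    } while ($exists($destination));
    return $destination;
}

/**
 * Hardened version: a PCRE error rejects the upload, and a non-empty name
 * plus an allow-listed image extension are required before any collision
 * handling, so a renamed file can never lose its extension.
 * Returns NULL when the upload should be rejected.
 */
function safe_destination(string $directory, string $basename, callable $exists): ?string
{
    $clean = preg_replace('/[\x00-\x1F]/u', '_', $basename);
    if ($clean === null || preg_last_error() !== PREG_NO_ERROR) {
        return null;   // PREG_BAD_UTF8_ERROR or any other PCRE failure
    }
    $pos = strrpos($clean, '.');
    if ($pos === false || $pos === 0) {
        return null;   // no extension, or a dot-file with no name
    }
    $name = substr($clean, 0, $pos);
    $ext  = strtolower(substr($clean, $pos + 1));
    if (!in_array($ext, ['gif', 'jpg', 'jpeg', 'png'], true)) {
        return null;   // extension not on the image allow-list
    }
    $destination = $directory . '/' . $name . '.' . $ext;
    $counter = 0;
    while ($exists($destination)) {
        $destination = $directory . '/' . $name . '_' . $counter++ . '.' . $ext;
    }
    return $destination;
}

// Constructed fixture standing in for file_exists(): the pictures directory
// itself and one previously uploaded avatar already exist.
$taken  = ['/sites/default/files/pictures', '/sites/default/files/pictures/profile_pic.gif'];
$exists = fn(string $p): bool => in_array(rtrim($p, '/'), $taken, true);
$dir    = '/sites/default/files/pictures';

// Constructed filename containing an invalid UTF-8 byte, as in the test above.
$bad = "profile_pic\xFF.gif";

var_dump(unsafe_destination($dir, $bad, $exists));
var_dump(safe_destination($dir, $bad, $exists));
var_dump(safe_destination($dir, 'profile_pic.gif', $exists));
```

With the invalid filename, the vulnerable model yields the extension-less "_0" path under the pictures directory, while the hardened version returns NULL and the upload is refused; a valid colliding name is renamed with the counter but keeps its ".gif" extension. The key change is small: treat a NULL from preg_replace() (or a non-zero preg_last_error()) as a failure rather than as an empty string.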
Executable PoC: [link]
Exploitation, Phase 2: ZDI-19-130
ZDI-19-130 is a deserialization vulnerability that can be triggered via the file_temporary_path request parameter of the /admin/config/media/file-system page. An attacker can set the file_temporary_path request parameter to a "phar://" stream-wrapper path pointing at a malicious Phar archive previously uploaded to the Drupal server.
The system_check_directory() function below is the form callback that handles this request. According to our research, the "!is_dir($directory)" call alone is enough to make PHP deserialize the metadata stored in the Phar archive. Using POP-chain exploitation techniques, an attacker can then use a specially crafted Phar archive to achieve arbitrary code execution on the web server.
Exploitation, Phase 2: Polyglot Files
Before ZDI-19-130 can be used, a Phar file must be uploaded, which can be done as a JPEG/Phar polyglot during user registration. Shown below is a sample JPEG/Phar polyglot file that exploits ZDI-19-130 and executes the cat /etc/passwd command.
A Phar archive is similar to a JAR file: it is a package that bundles a collection of components. In our exploit scenario we used a TAR-based Phar archive.
To create the polyglot file, an attacker needs to choose a JPEG image as the carrier. The malicious TAR-based Phar archive is stored in the JPEG comment field at the beginning of the JPEG file. Note that the checksum of the TAR header must be fixed up, otherwise the TAR archive is treated as corrupt and fails to parse.
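The following PHP code is an added example, not Drupal's code and not the researchers' PoC. It shows two defensive checks for the phase-2 conditions described above: validating a temporary-path setting so that no PHP stream wrapper such as phar:// can be supplied, and a heuristic scan of an uploaded image for TAR/Phar markers that a genuine JPEG or GIF has no reason to contain. It also adds the standard PHP mitigation of unregistering the phar stream wrapper, which the article does not discuss. The function names is_safe_local_directory() and looks_like_phar_polyglot() and all sample values are assumptions.

```php
<?php
// Added example, not Drupal's code: defensive checks for the phase-2 vector.
// Function names and sample inputs are assumptions made for this example.

/**
 * Validate a temporary-directory setting such as file_temporary_path.
 * Any "scheme://" prefix selects a PHP stream wrapper (phar://, data://, ...),
 * which a local temp directory never needs, so it is rejected outright;
 * relative and empty values are rejected as well.
 */
function is_safe_local_directory(string $path): bool
{
    if ($path === '' || preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path) === 1) {
        return false;
    }
    return $path[0] === '/';
}

/**
 * Heuristic polyglot check for an uploaded image: byte sequences that a
 * genuine JPEG/GIF does not carry but a TAR-based or native Phar archive does.
 */
function looks_like_phar_polyglot(string $bytes): bool
{
    $markers = [
        "ustar",              // POSIX/GNU TAR header magic
        ".phar/",             // entry prefix used by tar/zip-based Phar archives
        "__HALT_COMPILER();", // stub terminator of native phar-format archives
    ];
    foreach ($markers as $marker) {
        if (strpos($bytes, $marker) !== false) {
            return true;
        }
    }
    return false;
}

// Runtime hardening: an application that never opens Phar archives can
// unregister the wrapper, so a phar:// path can no longer reach is_dir()
// or file_exists() at all.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

// Constructed settings values for a quick self-check.
$settings = [
    '/tmp',                          // accepted: absolute local directory
    'phar:///var/www/uploads/x.jpg', // rejected: stream wrapper
    'tmp',                           // rejected: not absolute
];
foreach ($settings as $s) {
    printf("%-32s %s\n", $s, is_safe_local_directory($s) ? 'ok' : 'REJECT');
}

// Constructed image bytes: a minimal JPEG, and a JPEG whose comment segment
// carries a TAR header magic string.
$cleanJpeg = "\xFF\xD8\xFF\xE0" . str_repeat("\x00", 16) . "\xFF\xD9";
$suspect   = "\xFF\xD8\xFF\xFE\x01\x10" . str_repeat("\x00", 257) . "ustar\x00" . "\xFF\xD9";
printf("clean: %s, suspect: %s\n",
    looks_like_phar_polyglot($cleanJpeg) ? 'flag' : 'pass',
    looks_like_phar_polyglot($suspect)   ? 'flag' : 'pass');
```

The path check is deliberately strict: rejecting every "scheme://" value, rather than just "phar://", also closes other wrappers that have no business in a temp-directory setting. The polyglot scan is a heuristic for upload-time triage and logging, not a replacement for the vendor fix; it will flag the JPEG-comment layout described above because the TAR header magic and the ".phar/" entry names survive inside the image bytes.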
This concludes the explanation of how these Drupal vulnerabilities are chained to achieve a one-click RCE through malicious images. I hope the above content is of some help.