
Analysis on the execution of Drupal SA-CORE remote Command

2025-01-18 Update. From: SLTechnology News&Howtos > Network Security


Shulou(Shulou.com)05/31 Report--

This article walks through the Drupal SA-CORE-2019-003 remote code execution vulnerability in detail; readers interested in the topic may find it useful.

1. Vulnerability background

On February 20th, 2019, Drupal officially disclosed a remote code execution vulnerability in Drupal core:

https://www.drupal.org/sa-core-2019-003

The vulnerability is triggered when the RESTful Web Services module is enabled and POST or PATCH requests are allowed.

Depending on the site's configuration, the vulnerability may be triggerable without any privileges, although this is not universally the case. Once exploited, an attacker can execute arbitrary PHP code directly on the web server, leading to server compromise, disclosure of user data and similar consequences.

Tencent Cloud itself is not affected by this vulnerability. After the vulnerability became public, the Tencent Cloud security team immediately tracked and analyzed it and issued an early-warning notification to customers on the cloud.

2. Locating the vulnerability

The advisory states that Drupal 8 is exposed to code execution when the RESTful Web Services module is enabled and PATCH or POST requests are allowed.

From the fix commit (https://github.com/drupal/core/commit/24b3fae89eab2b3951f17f80a02e19d9a24750f5), the trigger can be located in a deserialization operation:

We can infer that, during a REST API operation, the contents of the options parameter are passed into unserialize. The diff shows that both LinkItem.php and MapItem.php are affected; here we trace the vulnerable path from LinkItem.

Look at core/modules/link/src/Plugin/Field/FieldType/LinkItem.php:

Walking the whole call chain from the REST request: first, the entity type is resolved from the _links.type href in the JSON supplied by the user; then the entity's field list is obtained and traversed to get each field key, which is extracted from the user's JSON and spliced into a plugin ID of the form field_item:key (the intermediate steps are omitted here). Finally, getDefinition looks up that ID in the definitions array and returns the corresponding field item instance.

The denormalize method of the HAL FieldItemNormalizer (reached through FieldNormalizer) then calls setValue on that field item.

In other words, if we can steer $field_item to a LinkItem or MapItem, we can trigger the deserialization.
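To make the sink concrete, here is an added example, not Drupal's own code and not from the article, that reproduces the shape of LinkItem::setValue() before and after the fix as a stand-alone PHP script. FakeLinkItem and WakeupProbe are stand-ins written for this page; only the handling of the options value mirrors the real method, and the uri key, the constructed input and the use of allowed_classes are assumptions about the fix rather than a copy of it.

```php
<?php
// Added example (not Drupal code): a stripped-down stand-in for
// LinkItem::setValue() showing the deserialization sink and the fix.
// No Drupal classes are loaded; FakeLinkItem mimics only the part of
// the logic that matters for this bug.

// Stand-in for any loaded class with a magic method that runs on
// deserialization. Real attacks rely on such classes from libraries the
// application already loads; this one only records that it was woken.
class WakeupProbe {
    public static $woken = 0;
    public function __wakeup() {
        self::$woken++;
    }
}

class FakeLinkItem {
    public $values = [];

    // Vulnerable shape (before 8.6.10 / 8.5.11): a string 'options' value
    // goes straight into unserialize(), so any loaded class can be built.
    public function setValueVulnerable($values) {
        if (isset($values) && !is_array($values)) {
            $values = ['uri' => $values];           // 'uri' assumed as main property
        }
        if (isset($values)) {
            $values += ['options' => []];
        }
        if (is_string($values['options'])) {
            $values['options'] = unserialize($values['options']);
        }
        $this->values = $values;
    }

    // Hardened shape: allowed_classes => FALSE turns every serialized object
    // into __PHP_Incomplete_Class, so no constructor, __wakeup() or
    // __destruct() of an attacker-chosen class ever runs.
    public function setValueFixed($values) {
        if (isset($values) && !is_array($values)) {
            $values = ['uri' => $values];
        }
        if (isset($values)) {
            $values += ['options' => []];
        }
        if (is_string($values['options'])) {
            $values['options'] = unserialize($values['options'], ['allowed_classes' => FALSE]);
        }
        $this->values = $values;
    }
}

// Constructed input: what the REST layer hands to setValue() when the HAL
// body carries "options" as a serialized string instead of an array.
$untrusted = ['uri' => 'internal:/', 'options' => 'O:11:"WakeupProbe":0:{}'];

$item = new FakeLinkItem();
$item->setValueVulnerable($untrusted);
printf("vulnerable: options is %s, __wakeup ran %d time(s)\n",
    get_class($item->values['options']), WakeupProbe::$woken);

WakeupProbe::$woken = 0;
$item->setValueFixed($untrusted);
printf("fixed:      options is %s, __wakeup ran %d time(s)\n",
    get_class($item->values['options']), WakeupProbe::$woken);
```

The point of the comparison is that the fix does not validate the string; it removes the ability of serialized data to select a class at all, which is the only safe way to keep unserialize() on an attacker-controlled input. Where the stored value is actually an array of options, replacing unserialize() with a JSON or array-only format is the stronger long-term choice.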

3. Constructing the trigger

In the Drupal administration UI we configure the RESTful Web Services plugin and choose a resource that can accept POST.

To stay as close as possible to a real site administrator's configuration, we allow POST on /user/register.

Reasonably enough, user registration must be usable by anonymous users. Enable /user/register:

The permission setting that lets anonymous users POST to /user/register:

As noted above, we need an entity type that contains a LinkItem field. Searching the entity types shows that MenuLinkContent and Shortcut use LinkItem; Shortcut is used for the rest of the test.

The _links.type href for Shortcut is: http://127.0.0.1/rest/type/shortcut/default

Send a POST request to /user/register and set a breakpoint in PhpStorm on the denormalize function in core/modules/hal/src/Normalizer/FieldItemNormalizer.php:

At the point where setValue is called, $field_item is a LinkItem. Stepping into setValue (figure 2): if $values is an array and $values['options'] exists as a string, the deserialization is performed. We modify the payload accordingly to trigger the deserialization.
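The request shape implied by the analysis above, as an added example rather than the article's or Drupal's own code: a PHP script that builds the HAL+JSON body whose type link selects the shortcut entity and whose link field carries options as a string, and a checker that flags string-typed options values in such bodies. The host 127.0.0.1, the _format=hal_json query parameter, the link field name on the shortcut entity and the stdClass probe are assumptions; a real payload would carry a gadget chain from a loaded library, which is not shown here.

```php
<?php
// Added example (not from the article or Drupal): builds the HAL+JSON body
// that reaches LinkItem::setValue() with a string "options" value, and a
// request-inspection check that flags such bodies.

// The HAL type link tells the denormalizer which entity type to build;
// pointing it at "shortcut" makes the "link" field a LinkItem.
// (host and path are assumptions for this example)
$typeHref = 'http://127.0.0.1/rest/type/shortcut/default';

// Harmless serialized object: enough to prove unserialize() is reached.
// A real attack substitutes a gadget chain; none is shown here.
$serializedProbe = 'O:8:"stdClass":0:{}';

$body = [
    '_links' => ['type' => ['href' => $typeHref]],
    'link'   => [['uri' => 'internal:/', 'options' => $serializedProbe]],   // field name assumed
];

$json = json_encode($body, JSON_UNESCAPED_SLASHES);

// The request as it would be sent to the resource that allows POST
// (_format=hal_json is assumed as the HAL format selector).
$request = "POST /user/register?_format=hal_json HTTP/1.1\r\n"
    . "Host: 127.0.0.1\r\n"
    . "Content-Type: application/hal+json\r\n"
    . "Content-Length: " . strlen($json) . "\r\n\r\n"
    . $json;
echo $request, "\n\n";

// Inspection: legitimate link/map field items carry "options" as an
// array. A string "options" value is exactly the precondition for the
// unserialize() call, so flag every occurrence (usable in a WAF rule or
// when reviewing captured request bodies).
function findStringOptions(array $data, string $path = '$'): array {
    $hits = [];
    foreach ($data as $key => $value) {
        $here = $path . '.' . $key;
        if ($key === 'options' && is_string($value)) {
            $hits[] = $here;
        } elseif (is_array($value)) {
            $hits = array_merge($hits, findStringOptions($value, $here));
        }
    }
    return $hits;
}

foreach (findStringOptions(json_decode($json, true)) as $hit) {
    echo "suspicious string 'options' at $hit\n";
}
```

The checker deliberately keys on the type of the value rather than on the content of the serialized string, because a gadget chain can be obfuscated but the vulnerable branch is only reached when options is a string.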

Verification video:

An attacker can use this deserialization to execute arbitrary code on the server; the video below shows the calculator being popped on the server:

4. Recommended fix

1. Drupal 8.6.x: upgrade to 8.6.10

2. Drupal 8.5.x or earlier: upgrade to 8.5.11

3. Drupal 7: no update is required.

Mitigations:

1. Disable the RESTful Web Services module.

2. Configure the web server to reject POST/PATCH requests to web services resources.

This concludes the analysis of the Drupal SA-CORE remote code execution vulnerability.
