Add Drupal SA-CORE-2019-003 (CVE-2019-6340) #11481
Please add some module documentation for this module.
msftidy is unhappy and complained a lot. It's nothing personal.
Co-Authored-By: rotemreiss <reiss.r@gmail.com>
Nice first try! There are a good number of improvements you should make, along with some module documentation, etc. I'd suggest starting with an empty module, and only add the code you need from examples. That'll help you understand better how all the pieces work together. Our local analysis of this vulnerability made it seem like too much of a stretch to see the specific circumstances required for exploitability being very readily expressed in the wild, so we didn't attempt to create a module locally. Feel free to open a new PR for this when you think it is ready. Thanks!
@busterb By that you mean that the exploit isn't "bullet-proof" / reliable enough or something else? The code in that new module is mostly after I removed / fixed things that are irrelevant or seem too complicated for that use case. (e.g. the @wvu-r7 BTW I am insulted that you didn't give us credit in your Drupalgeddon 2 module 😜
Credit right here. Normally we put vuln discovery, PoC, and module authors in the If you'd like to be added as an author, I'd be happy to, but I worked off the PoCs directly. Relevant independent analysis (such as the greysec.net thread) was referenced. That said, your blog post was a great read!
@rotemreiss: I would be happy to merge the module if the review comments are addressed, the requirements and limitations on the vuln are noted (all Web Services enabled and per-node caching), and documentation is added! You can continue to push commits here, and when you're ready to reopen, just ping us!
Since we've accumulated some history here, let's reopen this so we can track it instead of having to reference it. I apologize for the misdirection!
@rotemreiss: You'll want to
@wvu-r7 Cool, I'll try that after you make your changes. I'm glad that I understood the framework ok and it wasn't me reinventing the wheel. In the beginning I thought that it would take me ~3 hours... I think I spent something like a day and a half on that :S. If you can merge it before your
I merged #11485, since I don't like module PRs blocking library changes. You can still change your code later, or I can handle it when I do testing and final cleanup.
I can take care of it, I'll just make the changes you did on #11485 manually on my env, since I'm on the latest release here I think.
Remove custom full_uri implementation in favor of a library change in rapid7#11485 which adds vhost support in the full_uri method.
Changed, tested and pushed ;) Let's make it happen?
This is not the right place for it, but I just wanted to say awesome job team. While I'm not keeping up on all the emails, everyone seems to be putting in a lot of work and really working hard to make this happen. While I don't have an immediate need for the module, let me be the first in the community to say thanks for working so hard to make this module happen!
@rotemreiss: Can you give the module a test? I'm ready to land when you are.
Release Notes
The unix/webapp/drupal_restws_unserialize exploit module has been added to the framework. This module targets the Drupal SA-CORE-2019-003 remote code execution vulnerability (CVE-2019-6340). Various enhancements to Drupalgeddon 2 and the Drupal mixin have also been added.
Add new exploit for Drupal SA-CORE-2019-003.
This is my first Metasploit exploit so be gentle with me ;)
#7108, #9876