by Branden Lynch (Threats Analyst)
The content management framework Drupal recently fixed a vulnerability (CVE-2019-6340) in their core software, identified as SA-CORE-2019-003. The flaw is categorized as highly critical, exposing vulnerable installations to unauthenticated remote code execution (RCE). The vulnerability affects a substantial portion of Drupal installations, since it impacts the widely installed RESTful Web Services (rest) module. Specifically, the vulnerability requires that the following preconditions are met:
This vulnerability is specifically in the REST API, which includes a deserialization module. In particular, the LinkItem class (a subclass of FieldItemBase) implements the link field, which defines the structure of links and their associated fields (description, etc.). Inside LinkItem is a single line that deserializes the options supplied for the link property. The Shortcut class then makes use of the link property, which is what ultimately exposes that deserialization to user-controlled data. In Drupal, a shortcut is a way of visually displaying a quick link to a frequently used page via a toolbar or menu item.
Knowing these factors, an attacker can submit a crafted link that references a type of shortcut and contains serialized PHP in the ‘options’ field for the link.
Figure 1. The serialized content is processed even if the user is not authenticated
Figure 2. Successful remote code execution
In the response, you can see that we have successfully executed ‘cat /etc/passwd’ on the target, although this command could be trivially changed to anything, including downloading a web shell or establishing persistence on the target via malware or other means. All executed commands will inherit the privileges of the user running Drupal.
Figure 3. Attack variations can be easily performed with other API endpoints
The specific payload used in the serialization makes use of a gadget chain via Guzzle, a PHP HTTP client, and was generated via PHPGGC (PHP Generic Gadget Chains), as pointed out by other researchers.
All REST API endpoints in the applicable Drupal versions are potentially vulnerable, with the following HTTP methods: GET, PUT, PATCH, and POST. Disabling all web services modules or blocking all requests to them that use the aforementioned methods should be sufficient to prevent this attack. Users are also advised to upgrade to the latest Drupal version, which patches this issue.
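As an added defensive example (not code from the original post or from the Drupal project), the following Python flags requests that match the pattern described above: a request using one of the listed methods against a REST route (assumed here to be identified by Drupal's `_format=hal_json` or `_format=json` query parameter) whose JSON body carries a PHP serialized-object marker in any string value, such as a link's `options`. The sample requests are constructed, and the serialized value in them is a harmless stdClass rather than a gadget chain.

```python
import json
import re
from typing import Any, Iterator, Optional

# Header of a PHP serialized object, e.g. O:8:"stdClass":1:{ ... }
PHP_OBJECT_RE = re.compile(r'(?:O|C):\d+:"[A-Za-z0-9_\\]+":\d+:\{')
REST_METHODS = {"GET", "PUT", "PATCH", "POST"}  # methods the post lists as affected

def _strings(value: Any) -> Iterator[str]:
    """Yield every string leaf of a decoded JSON document, recursively."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from _strings(v)

def is_rest_request(method: str, path: str) -> bool:
    """Assumption: REST routes are selected by a _format=hal_json|json query parameter."""
    return method.upper() in REST_METHODS and re.search(r"[?&]_format=(hal_json|json)\b", path) is not None

def serialized_php_in_body(body: str) -> Optional[str]:
    """First string value carrying a PHP serialized object, or None (raw scan if not JSON)."""
    try:
        doc = json.loads(body)
    except ValueError:
        m = PHP_OBJECT_RE.search(body)
        return m.group(0) if m else None
    return next((s for s in _strings(doc) if PHP_OBJECT_RE.search(s)), None)

def flag_request(method: str, path: str, body: str) -> Optional[str]:
    """Reason string if the request matches the CVE-2019-6340 pattern, else None."""
    if not is_rest_request(method, path):
        return None
    hit = serialized_php_in_body(body)
    return None if hit is None else f"{method.upper()} {path.split('?')[0]}: serialized PHP object in body ({hit[:24]}...)"

# Constructed sample traffic, not captured data; the serialized value is a harmless stdClass.
SAMPLE_REQUESTS = [
    ("GET", "/node/1?_format=hal_json",
     '{"link": [{"uri": "internal:/", "options": "O:8:\\"stdClass\\":1:{s:1:\\"a\\";s:1:\\"b\\";}"}]}'),
    ("POST", "/node?_format=json", '{"title": [{"value": "hello"}], "type": [{"target_id": "article"}]}'),
    ("GET", "/node/1", '{"link": [{"options": "O:8:\\"stdClass\\":0:{}"}]}'),  # HTML route, not REST
]

def scan(requests=SAMPLE_REQUESTS) -> list:
    return [r for r in (flag_request(*req) for req in requests) if r]
```

Run `scan()` over the sample batch and only the first request is reported; the same check can be applied to a WAF or reverse-proxy log to find attempts that reached the REST routes before the upgrade.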
A proactive, multilayered approach to security is key against threats that exploit vulnerabilities — from the gateway, endpoints, networks, and servers. Trend Micro Deep Security and Trend Micro
The post Drupal Vulnerability (CVE-2019-6340) Can Be Exploited for Remote Code Execution appeared first on .