Khám phá thế giới Drupalgeddon từ tác giả Eyal Shalev qua Drupal 7

Khám phá thế giới Drupalgeddon từ tác giả Eyal Shalev qua Drupal 7

Hướng dẫn sử dụng Redux để quản lý hiệu quả trong ứng dụng React

Average: 6.5 (4 votes)

Cài đặt Webpack để viết Reactjs bằng ES6 và những thuận lợi của ES6

Average: 9.5 (2 votes)

Khám phá thế giới Drupalgeddon từ tác giả Eyal Shalev qua Drupal 7


Two weeks ago, a highly critical (25/25 NIST rank) vulnerability, nicknamed Drupalgeddon 2 (SA-CORE-2018-002 / CVE-2018-7600), was disclosed by the Drupal security team. This vulnerability allowed an unauthenticated attacker to perform remote code execution on default or common Drupal installations.

>> Drupalgeddon - Thử injection Drupal 7 tại form tạo tài khoản và cái kết

Drupal is an open-source content management system (CMS) that is used by more than one million sites around the world (including governments, e-retail, enterprise organizations, financial institutions and more), all of which are vulnerable unless patched.

Until now details of the vulnerability were not available to the public, however, Check Point Research can now expand upon this vulnerability and reveal exactly how it works.

In brief, Drupal had insufficient input sanitation on Form API (FAPI) AJAX requests. As a result, this enabled an attacker to potentially inject a malicious payload into the internal form structure. This would have caused Drupal to execute it without user authentication. By exploiting this vulnerability an attacker would have been able to carry out a full site takeover of any Drupal customer.

The vulnerability existed on all Drupal versions from 6 to 8, though has since been patched to those who manually update their site. In this document we will showcase real life attack scenarios around an out-of-the-box installation of Drupal’s flagship product, Drupal 8.

Technical Details

The Vulnerability

To provide some background, Drupal’s Form API was introduced in Drupal 6 and allowed alteration of the form data during the form rendering process. This revolutionized the way markup processing was done.

In Drupal 7 the Form API was generalized to what is now known as “Renderable Arrays”. This extended API is used to represent the structure of most of the UI elements in Drupal, such as pages, blocks, nodes and more.

Renderable arrays contain metadata that is used in the rendering process. These renderable arrays are a key-value structure in which the property keys start with a hash sign (#). Please see below for an example:

‘#type’ => ‘markup’,
‘#markup’ => ‘<em>some text</em>’,
‘#prefix’ => ‘<div>’,
‘#suffix’ => ‘</div>’

Drupal’s Patch

The patch that Drupal published adds a single class called RequestSanitizer with a stripDangerousValues method that unsets all the items in an input array for keys that start with a hash sign. This method sanitizes input data in $_GET, $_POST & $_COOKIES during the very early stages of Drupal’s bootstrap (immediately after loading the site configurations).

We assume that one of the reasons that the patch was done in this way was to make it harder to find and exploit the vulnerability.

Finding an Attack Vector

Because of the above we focused on forms that are exposed to anonymous users.

There are a few of those forms available, one of which is the user registration form. This form contains multiple fields, as can be seen in the screenshot below.

Drupalgeddon - Thử injection Drupal 7 tại form tạo tài khoản và cái kết

Figure 1: The Drupal registration form.

We knew that we needed to inject a renderable array somewhere in the form structure, we just had to find out where.

As it happens, the “Email address” field does not sanitize the type of input that it receives. This allowed us to inject an array to the form array structure (as the value of the email field).

Drupalgeddon - Thử injection Drupal 7 tại form tạo tài khoản và cái kết

Figure 2: Injecting our renderable array into the mail input of the registration form.

Drupalgeddon - Thử injection Drupal 7 tại form tạo tài khoản và cái kết

Figure 3: Example of injected form renderable array.

Now all we needed was for Drupal to render our injected array. Since Drupal treats our injected array as a value and not as an element, we needed to trick Drupal into rendering it.

The situations in which Drupal renders arrays are as follows:

  1. Page load
  2. Drupal AJAX API – i.e. when a user fills an AJAX form, a request is made to Drupal which renders an HTML markup and updates the form.

After investigating possible attack vectors surrounding the above functionalities, because of the post-submission rendering process and the way Drupal implements it, we came to the conclusion that an AJAX API call is our best option to leverage an attack.

As part of the user registration form, the “Picture” field uses Drupal’s AJAX API to upload a picture into the server and replace it with a thumbnail of the uploaded image.

Drupalgeddon - Thử injection Drupal 7 tại form tạo tài khoản và cái kết

Figure 4: Form used to upload a picture using AJAX API.

Diving into the AJAX file upload callback revealed that it uses a GET parameter to locate the part of the form that needs to be updated in the client.

Drupalgeddon - Thử injection Drupal 7 tại form tạo tài khoản và cái kết

Figure 5: The AJAX ‘upload file’ callback function code.

After pointing element_parents to the part of the form that contained our injected array, Drupal successfully rendered it.

Weaponizing Drupalgeddon 2

Now, all we had to do is to inject a malicious render array that uses one of Drupal’s rendering callback to execute code on the system.

There were several properties we could have injected:

  • #access_callback
    Used by Drupal to determine whether or not the current user has access to an element.
  • #pre_render
    Manipulates the render array before rendering.
  • #lazy_builder
    Used to add elements in the very end of the rendering process.
  • #post_render
    Receives the result of the rendering process and adds wrappers around it.

For our POC to work, we chose the #lazy_builder element as the one being injected into the mail array. Combined with the AJAX API callback functionality, we could direct Drupal to render our malicious array.

This allowed us to take control over the administrator’s account, install a malicious backdoor module and finally execute arbitrary commands on the server.

Drupalgeddon - Thử injection Drupal 7 tại form tạo tài khoản và cái kết

Figure 6: injecting malicious command into one of Drupal’s rendering callbacks.

Drupalgeddon - Thử injection Drupal 7 tại form tạo tài khoản và cái kết

Figure 7: Successfully executing shell commands using the malicious module.


After seeing earlier publications on Twitter and several security blogs, it was apparent that there was much confusion among the community regarding this vulnerability announcement, with some even doubting the severity of it. As a result, we considered it worthwhile to looking deeper into.

The research however was challenging as we were starting from a very large attack surface since the patch blurred the real attack vectors. To expedite our findings, we were fortunate to be joined by experts in the Drupal platform. The final results highlight how easy it is for organization to be exposed through no fault of their own, but rather through the third party platforms they use every day.

Bạn thấy bài viết này như thế nào?: 
Average: 5 (2 votes)

Bình luận (1)

Ảnh của admin 2
admin 2 (chưa được kiểm chứng)- Mar 29, 2020 02:19 PM Reply



Add Comment

Plain text

  • No HTML tags allowed.
  • Các địa chỉ web và email sẽ tự động được chuyển sang dạng liên kết.
  • Tự động ngắt dòng và đoạn văn.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
12 + 2 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.




Dich vu khu trung tphcm

Dich vu diet chuot tphcm

Dich vu diet con trung

Quảng Cáo Bài Viết

Book: Selling Online with Drupal e-Commerce
Download sách Drupal: Selling Online and Drupal e-Commerce

Drupal is a free and open-source modular web application framework and content management system (CMS) written in PHP that can run in many environments, including Windows, Mac OS X, Linux, and FreeBSD. Drupal e-Commerce is a free, open-source, feature-rich, flexible package of modules that seamlessly adds full e-Store capabilities to Drupal.

tin nhắn SMS, Android, Android 4.1 Jelly Bean, Google Play
5 ứng dụng chặn cuộc gọi và tin nhắn SMS trên Android

Đôi khi bạn nhận được quá nhiều cuộc gọi và tin nhắn rác không mong muốn từ một số điện thoại nào đó, làm cho bạn cảm thấy phiền hà, khó chịu và muốn ngăn chặn nó. Hiện nay có rất nhiều ứng dụng miễn phí để ngăn chặn, lọc tin nhắn SMS và cuộc gọi trên điện thoại, nếu bạn đang sử dụng điện thoại Android thì dưới đây là 5 ứng dụng miễn phí được Google Play cung cấp tốt nhất bạn nên dùng.

Đề xuất phương án doanh nghiệp tự quyết định giá nước sạch
Luật Thoát nước và Xử lý nước thải sẽ được ban hành sau năm 2020

Theo bà Mai Thị Liên Hương, Bộ Xây dựng đang định hướng xây dựng một số chính sách mới trong quản lý cấp nước như quy định người dân có quyền được tiếp cận nước sạch