But finding how any of them applies to the codebase was the hard part, especially for a non-expert in Drupal’s vast developer API. Exploit developers had to look through all of the API reference to identify which properties were actually exploitable. There are many different properties that accept function callbacks, which was key for exploitation. These various properties can take different inputs. In Drupal’s design, # properties are used by the Forms API, which is how it generates forms, dynamically modifies forms, etc. That was pretty difficult across the community of exploit developers to actually find the code path for exploitation. It added a request sanitizer that applied broadly to the application, making it hard to understand what code path needed to be exploited. The initial patch was non-specific on what the actual vulnerable path was. Metasploit Notes: Step 1 for Drupalgeddon Exploit Development - Understanding the Attack Vector This has been an especially busy year for the Drupal Security Team since they’re on-track to surpass previous years in both frequency and severity at the rate they’re going: Host: User-Agent: Mozilla/4.0 (compatible MSIE 6.0 Windows NT 5.1)Ĭontent-Type: application/x. The vast majority of these connections were attempting to use the following “login account” vector vs the CHANGELOG detection method: POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1 Rapid7 Labs has been monitoring active exploitation attempts through Project Heisenberg since the release and began seeing a serious uptick in probes for Drupal nodes in mid-April: The advisory was released with a patch and CVE (CVE-2018-7600) at the same time. The Drupalgeddon 2 vulnerability announcement came out in late March ( ) as SA-CORE-2018-002. Background on the Drupalgeddon vulnerability First up: many thanks to Brent Cook, William Vu and Matt Hand for their massive assistance in both the Rapid7 research into “Drupalgeddon” and their contributions to this post.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |