Exploiting Drupalgeddon2: CVE-2018-7600

In March 2018, a new Drupal core vulnerability (later named Drupalgeddon2) was disclosed and rated Highly Critical by the Drupal security team. It affects Drupal 8 versions < 8.3.9 / < 8.4.6 / < 8.5.1. This article covers how the vulnerability can be exploited manually using Burp Suite. Further details regarding the vulnerability can be found here.

A vulnerable Drupal release was obtained from the official Drupal website, then downloaded and installed on Ubuntu 16.04 with a LAMP stack.

The Drupalgeddon2 vulnerability allows an attacker to execute commands remotely on the targeted system. In practice, any shell command can be run with the privileges of the web server process. This is highly critical because no form of authentication is required.

form_id=user_register_form&_drupal_ajax=1&timezone[a][#lazy_builder][]=passthru&timezone[a][#lazy_builder][][]=ANY_COMMAND_HERE

The payload above can be sent to the web server as a POST request, which allows any remote attacker to execute system commands. The unpatched Form API does not filter `#`-prefixed keys out of user input, so the `timezone[a][#lazy_builder]` parameters are treated as a render array callback: when the AJAX form is rebuilt, `passthru` is called with the supplied argument.
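As an added defensive example (not code from the article), the following Python flags and strips request parameters whose Form API key path contains a segment beginning with `#`, the input the payload above relies on and the same class of key that the patched Drupal versions remove from incoming requests. The request bodies are constructed samples, not captured traffic, and the check works on the flat, URL-encoded parameter names rather than on Drupal's decoded nested array.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample request bodies: a benign registration form post and one
# carrying the render-array injection shown above (with a harmless argument).
SAMPLE_BODIES = [
    "form_id=user_register_form&name=alice&mail=alice%40example.org&timezone=UTC",
    "form_id=user_register_form&_drupal_ajax=1"
    "&timezone[a][#lazy_builder][]=passthru&timezone[a][#lazy_builder][][]=id",
]

# A bracketed path segment whose name starts with '#', e.g. "[#lazy_builder]".
HASH_SEGMENT = re.compile(r"\[#[^\]]*\]")


def is_hash_key(name: str) -> bool:
    """True if the parameter name itself, or any nested segment, begins with '#'."""
    return name.startswith("#") or HASH_SEGMENT.search(name) is not None


def hash_keys(body: str) -> list[str]:
    """Detection: return every parameter name in the body that carries a '#' key."""
    return [name for name, _ in parse_qsl(body, keep_blank_values=True)
            if is_hash_key(name)]


def sanitize(body: str) -> list[tuple[str, str]]:
    """Mitigation: drop '#'-keyed parameters, keeping the rest in order."""
    return [(name, value) for name, value in parse_qsl(body, keep_blank_values=True)
            if not is_hash_key(name)]


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        hits = hash_keys(body)
        verdict = "SUSPICIOUS" if hits else "clean"
        print(f"{verdict}: {body}")
        for key in hits:
            print(f"  '#'-keyed parameter: {key}")
```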

A specially crafted POST request is required to execute commands on the targeted system, as shown in the image above. As a proof of concept, the command echoes some text into test.txt.

The file test.txt is then present on the web server. This confirms that the server executed the command sent from Burp Suite.

Reading internal system files, such as /etc/passwd, is also possible through the same vulnerability. This could likewise allow an attacker to read the settings.php configuration file or other sensitive content on the system.

If common tools (such as wget) are installed on the system, they can be used to download a reverse shell, as shown in the image above. The attacker can, for example, host the payload on a web server. This would allow an attacker to obtain a meterpreter shell on the targeted system.

If wget is not installed, another method is to create a netcat listener on the targeted system. The attacker can then transfer the payload using netcat as well.

Start Metasploit’s multi/handler, set the appropriate values, and visit http://192.168.0.49/meterpreter.php to trigger the payload.

However, what if no suitable system tools are available on the targeted system? The payload can then be encoded with base64. The image above shows how the payload is decoded on the target before being written to shell.php.

The base64 payload was successfully decoded and stored by the targeted system. Visiting http://192.168.0.49/shell.php triggered the payload and connected back to the netcat listener on port 1234.

Conclusion

CVE-2018-7600 is both a serious and an interesting vulnerability. It can be exploited using a variety of methods, as demonstrated in this article. The exploit itself is not complex and is publicly available in, for example, the Exploit Database.