by Branden Lynch (Threats Analyst)
The content management framework Drupal recently fixed a vulnerability (CVE-2019-6340) in their core software, identified as SA-CORE-2019-003. The flaw is categorized as highly critical, exposing vulnerable installations to unauthenticated remote code execution (RCE). The vulnerability affects a substantial portion of Drupal installations, since it impacts the widely installed RESTful Web Services (rest) module. Specifically, the vulnerability requires that the following preconditions are met:
- Drupal 8.6.x, < 8.6.10 OR Drupal < 8.5.11
- RESTful Web Services module is enabled
This vulnerability is specifically in the REST API, which includes a deserialization module. In particular, the LinkItem class (a subclass of the FieldItemBase class) defines the link field, which defines the structure of links and associated fields (descriptions, etc.). Inside the LinkItem class is a single line that performs deserialization of options supplied for the link property. The Shortcut class then makes use of the link property, which is what ultimately exposes the deserialization to user controlled data. In Drupal, a shortcut is a way of visually displaying a quick link to a frequently used page via a toolbar or menu item.
How attackers exploit the vulnerability
Knowing these factors, an attacker can submit a crafted link that references a type of shortcut and contains serialized PHP in the ‘options’ field for the link.
Figure 1. The serialized content is processed even if the user is not authenticated
Figure 2. Successful remote code execution
In the response, you can see that we have successfully executed ‘cat /etc/passwd’ on the target, although this command could be trivially changed to anything, including downloading a web shell or establishing persistence on the target via malware or other means. All executed commands will inherit the privileges of the user running Drupal.
Figure 3. Attack variations can be easily performed with other API endpoints
The specific payload used in the serialization makes use of a gadget chain via Guzzle, a PHP HTTP client, and was generated via PHPGGC (PHP Generic Gadget Chains), as pointed out by other researchers.
Trend Micro Solutions
All REST API endpoints in the applicable Drupal versions are potentially vulnerable, with the following HTTP methods: GET, PUT, PATCH, and POST. Disabling all web services modules or blocking all requests to them that use the aforementioned methods should be sufficient to prevent this attack. Users are also advised to upgrade to the latest Drupal version, which patches this issue.
A proactive, multilayered approach to security is key against threats that exploit vulnerabilities — from the gateway, endpoints, networks, and servers. Trend Micro Deep Security and Trend Micro™ Vulnerability Protection also provide virtual patching that protects servers and endpoints from threats that abuse vulnerabilities in critical applications or websites such as those that use Drupal. Trend Micro™ OfficeScan™ with XGen™ endpoint security has Vulnerability Protection that shields endpoints from identified and unknown vulnerability exploits even before patches are even deployed. Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security protect end users and businesses from these threats by detecting and blocking malicious files and all related malicious URLs.
- 1009541 – Drupal Core Remote Code Execution Vulnerability (CVE-2019-6340)
- 34578: HTTP: Drupal RESTful Web Services Code Injection Vulnerability
The Trend Micro™ Deep Discovery Inspector™ solution protects customers from related attacks via this DDI rule:
- 2833: CVE-2019-6340 Drupal8 RESTful Web Services Remote Code Execution – HTTP (Request)