Radu-Emanuel Chiscariu in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
My name
Position
A web application vulnerability that appeared this year
RCE
A lot of articles appeared starting on 16 April
It seemed to affect all versions of Drupal
Moreover, after two weeks or so
Another wave of attacks came after the patch
What happened
A user with limited permissions
interacts with a confirmation form ()
First patch: announced on 21 March (released a week later, on 28 March)
Then came the security advisory (responsible disclosure)
Then came the public PoC
But a different thing happened with the second wave of attacks:
First came the exploit
Then the patch and the security advisory, on the same day
Full disclosure.
The impact seemed to be over 1 million websites
Before going through the vulnerable code,
The Form API handles processing and presenting forms.
Building blocks: renderable arrays
Keys map to HTML tags (keys starting with a hash sign are properties of the element, all other keys are child elements)
So what happens when
The outcome of the rendering
Looking at the vulnerable code
doRender() takes care of rendering the resource requested by the client
It contains logic that renders the page according to the form properties within the $elements array
The form properties within the $elements array therefore steer the rendering process
The managed file element builds an AJAX response using the uploadAjaxCallback() function
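The render-array mechanics above, as an added example that is not code from the slides or from Drupal core: a deliberately small PHP renderer that treats keys starting with a hash sign as properties and every other key as a child element, and that invokes the callables listed under '#pre_render' and '#post_render' by name, which is the step an attacker reaches when unfiltered request data is merged into an element. The function name miniRender(), the three element types modelled, and the sample arrays are assumptions of this example; a harmless callable stands in for exec.

```php
<?php
// Added example, not code from the slides or from Drupal core. A deliberately
// small renderer that mimics how Drupal's Form/Render API treats a renderable
// array: keys starting with '#' are properties of the element, every other key
// is a child element. miniRender() and the sample arrays are assumptions made
// for this illustration. Requires PHP 8 (match, str_starts_with).

declare(strict_types=1);

/**
 * Render one element, following the outline of Drupal's doRender():
 *  1. run every callable listed in '#pre_render' on the element,
 *  2. turn '#type'/'#markup' plus the children into HTML,
 *  3. run every callable listed in '#post_render' on the produced HTML.
 * Each callable is invoked by name with call_user_func(); that is the step
 * that makes attacker-controlled '#' properties dangerous.
 */
function miniRender(array $elements): string
{
    foreach ($elements['#pre_render'] ?? [] as $callable) {
        $elements = call_user_func($callable, $elements);
    }

    // Only three element types are modelled here.
    $tag = match ($elements['#type'] ?? 'markup') {
        'container' => 'div',
        'item'      => 'span',
        default     => null,   // 'markup': no wrapping tag
    };

    $html = (string) ($elements['#markup'] ?? '');
    foreach ($elements as $key => $child) {
        // Children are the non-'#' keys (string or integer keys alike).
        if (is_array($child) && !(is_string($key) && str_starts_with($key, '#'))) {
            $html .= miniRender($child);
        }
    }
    if ($tag !== null) {
        $html = "<$tag>$html</$tag>";
    }

    // Real Drupal passes ($children, $elements); one argument keeps internal
    // functions such as strtoupper() usable as the stand-in callable.
    foreach ($elements['#post_render'] ?? [] as $callable) {
        $html = call_user_func($callable, $html);
    }
    return $html;
}

// A form fragment as a developer would write it.
$form = [
    '#type' => 'container',
    'mail'  => ['#type' => 'item', '#markup' => 'mail@example.test'],
];
echo miniRender($form), "\n";

// Constructed input: request data merged into the element without filtering.
// The client supplies a '#post_render' callable; strtoupper stands in for the
// dangerous ones (exec, passthru, ...) that turn this into code execution.
$fromRequest = ['#post_render' => ['strtoupper'], '#markup' => 'injected'];
$form['mail'] = array_merge($form['mail'], $fromRequest);
echo miniRender($form), "\n";
```

Run it with `php miniRender.php`: the first line is the container with the mail item rendered as written; the second line shows the same structure with the client-supplied markup upper-cased, proof that a callable named in request data was executed by the renderer. Replacing strtoupper with exec in the request is all that separates this from the RCE the talk describes.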
The fix: filter out all items starting with a hash sign
They applied a general ..
stripDangerousValues() … hash sign
This method sanitizes input data in $_GET, $_POST and $_COOKIE
during the very early stages of Drupal’s bootstrap (immediately after loading the site configurations).
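A filter in the spirit of stripDangerousValues(), added here as an example and not Drupal's own RequestSanitizer code: it recursively drops every key beginning with a hash sign from the request arrays and logs what it removed. The slides do not spell out why a first filter of this kind can still be bypassed; the second half of the example is a generalization of mine, namely that a value which is itself a URL-encoded query string keeps its hash keys hidden until the application parses it with parse_str(), so the filter has to run again at that point. stripHashKeys(), parseQueryStringSafely(), the parameter name 'next' and the request array are assumptions of this example.

```php
<?php
// Added example, not Drupal's RequestSanitizer. A recursive filter in the
// spirit of the stripDangerousValues() mitigation described above, plus the
// second pass that a value containing its own query string needs.
// stripHashKeys(), parseQueryStringSafely() and the request below are
// assumptions made for this illustration. Requires PHP 8 (str_starts_with).

declare(strict_types=1);

/**
 * Remove every key that begins with '#' at any depth, so request data can
 * never carry render-array properties such as '#post_render'. The path of each
 * removed key is appended to $removed so the caller can log it.
 */
function stripHashKeys(array $input, array &$removed, string $path = ''): array
{
    foreach ($input as $key => $value) {
        $here = $path === '' ? (string) $key : "$path/$key";
        if (is_string($key) && str_starts_with($key, '#')) {
            $removed[] = $here;
            unset($input[$key]);   // foreach iterates a copy, so this is safe
            continue;
        }
        if (is_array($value)) {
            $input[$key] = stripHashKeys($value, $removed, $here);
        }
    }
    return $input;
}

/**
 * A top-level filter only sees the keys PHP produced when it parsed the
 * request. A value that is itself a URL-encoded query string keeps its '#'
 * keys hidden until the application calls parse_str() on it, so the filter
 * must run again at that point.
 */
function parseQueryStringSafely(string $query, array &$removed): array
{
    parse_str($query, $parsed);
    return stripHashKeys($parsed, $removed, 'nested');
}

// Constructed request, as seen right after the site configuration is loaded.
// 'next' is an illustrative parameter whose value is a path with a query.
$get = [
    'q'    => 'user/register',
    'mail' => ['#post_render' => ['exec'], '#markup' => 'id'],
    'next' => 'node?q[%23post_render][]=exec&q[%23markup]=id',
];

$removed  = [];
$cleanGet = stripHashKeys($get, $removed);
print_r($removed);                              // log what the first pass dropped
var_dump($cleanGet['mail']);                    // the '#' properties are gone
var_dump($cleanGet['next'] === $get['next']);   // the nested value was not touched

// Wherever the value is consumed, parse it through the filter again.
$query   = substr($cleanGet['next'], strpos($cleanGet['next'], '?') + 1);
$removed = [];
$nested  = parseQueryStringSafely($query, $removed);
print_r($removed);                              // log what the second pass dropped
var_dump($nested);                              // 'q' survives without '#' keys
```

Running it shows the first pass removing the two hash keys under mail while leaving the 'next' value byte-for-byte intact, and the second pass removing the two hash keys that parse_str() only then materializes under q. The practical rule is that sanitizing at bootstrap is necessary but not sufficient: any later code path that turns a string into an array (parse_str, json_decode, unserialize) is a new entry point for hash-prefixed keys and needs the same check.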
Two days after
Cumulative
The max number
Our honeypots also report the source…
Of course, it seems that
- Terminate other mining processes if found on the machine
- Install dependencies
- Ensure persistence with cron jobs
- Ensure attacker access by adding an authorized SSH key as a backdoor,
- then download some resources
star
Looking at the strings …
Also, the IPs found are reported