2. Agenda
● Drupal Basics
● Anatomy of Attack
● Vulnerable Form APIs
● Elements used in exploit
● Demo
● Key component of vulnerability
● Remediation
3. Drupal Basics
● Drupal is the platform for web content management among global enterprises,
governments, higher education institutions, and NGOs. Flexible and highly scalable, Drupal
publishes a single web site or shares content in multiple languages across many devices.
● Drupal’s Form API was introduced in Drupal 6 and allowed for alteration of the form data
during the form rendering process. This revolutionized the way markup processing was
done.
4. Anatomy of Attack
● Affected versions - < 7.58 / 8.x < 8.3.9 / 8.4.x < 8.4.6 / 8.5.x < 8.5.1
● This vulnerability allows an unauthenticated attacker to perform remote code execution on default or common
Drupal installations, which allows accessing all non-public data as well as being able to modify or delete it.
● The vulnerability relates to a conflict between how PHP handles arrays in parameters and Drupal's use of the
hash (#) at the beginning of array keys to signify special keys that typically result in further computation,
leading to the ability to inject code arbitrarily.
● Drupalgeddon2 targets AJAX requests composed of Drupal Form API’s renderable arrays, which are used to
render a requested page through Drupal’s theming system.
5. ● Renderable arrays contain metadata that is used in the rendering process. These renderable
arrays are a key-value structure in which the property keys start with a hash sign (#).
Please see below for an example:
6. Vulnerable Form APIs
● [#post_render]
○ Receives the result of the rendering process and adds wrappers around it.
● [#pre_render]
○ Manipulates the render array before rendering.
● [#access_callback]
○ Determines whether or not the current user has access to an element.
● [#lazy_builder]
○ Used to add elements at the very end of the rendering process.
7. The elements used in exploit
● [#post_render] : An array of functions which may operate on the rendered HTML after rendering. It receives
both the rendered HTML and the render array from which it was rendered and can use those to change the
rendered HTML.
● passthru : This PHP function is similar to the exec() function.
● #<Name> : These properties are used by the Forms API to generate forms, dynamically modify forms, etc.
● #type : Defines the element type. If this array is an element, this will cause the default element properties to be
loaded.
● [#markup] : A render array property used to return a string as markup so that it is rendered along with some
extra information, which allows the text and/or tags to be changed further down the line in the theming
process at runtime.
9. Key components of vulnerability
● Targets an unauthenticated page, which makes it much more effective.
● Dynamically generated things based on user input are always susceptible to data sanitization
issues.
● Presence of CHANGELOG.txt
10. Remediation
● New PHP processes created by the webserver user, particularly php -r <encoded command>
● New PHP files written to the web root
● Entries in web server access logs for requests to a registration form
● Single requests to CHANGELOG.txt
● For sites using Drupal 7.x, Drupal 7.59 has been released.
● For sites using Drupal 8.5.x, Drupal 8.5.3 has been released.
● For sites using Drupal 8.4.x, Drupal 8.4.8 has been released.
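As an added example (not from the slides), a small Python detector that applies the indicators listed on the Remediation slide to constructed access-log and process-list lines: CHANGELOG.txt version probes, URL-encoded `#`-prefixed parameter names sent to the registration form, and `php -r` processes owned by the web server user. The registration path `/user/register` and the account name `www-data` are assumptions that vary per site.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumptions (site-specific): Drupal's default registration form path and the
# account the web server runs as.
REGISTER_PATH = "/user/register"
WEB_USER = "www-data"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3}')
HASH_KEY = re.compile(r"(^|\[)#")  # '#' at the start of a key, or of a nested array key

def hash_prefixed_params(query):
    """Decoded parameter names starting with '#', the render-property prefix Drupal reserves."""
    return [k for k, _ in parse_qsl(query, keep_blank_values=True) if HASH_KEY.search(k)]

def scan_access_log(lines):
    """Return (ip, tag, target) for CHANGELOG.txt probes and '#' keys sent to the form."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m.group("ip"), m.group("target")
        parts = urlsplit(target)
        if parts.path.endswith("/CHANGELOG.txt"):
            findings.append((ip, "changelog_probe", target))
        elif parts.path.startswith(REGISTER_PATH) and hash_prefixed_params(parts.query):
            findings.append((ip, "hash_param_register", target))
    return findings

def suspicious_ips(findings):
    """Clients that both fingerprinted the version and sent '#' keys to the registration form."""
    tags = {}
    for ip, tag, _ in findings:
        tags.setdefault(ip, set()).add(tag)
    return sorted(ip for ip, t in tags.items() if {"changelog_probe", "hash_param_register"} <= t)

def scan_process_list(ps_lines):
    """Flag 'php -r ...' processes owned by the web server user ('ps -eo user,pid,args' output)."""
    hits = []
    for line in ps_lines:
        fields = line.split(None, 2)
        if len(fields) == 3 and fields[0] == WEB_USER and re.search(r"\bphp\s+-r\b", fields[2]):
            hits.append((int(fields[1]), fields[2]))
    return hits

# Constructed sample data (combined log format and ps output), not taken from a real host.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [10/Apr/2018:12:00:01 +0000] "GET /CHANGELOG.txt HTTP/1.1" 200 7321 "-" "curl/7.58.0"',
    '203.0.113.5 - - [10/Apr/2018:12:00:02 +0000] "POST /user/register?form%5B%23sample%5D=1 HTTP/1.1" 200 512 "-" "curl/7.58.0"',
    '198.51.100.7 - - [10/Apr/2018:12:05:10 +0000] "GET /user/register HTTP/1.1" 200 9031 "-" "Mozilla/5.0"',
]
SAMPLE_PS = ["www-data 4321 php -r <encoded command placeholder>", "www-data 4322 php-fpm: pool www", "root 1 /sbin/init"]
```

Running the three functions over the sample data flags the CHANGELOG.txt probe and the `form[#sample]` key from 203.0.113.5, reports that address as suspicious, and lists PID 4321 as a `php -r` child of the web server user.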
The Form API is known as “Renderable Arrays”. This extended API is used to represent the structure of most of the UI elements in Drupal, such as pages, blocks, nodes and more.
Rendering in the Drupal world means turning structured "render" arrays into HTML.
A render array is a classic Drupal structured array that provides data as to how it should be rendered.
Vulnerability Reported by Jasper Mattsson.
Theming system defines the visual look and feel of your site.
Passthru function executes a command and displays the raw output.
When you need to return a string as #markup so that it is rendered along with the table, rows, headers etc.: you can use a simple string to show an error, but for extra information you need to use #markup.
isset - checks whether a variable is set and not NULL.
$_REQUEST - A PHP superglobal used to collect data after submitting an HTML form, like $_GET and $_POST.
form_build_id - In order to manage multi-step forms, Drupal has a mechanism to temporarily save the submitted values in the database. During the next steps of the form submission, those cached values are retrieved and processed.
In Drupal 8, PHP has to be run as a subprocess, which is easier to notice in process listings.