Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Drupal Dev Days 2018 - Autopsy of Vulnerabilities

119 views

Published on

Slides of session "Autopsy of Vulnerabilities" from Drupal Developer Days 2018.

Published in: Technology
  • Be the first to comment

Drupal Dev Days 2018 - Autopsy of Vulnerabilities

  1. 1. Our sponsors Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities
  2. 2. Our sponsors Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities
  3. 3. Our sponsors Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities
  4. 4. About me Who’s me? Ezequiel ”Zequi”V´azquez Backend Developer Sysadmin & DevOps Hacking & Security @RabbitLair Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities
  5. 5. About me Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities
  6. 6. Index 1 Introduction 2 Analysis of Vulnerabilities 3 What if I don’t patch? Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities
  7. 7. Index 1 Introduction 2 Analysis of Vulnerabilities 3 What if I don’t patch? Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities
  8. 8. Life cycle of a patch General steps 1 Discovery of a vulnerability → security team 2 Implementation of a patch, new release is published 3 Hackers study patch using reverse engineering → POC 4 POC published → massive attacks Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities
  9. 9. Ok! I will patch my system, but . . . Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities
  10. 10. Ok! I will patch my system, but . . . Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities
  11. 11. Index 1 Introduction 2 Analysis of Vulnerabilities 3 What if I don’t patch? Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities
  12. 12. Drupalgeddon 1 SA-CORE-2014-005 CVE-2014-3704 Patch released on October 15th, 2014 SQL injection as anonymous user All Drupal 7.x prior to 7.32 affected 25/25 score on NIST index Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities
  13. 13. Drupalgeddon 1 Arrays on HTTP POST method Method POST submits form values to server application Usually, integers or strings, but arrays are allowed Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities
  14. 14. Drupalgeddon 1 Database queries sanitization File includes/database/database.inc Method expandArguments Queries with condition like “column IN (a, b, c, . . . )” Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities
  15. 15. Drupalgeddon 1 Database queries sanitization File includes/database/database.inc Method expandArguments Queries with condition like “column IN (a, b, c, . . . )” Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities
  16. 16. Drupalgeddon 1 Database queries sanitization File includes/database/database.inc Method expandArguments Queries with condition like “column IN (a, b, c, . . . )” Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities
  17. 17. Drupalgeddon 1 The vulnerability Array index is not sanitized properly Poisoned variable is passed to database Result: Arbitrary SQL queries can be executed Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities
  18. 18. Drupalgeddon 1 The vulnerability Array index is not sanitized properly Poisoned variable is passed to database Result: Arbitrary SQL queries can be executed Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities
  19. 19. Drupalgeddon 1 Let’s see it Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities
  20. 20. Drupalgeddon 2 SA-CORE-2018-002 CVE-2018-7600 Patch released on March 28th, 2018 Remote code execution as anonymous user All versions affected prior to 7.58 and 8.5.1 24/25 score on NIST index Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities
  21. 21. Drupalgeddon 2 Renderable Arrays Forms API introduced in Drupal 4.7 Arrays whose keys start with “#” Drupal 7 generalized this mechanism to render everything Recursive behavior Callbacks: post render, pre render, value callback, . . . Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities
  22. 22. Drupalgeddon 2 Submitting forms Submitted value is stored in #value HTTP POST method allows to submit array as value Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities
  23. 23. Drupalgeddon 2 The vulnerability Use POSTMAN or similar to bypass the form Submit an array value in a field where Drupal expects a string Submitted array contains indexes starting with “#” Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities
  24. 24. Drupalgeddon 2 The vulnerability Use Ajax API to trick Drupal to renderize again mail field element parents determines part of form to be renderized Field is renderized, and post render callback is executed Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities
  25. 25. Drupalgeddon 2 Let’s see it Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities
  26. 26. Drupalgeddon 3 SA-CORE-2018-004 CVE-2018-7602 Patch released on April 25th, 2018 Remote code execution as authenticated user All versions affected prior to 7.59 and 8.5.3 20/25 score on NIST index Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities
  27. 27. Drupalgeddon 3 Destination parameter GET parameter used to redirect to an URL after execution It’s passed to stripDangerousValues to sanitize it Double encoding not detected: “#” → “ %23” → “ %2523” Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities
  28. 28. Drupalgeddon 3 Destination parameter GET parameter used to redirect to an URL after execution It’s passed to stripDangerousValues to sanitize it Double encoding not detected: “#” → “ %23” → “ %2523” Option trigering element name File includes/ajax.inc Identifies the element used for submission Sets a form element to be renderized again Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities
  29. 29. Drupalgeddon 3 The vulnerability: First step Perform a POST call to URL of a confirmation form trigering element name with value form id Destination contains a field with post render callback POST call redirects to confirmation form again → All set Payload must be URL encoded Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities
  30. 30. Drupalgeddon 3 The vulnerability: First step Perform a POST call to URL of a confirmation form trigering element name with value form id Destination contains a field with post render callback POST call redirects to confirmation form again → All set Payload must be URL encoded Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities
  31. 31. Drupalgeddon 3 The vulnerability: Second step Execute form cancel action as AJAX POST call /file/ajax/actions/cancel/ %23options/path/[form build id] Ajax API processes the form and executes poisoned post render Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities
  32. 32. Drupalgeddon 3 Let’s see it Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities
  33. 33. Index 1 Introduction 2 Analysis of Vulnerabilities 3 What if I don’t patch? Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities
  34. 34. Attacks in the wild Kids, don’t do this at home Full database dump Execute cryptocurrency mining malware Server used as malicious proxy Infect site users Defacement / Black SEO ??? Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities
  35. 35. In summary . . . Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities
  36. 36. That’s all, folks! Thank you! @RabbitLair zequi[at]lullabot[dot]com Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

×