Drupal Dev Days 2018 - Autopsy of Vulnerabilities

•

2 recomendaciones•255 vistas

zekivazquez

Slides of session "Autopsy of Vulnerabilities" from Drupal Developer Days 2018.

Tecnología

Our sponsors
Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

About me
Who’s me?
Ezequiel ”Zequi”V´azquez
Backend Developer
Sysadmin & DevOps
Hacking & Security
@RabbitLair
Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

About me
Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

Index
1 Introduction
2 Analysis of Vulnerabilities
3 What if I don’t patch?
Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

Life cycle of a patch
General steps
1 Discovery of a vulnerability → security team
2 Implementation of a patch, new release is published
3 Hackers study patch using reverse engineering → POC
4 POC published → massive attacks
Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

Ok! I will patch my system, but . . .
Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

Drupalgeddon 1
SA-CORE-2014-005
CVE-2014-3704
Patch released on October 15th, 2014
SQL injection as anonymous user
All Drupal 7.x prior to 7.32 aﬀected
25/25 score on NIST index
Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

Drupalgeddon 1
Arrays on HTTP POST method
Method POST submits form values to server application
Usually, integers or strings, but arrays are allowed
Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

Drupalgeddon 1
Database queries sanitization
File includes/database/database.inc
Method expandArguments
Queries with condition like “column IN (a, b, c, . . . )”
Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

Drupalgeddon 1
The vulnerability
Array index is not sanitized properly
Poisoned variable is passed to database
Result: Arbitrary SQL queries can be executed
Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

Drupalgeddon 1
Let’s see it
Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

Drupalgeddon 2
SA-CORE-2018-002
CVE-2018-7600
Patch released on March 28th, 2018
Remote code execution as anonymous user
All versions aﬀected prior to 7.58 and 8.5.1
24/25 score on NIST index
Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

Drupalgeddon 2
Renderable Arrays
Forms API introduced in Drupal 4.7
Arrays whose keys start with “#”
Drupal 7 generalized this mechanism to render everything
Recursive behavior
Callbacks: post render, pre render, value callback, . . .
Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

Drupalgeddon 2
Submitting forms
Submitted value is stored in #value
HTTP POST method allows to submit array as value
Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

Drupalgeddon 2
The vulnerability
Use POSTMAN or similar to bypass the form
Submit an array value in a ﬁeld where Drupal expects a string
Submitted array contains indexes starting with “#”
Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

Drupalgeddon 2
The vulnerability
Use Ajax API to trick Drupal to renderize again mail ﬁeld
element parents determines part of form to be renderized
Field is renderized, and post render callback is executed
Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

Drupalgeddon 2
Let’s see it
Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

Drupalgeddon 3
SA-CORE-2018-004
CVE-2018-7602
Patch released on April 25th, 2018
Remote code execution as authenticated user
All versions aﬀected prior to 7.59 and 8.5.3
20/25 score on NIST index
Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

Drupalgeddon 3
Destination parameter
GET parameter used to redirect to an URL after execution
It’s passed to stripDangerousValues to sanitize it
Double encoding not detected: “#” → “ %23” → “ %2523”
Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

Drupalgeddon 3
The vulnerability: First step
Perform a POST call to URL of a conﬁrmation form
trigering element name with value form id
Destination contains a ﬁeld with post render callback
POST call redirects to conﬁrmation form again → All set
Payload must be URL encoded
Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

Drupalgeddon 3
The vulnerability: Second step
Execute form cancel action as AJAX POST call
/ﬁle/ajax/actions/cancel/ %23options/path/[form build id]
Ajax API processes the form and executes poisoned post render
Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

Drupalgeddon 3
Let’s see it
Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

Attacks in the wild
Kids, don’t do this at home
Full database dump
Execute cryptocurrency mining malware
Server used as malicious proxy
Infect site users
Defacement / Black SEO
???
Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

In summary . . .
Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

That’s all, folks!
Thank you!
@RabbitLair
zequi[at]lullabot[dot]com
Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

Más contenido relacionado

La actualidad más candente

Justin collins - Practical Static Analysis for continuous application delivery

DevSecCon

This talk presents a system that is able to track and log errors inside an Ember.js application (available on https://github.com/kredde/ember-error-tracker ). The error logs are then evaluated by analyzing the stack trace to determine when the bug was introduced into the system. The system is also able to automatically file bug reports and to track how long it took for the team to fix bugs. The objective is to facilitate the process of identifying and fixing bugs for developers, by partially automating the issue tracking procedure.

SFSCon19 - Kristian Schwienbacher - Custom error and event tracking for Ember...

South Tyrol Free Software Conference

PETKO D. PETKOV Thanks to the DevSecOps philosophy a growing number of organisations around the world are ensuring their businesses are set up with the security in mind from the get-go. DevSecOps is taking the world by storm. This talk is about how to introduce DevSecOps in your organisation with ready-made, zero-cost, open source templates accessible to everyone. The talk will introduce the OpenDevSecOps project and show many practical examples of how to easily deploy security testing infrastructure on top of existing and well-established development tools.

DevSecCon London 2018: Open DevSecOps

DevSecCon

Invoke-DOSfuscation

Daniel Bohannon

A Taxonomy of Clustering, or, No Container is an Island

Ted M. Young

Geb for browser automation

Jacob Aae Mikkelsen

La actualidad más candente (6)

Justin collins - Practical Static Analysis for continuous application delivery

SFSCon19 - Kristian Schwienbacher - Custom error and event tracking for Ember...

DevSecCon London 2018: Open DevSecOps

Invoke-DOSfuscation

A Taxonomy of Clustering, or, No Container is an Island

Geb for browser automation

Similar a Drupal Dev Days 2018 - Autopsy of Vulnerabilities

So, you’ve fully embraced the container revolution and are now deploying all the Java applications packaged in Docker containers, but are you exercising appropriate caution with the new security issues container technology can bring? This session presents an overview of the current threat landscape, with a focus on container technology and Java applications, and shows how to mitigate the risks. Hear about the impact of security throughout the software creation and delivery lifecycle and how container technology changes and adds to the security requirements of modern software. Also learn about the important open source tools for code scanning, dependency verification, and so on—and guidelines on when to use them.

CodeOne SF 2018 "Are you deploying and operating with security in mind?"

Daniel Bryant

Cybercrime is rising at an alarming rate. As a Java developer you know you need to be better informed about security matters but it’s hard to know where to start. This workshop will help you understand how to improve the security of your application through a series of demonstration hacks and related hands on exercises. Serious though the topic is, this practical session will be fun and will leaving you more informed and better prepared. Start building your security memory muscle here

Java application security the hard way - a workshop for the serious developer

Steve Poole

Checking Bitcoin

Andrey Karpov

Presented at SauceCon 2021, April. More details: https://www.eviltester.com/conference/saucecon2021_conference/ Security Testing is a highly technical set of skills, covering a wide domain of knowledge that can take a long time to learn and gain proficiency. We already have enough to learn with Software Testing and even more when we add in Automating. So are there any simple ways to increase the scope of what we already do, that provide more insight into the security of our application? Answer: Yes. And in this talk we will cover practical steps, dos and don’ts to add some Security focus fast, without spending years learning how to Hack applications.

Add More Security To Your Testing and Automating - Saucecon 2021

Alan Richardson

Security is hard. We all miss things. Attackers find things. "You must learn from the mistakes of others. You can't possibly live long enough to make them all yourself." -Samuel Levenson This talk is a fun, fast-moving survey of some of the best recent bug bounty finds against some of the largest and best-known applications in the world. Some of the bugs are really simple, some are super complex, but all are entertaining. As we go through these, we'll take a look at what caused the issue, and how to fix it. From this talk, you'll walk away with: * a few minutes of entertainment * a view of the wide breadth of security issues * practical ideas on testing and shoring up security in your own applications * (maybe) a new side gig as a bug bounty hunter!

Watch How The Giants Fall: Learning from Bug Bounty Results

jtmelton

Auscert 2022 - log4shell and history of Java deserialisation RCE

David Jorm

Unity3D is one of the most promising and rapidly developing game engines to date. Every now and then, the developers upload new libraries and components to the official repository, many of which weren't available in as open-source projects until recently. Unfortunately, the Unity3D developer team allowed the public to dissect only some of the components, libraries, and demos employed by the project, while keeping the bulk of its code closed. In this article, we will try to find bugs and typos in those components with the help of PVS-Studio static analyzer.

Discussing Errors in Unity3D's Open-Source Components

PVS-Studio

JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложение

JSFestUA

Vulners: Google for hackers

Kirill Ermakov

DevSecCon Boston 2018: Building a practical DevSecOps pipeline for free by Je...

DevSecCon

Security as Code: DOES15

Ed Bellis

Security process should be integrated with SDLC well to be successful. While many companies have already moved from Waterfall to Agile methodologies security remains behind more often than not. We have demonstrated in our presentation how security can move to agile by utilizing open source tools, customizing them to meet our needs and to implement a continuos security testing using dynamic scanners as well as manual testing. It’s very important also to assure that false positives are not fed to the developers bug tracking systems and to assign a severity for each finding correctly. To make it happen we import all our findings to a security dashboard and review them before exporting to a bug tracking system.

Making Security Agile

Oleg Gryb

Automation of web attacks from advisories to create real world exploits

Munir Njiru

6 ways to hack your JavaScript application by Viktor Turskyi

OdessaJS Conf

JavaScript Supply Chain Security

Adam Baldwin

This talk cares about the fundamentals of testing, a little bit history of how the professional community developed what we currently know as testing, but also about why I should care about testing? why is it important to do a test? What is important to test? What is not important to test? How to do testing? There some examples in plnker just to see each step, and many surprises. This talk also compares what people learned in the Computer Sciences and Engineering degrees and what people does in testing. It gives some tips to catch up with current state of art and gives some points to start changing syllabus to make better engineers. This talk is good for beginners, teachers, bosses, but also for seasoned techies that just want to light up some of the ideas that they might have been hatching. Spoiler alert: testing will save you development time and make you a good professional.

(automatic) Testing: from business to university and back

David Rodenas

Mining SQL Injection and Cross Site Scripting Vulnerabilities using Hybrid Pr...

Lionel Briand

In May 2016, German game-development company Crytek made a decision to upload the source code of their game engine CryEngine V to Github. The engine is written in C++ and has immediately attracted attention of both the open-source developer community and the team of developers of PVS-Studio static analyzer who regularly scan the code of open-source projects to estimate its quality. A lot of great games were created by a number of video-game development studios using various versions of CryEngine, and now the engine has become available to even more developers. This article gives an overview of errors found in the project by PVS-Studio static analyzer.

Long-Awaited Check of CryEngine V

PVS-Studio

Presented at the droidcon NYC 2015: http://droidcon.nyc/2015/dcnyc/25/ Nearly every Android developer has heard of the Lint and Checkstyle tools - however few use either to its full power, if at all. In addition to maintaining a consistent code style, we will see how to enforce architecture conventions and even prevent wrong usage of both internal and your own APIs. For example, you have a fancy BaseFragment which should be extended by all your Fragments, or you have a custom logger which should be used instead of android.util.Log. Both of these are perfect use cases for custom Lint checks. This session will show you how to configure Checkstyle and Lint to your liking, and how to use their APIs to create custom checks, as well as how to include both in your Gradle-based project.

Better Code through Lint and Checkstyle

Marc Prengemann

Continuous Integration - Live Static Analysis with Puma Scan

Puma Security, LLC

Similar a Drupal Dev Days 2018 - Autopsy of Vulnerabilities (20)

CodeOne SF 2018 "Are you deploying and operating with security in mind?"

Java application security the hard way - a workshop for the serious developer

Checking Bitcoin

Add More Security To Your Testing and Automating - Saucecon 2021

Watch How The Giants Fall: Learning from Bug Bounty Results

Auscert 2022 - log4shell and history of Java deserialisation RCE

Discussing Errors in Unity3D's Open-Source Components

JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложение

Vulners: Google for hackers

DevSecCon Boston 2018: Building a practical DevSecOps pipeline for free by Je...

Security as Code: DOES15

Making Security Agile

Automation of web attacks from advisories to create real world exploits

6 ways to hack your JavaScript application by Viktor Turskyi

JavaScript Supply Chain Security

(automatic) Testing: from business to university and back

Mining SQL Injection and Cross Site Scripting Vulnerabilities using Hybrid Pr...

Long-Awaited Check of CryEngine V

Better Code through Lint and Checkstyle

Continuous Integration - Live Static Analysis with Puma Scan

Más de zekivazquez

DrupalCamp Spain 2018: CSI, autopsia de vulnerabilidades

zekivazquez

Hacking a sistemas CMS

zekivazquez

Security for Human Beings

zekivazquez

Information is Power

zekivazquez

Slides de la charla impartida en el Hack&Beers Cádiz, Vol. 3, sobre una pequeña introducción al "remapeo" (o cambio de parámetros en la centralita) de una motocicleta con motor de inyección. Se explicó el origen de la emblemática marca Harley Davidson, la diferencia entre motores de carburación e inyección, y en qué consiste la modificación de los parámetros de ésta última (coloquialmente conocido como "remapeo"), con el objetivo de afinar el comportamiento del motor. La sesión consiste en unas pequeñas pinceladas, ya que el autor no es experto en mecánica.

Hackea tu propia Harley

zekivazquez

Seguridad para todos

zekivazquez

DrupalCon Barcelona 2015 - Drupal Extreme Scaling

zekivazquez

Hack & Beers - Seguridad en Drupal

zekivazquez

Hacking & Hardening Drupal

zekivazquez

Drupal Extreme Scaling

zekivazquez

Hacking Drupal - Anatomía de una auditoría de seguridad

zekivazquez

Taller Drupal - Jornadas Software Libre UCA

zekivazquez

Desarrollo Seguro en Drupal - DrupalCamp Spain 2013

zekivazquez

Betabeers Sevilla - Hacking web con OWASP

zekivazquez

Hacking web con OWASP

zekivazquez

Más de zekivazquez (15)

DrupalCamp Spain 2018: CSI, autopsia de vulnerabilidades

Hacking a sistemas CMS

Security for Human Beings

Information is Power

Hackea tu propia Harley

Seguridad para todos

DrupalCon Barcelona 2015 - Drupal Extreme Scaling

Hack & Beers - Seguridad en Drupal

Hacking & Hardening Drupal

Drupal Extreme Scaling

Hacking Drupal - Anatomía de una auditoría de seguridad

Taller Drupal - Jornadas Software Libre UCA

Desarrollo Seguro en Drupal - DrupalCamp Spain 2013

Betabeers Sevilla - Hacking web con OWASP

Hacking web con OWASP

Último

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

MadyBayot

Corporate and higher education. Two industries that, in the past, have had a clear divide with very little crossover. The difference in goals, learning styles and objectives paved the way for differing learning technologies platforms to evolve. Now, those stark lines are blurring as both sides are discovering they have content that’s relevant to the other. Join Tammy Rutherford as she walks through the pros and cons of corporate and higher ed collaborating. And the challenges of these different technology platforms working together for a brighter future.

Corporate and higher education May webinar.pptx

Rustici Software

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

Zilliz

The action of the next cyber saga takes place in the mystical lands of the Asia-Pacific region, where the main characters began their digital activities in the middle of 2021 and qualitatively strengthened it in 2022. Corporate espionage, document theft, audio recordings, and data leaks from messaging platforms were all a matter of one day for Dark Pink. Their geographical focus may have started in the Asia-Pacific region, but their ambitions knew no bounds, targeting a European government ministry in a bold move to expand their portfolio. Their victim profile was as diverse as a UN meeting, targeting military organizations, government agencies, and even a religious organization. Because discrimination is not a fashionable agenda. In the world of cybercrime, they serve as a reminder that sometimes the most serious threats come in the most unassuming packages with a pink bow.

Cyberprint. Dark Pink Apt Group [EN].pdf

Overkill Security

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

Angeliki Cooney has spent over twenty years at the forefront of the life sciences industry, working out of Wynantskill, NY. She is highly regarded for her dedication to advancing the development and accessibility of innovative treatments for chronic diseases, rare disorders, and cancer. Her professional journey has centered on strategic consulting for biopharmaceutical companies, facilitating digital transformation, enhancing omnichannel engagement, and refining strategic commercial practices. Angeliki's innovative contributions include pioneering several software-as-a-service (SaaS) products for the life sciences sector, earning her three patents. As the Senior Vice President of Life Sciences at Avenga, Angeliki orchestrated the firm's strategic entry into the U.S. market. Avenga, a renowned digital engineering and consulting firm, partners with significant entities in the pharmaceutical and biotechnology fields. Her leadership was instrumental in expanding Avenga's client base and establishing its presence in the competitive U.S. market.

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...

Angeliki Cooney

Exploring Multimodal Embeddings with Milvus

Zilliz

Accelerating FinTech Innovation: Unleashing API Economy and GenAI Vasa Krishnan, Chief Technology Officer - FinResults Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

apidays

Dubai, often portrayed as a shimmering oasis in the desert, faces its own set of challenges, including the occasional threat of flooding. Despite its reputation for opulence and modernity, the emirate is not immune to the forces of nature. In recent years, Dubai has experienced sporadic but significant floods, testing the resilience of its infrastructure and communities. Among the critical lifelines in this bustling metropolis is the Dubai International Airport, a bustling hub that connects the city to the world. This article explores the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...

Orbitshub

The Good, the Bad and the Governed - Why is governance a dirty word? David O'Neill, Chief Operating Officer - APIContext Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...

apidays

ICT role in 21st century education and its challenges

rafiqahmad00786416

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Edi Saputra

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Zilliz

Manulife - Insurer Transformation Award 2024

The Digital Insurer

Keynote 2: APIs in 2030: The Risk of Technological Sleepwalk Paolo Malinverno, Growth Advisor - The Business of Technology Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

apidays

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

Drupal Dev Days 2018 - Autopsy of Vulnerabilities

2. Our sponsors Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

3. Our sponsors Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

4. Our sponsors Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

5. About me Who’s me? Ezequiel ”Zequi”V´azquez Backend Developer Sysadmin & DevOps Hacking & Security @RabbitLair Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

6. About me Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

7. Index 1 Introduction 2 Analysis of Vulnerabilities 3 What if I don’t patch? Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

8. Index 1 Introduction 2 Analysis of Vulnerabilities 3 What if I don’t patch? Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

9. Life cycle of a patch General steps 1 Discovery of a vulnerability → security team 2 Implementation of a patch, new release is published 3 Hackers study patch using reverse engineering → POC 4 POC published → massive attacks Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

10. Ok! I will patch my system, but . . . Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

11. Ok! I will patch my system, but . . . Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

12. Index 1 Introduction 2 Analysis of Vulnerabilities 3 What if I don’t patch? Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

13. Drupalgeddon 1 SA-CORE-2014-005 CVE-2014-3704 Patch released on October 15th, 2014 SQL injection as anonymous user All Drupal 7.x prior to 7.32 aﬀected 25/25 score on NIST index Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

14. Drupalgeddon 1 Arrays on HTTP POST method Method POST submits form values to server application Usually, integers or strings, but arrays are allowed Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

15. Drupalgeddon 1 Database queries sanitization File includes/database/database.inc Method expandArguments Queries with condition like “column IN (a, b, c, . . . )” Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

16. Drupalgeddon 1 Database queries sanitization File includes/database/database.inc Method expandArguments Queries with condition like “column IN (a, b, c, . . . )” Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

17. Drupalgeddon 1 Database queries sanitization File includes/database/database.inc Method expandArguments Queries with condition like “column IN (a, b, c, . . . )” Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

18. Drupalgeddon 1 The vulnerability Array index is not sanitized properly Poisoned variable is passed to database Result: Arbitrary SQL queries can be executed Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

19. Drupalgeddon 1 The vulnerability Array index is not sanitized properly Poisoned variable is passed to database Result: Arbitrary SQL queries can be executed Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

20. Drupalgeddon 1 Let’s see it Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

21. Drupalgeddon 2 SA-CORE-2018-002 CVE-2018-7600 Patch released on March 28th, 2018 Remote code execution as anonymous user All versions aﬀected prior to 7.58 and 8.5.1 24/25 score on NIST index Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

22. Drupalgeddon 2 Renderable Arrays Forms API introduced in Drupal 4.7 Arrays whose keys start with “#” Drupal 7 generalized this mechanism to render everything Recursive behavior Callbacks: post render, pre render, value callback, . . . Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

23. Drupalgeddon 2 Submitting forms Submitted value is stored in #value HTTP POST method allows to submit array as value Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

24. Drupalgeddon 2 The vulnerability Use POSTMAN or similar to bypass the form Submit an array value in a ﬁeld where Drupal expects a string Submitted array contains indexes starting with “#” Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

25. Drupalgeddon 2 The vulnerability Use Ajax API to trick Drupal to renderize again mail ﬁeld element parents determines part of form to be renderized Field is renderized, and post render callback is executed Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

26. Drupalgeddon 2 Let’s see it Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

27. Drupalgeddon 3 SA-CORE-2018-004 CVE-2018-7602 Patch released on April 25th, 2018 Remote code execution as authenticated user All versions aﬀected prior to 7.59 and 8.5.3 20/25 score on NIST index Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

28. Drupalgeddon 3 Destination parameter GET parameter used to redirect to an URL after execution It’s passed to stripDangerousValues to sanitize it Double encoding not detected: “#” → “ %23” → “ %2523” Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

29. Drupalgeddon 3 Destination parameter GET parameter used to redirect to an URL after execution It’s passed to stripDangerousValues to sanitize it Double encoding not detected: “#” → “ %23” → “ %2523” Option trigering element name File includes/ajax.inc Identiﬁes the element used for submission Sets a form element to be renderized again Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

30. Drupalgeddon 3 The vulnerability: First step Perform a POST call to URL of a confirmation form trigering element name with value form id Destination contains a field with post render callback POST call redirects to confirmation form again → All set Payload must be URL encoded Zequi Vázquez @RabbitLair Autopsy of Vulnerabilities

31. Drupalgeddon 3 The vulnerability: First step Perform a POST call to URL of a confirmation form trigering element name with value form id Destination contains a field with post render callback POST call redirects to confirmation form again → All set Payload must be URL encoded Zequi Vázquez @RabbitLair Autopsy of Vulnerabilities

32. Drupalgeddon 3 The vulnerability: Second step Execute form cancel action as AJAX POST call /ﬁle/ajax/actions/cancel/ %23options/path/[form build id] Ajax API processes the form and executes poisoned post render Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

33. Drupalgeddon 3 Let’s see it Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

34. Index 1 Introduction 2 Analysis of Vulnerabilities 3 What if I don’t patch? Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

35. Attacks in the wild Kids, don’t do this at home Full database dump Execute cryptocurrency mining malware Server used as malicious proxy Infect site users Defacement / Black SEO ??? Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

36. In summary . . . Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

37. That’s all, folks! Thank you! @RabbitLair zequi[at]lullabot[dot]com Zequi V´azquez @RabbitLair Autopsy of Vulnerabilities

Drupal Dev Days 2018 - Autopsy of Vulnerabilities

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (6)

Similar a Drupal Dev Days 2018 - Autopsy of Vulnerabilities

Similar a Drupal Dev Days 2018 - Autopsy of Vulnerabilities (20)

Más de zekivazquez

Más de zekivazquez (15)

Último

Último (20)

Drupal Dev Days 2018 - Autopsy of Vulnerabilities