Drupalgeddon2

The exploitation of a very dangerous Drupal vulnerability has started after the publication of proof-of-concept (PoC) code.

The code, hosted on GitHub, was created by Vitalii Rudnykh, a Russian security researcher. The code is based on a breakdown of the Drupalgeddon2 vulnerability published by Check Point and Dofinity researchers.

It all happened within a few hours: Check Point's blog post, Rudnykh's PoC, and then the start of exploitation attempts, first spotted by web security firm Sucuri.

Sucuri: Not a lot of exploitation attempts yet

"Not seeing a lot of attempts yet, just a couple from a few IP addresses," Daniel Cid, VP of Engineering at GoDaddy and CTO/Founder of Sucuri told Bleeping Computer in a private conversation last night.

Cid told us that most exploitation attempts are "based on the PoC shared on GitHub," but other attackers might be working on their own code as well.

The Drupalgeddon2 vulnerability (CVE-2018-7600) allows an attacker to run arbitrary code against one of the CMS' core components, effectively taking over a site. See Check Point and Dofinity's explanation below:

In brief, Drupal had insufficient input sanitation on Form API (FAPI) AJAX requests. As a result, this enabled an attacker to potentially inject a malicious payload into the internal form structure. This would have caused Drupal to execute it without user authentication. By exploiting this vulnerability an attacker would have been able to carry out a full site takeover of any Drupal customer.

The Drupal security team patched Drupalgeddon2 on March 28 with the release of Drupal 7.58 and Drupal 8.5.1. The Drupal team said it expected that "exploits might be developed within hours or days."

It took two weeks for the first exploit PoC to be published mainly because the Drupal team withheld as many details about the vulnerability from the public as possible to delay the creation of the PoC and allow site owners the time to update their sites.

No site takeovers yet. Just a lot of PoC testing.

Kevin Liston, a security researcher with SANS ISC, has also detected exploitation attempts against his organization's honeypots. The commands that attackers are trying to run via the PoC are currently harmless, and none are attempting to take over the underlying server (see list below).

echo `whoami`
phpinfo()
echo 123
whoami
touch 1.html
echo "xiokv"

These commands are typical of attackers testing whether the PoC works rather than doing real damage. Taking into account the low number of scans Sucuri has observed, the vulnerability's intrusive nature, and the history of past vulnerability exploitation attempts, it is only a matter of time before exploitation numbers explode and crooks replace these test commands with web-based malware or SEO spam injection mechanisms.
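For site owners who want to know whether the scanning described above has reached them, here is an added example (not code from the article, from Drupal, from Sucuri or from SANS ISC) that does two things a defender would want at this point: it checks a Drupal version string against the two fixed releases the article names (7.58 and 8.5.1), and it scans web server access logs for the PoC test commands listed above. The Combined Log Format, the sample log lines, and the placement of the commands in the request query string are all assumptions constructed for the demo; the article does not say how the PoC encodes them, and commands sent only in a POST body will not appear in a standard access log at all.

```python
"""Drupalgeddon2 scan triage: version check and access-log scanner (added example)."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Test commands the article reports were seen against the SANS ISC honeypots.
POC_TEST_COMMANDS = [
    "echo `whoami`",
    "phpinfo()",
    "echo 123",
    "whoami",
    "touch 1.html",
    'echo "xiokv"',
]

# Fixed releases named in the article. Only these two branches are modelled;
# other 8.x minor branches received separate fixes the article does not list,
# so treat a result for them as an assumption, not a verdict.
FIXED_VERSIONS = {7: (7, 58), 8: (8, 5, 1)}


def parse_version(version):
    """'8.5.1' -> (8, 5, 1); non-numeric parts are not expected here."""
    return tuple(int(p) for p in version.split("."))


def is_vulnerable_version(version):
    """True if the version predates the fixed release on its branch, False if not,
    None if the branch is not one the article gives a fixed version for."""
    parts = parse_version(version)
    fixed = FIXED_VERSIONS.get(parts[0])
    if fixed is None:
        return None
    width = max(len(parts), len(fixed))
    padded_parts = parts + (0,) * (width - len(parts))
    padded_fixed = fixed + (0,) * (width - len(fixed))
    return padded_parts < padded_fixed


# Combined Log Format: ip ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def matched_commands(request_target):
    """Return every PoC test command that appears in the URL-decoded request target.
    Shorter commands such as 'whoami' also match inside longer ones; that is fine
    for triage, where any hit is worth a look."""
    decoded = unquote_plus(request_target)
    return [cmd for cmd in POC_TEST_COMMANDS if cmd in decoded]


def scan_log(text):
    """Return one record per log line whose request target carries a PoC test command."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        cmds = matched_commands(m["target"])
        if cmds:
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "target": m["target"], "commands": cmds})
    return hits


def hits_by_source(hits):
    """Count hits per source IP, to see whether it is 'a couple of IPs' or a wave."""
    return Counter(h["ip"] for h in hits)


# Constructed sample log (made up for this example; 198.51.100.0/24, 203.0.113.0/24
# and 192.0.2.0/24 are documentation ranges, not real scanners).
SAMPLE_LOG = """\
198.51.100.7 - - [13/Apr/2018:08:14:02 +0000] "GET /index.php?q=node&cmd=echo%20%60whoami%60 HTTP/1.1" 200 1432 "-" "python-requests/2.18.4"
198.51.100.7 - - [13/Apr/2018:08:14:05 +0000] "POST /index.php?q=user/register&cmd=touch+1.html HTTP/1.1" 200 88 "-" "python-requests/2.18.4"
192.0.2.44 - - [13/Apr/2018:08:15:30 +0000] "GET /node/12 HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Apr/2018:08:16:11 +0000] "GET /?cmd=phpinfo%28%29 HTTP/1.1" 200 61 "-" "curl/7.58.0"
"""

if __name__ == "__main__":
    for v in ("7.57", "7.58", "8.5.0", "8.5.1"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["ip"], h["method"], h["target"], "->", h["commands"])
    print("hits per source:", dict(hits_by_source(found)))
```

Run it against your own access log by replacing `SAMPLE_LOG` with the file contents. A match tells you a scanner has tried the PoC against you, not that it succeeded; the response size and status code in the same line, and any new files such as `1.html` in the web root, are the next things to check.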

"I assume that tonight and tomorrow morning it will pick up," Cid told us about the scale and complexity of these exploitation attempts. "[It's] a little arms race to see who can get the sites first."

News site caught using Drupalgeddon2 PoC

Liston has already started tracking down some of the sources of these scans. The one he was able to identify this morning tied back to a Chinese security news site.

"The authoritative name server for 'ceye.io' is ns[12].hackernews.cc, which appears to belong to a Chinese security news site," Liston said today in a forum post.

"Maybe they are working on a story to publish how many vulnerable systems there are, but actual exploitation of a vulnerability, even if somewhat benign, may be a step too far for a news story."

If you run a Drupal site, these may be the last few hours you have to patch before you are at serious risk of losing control over your site.
