The exploitation of a very dangerous Drupal vulnerability has started after the publication of proof-of-concept (PoC) code.
The code, hosted on GitHub, was created by Vitalii Rudnykh, a Russian security researcher. The code is based on a breakdown of the Drupalgeddon2 vulnerability published by Check Point and Dofinity researchers.
"Not seeing a lot of attempts yet, just a couple from a few IP addresses," Daniel Cid, VP of Engineering at GoDaddy and CTO/Founder of Sucuri told Bleeping Computer in a private conversation last night.
Cid told us that most exploitation attempts are "based on the PoC shared on GitHub," but other attackers might be working on their own code as well.
The Drupalgeddon2 vulnerability (CVE-2018-7600) allows an attacker to run any code he desires against one of the CMS' core components, effectively taking over a site. See Check Point and Dofinity's explanation below:
The Drupal security team patched Drupalgeddon2 on March 28 with the release of Drupal 7.58 and Drupal 8.5.1. The Drupal team said it expected that "exploits might be developed within hours or days."
It took two weeks for the first exploit PoC to be published mainly because the Drupal team withheld as many details about the vulnerability from the public as possible to delay the creation of the PoC and allow site owners the time to update their sites.
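Since the fix is a version bump, the quickest defensive check is to read the version a Drupal install reports about itself and compare it with the patched releases the article names. The following is an added example (not code from Bleeping Computer, Drupal, or the researchers quoted here). It assumes the real locations where Drupal records its version, includes/bootstrap.inc for Drupal 7 and core/lib/Drupal.php for Drupal 8; the file contents fed to it below are constructed samples, and it treats anything below 7.58 or 8.5.1 as unpatched because those are the only fixed releases this article lists.

```python
import re

# Minimum patched releases named in the article (Drupal 7.58 and Drupal 8.5.1).
# Other 8.x branches are not covered by the article, so they are reported as unpatched here.
PATCHED_MINIMUM = {7: (7, 58), 8: (8, 5, 1)}

# Drupal 7 stores its version in includes/bootstrap.inc as  define('VERSION', '7.57');
# Drupal 8 stores it in core/lib/Drupal.php as             const VERSION = '8.5.0';
_D7_PATTERN = re.compile(r"define\(\s*'VERSION'\s*,\s*'([0-9][0-9A-Za-z.\-]*)'\s*\)")
_D8_PATTERN = re.compile(r"const\s+VERSION\s*=\s*'([0-9][0-9A-Za-z.\-]*)'")


def parse_drupal_version(source_text):
    """Return the version string declared in a bootstrap.inc / Drupal.php body, or None."""
    for pattern in (_D8_PATTERN, _D7_PATTERN):
        match = pattern.search(source_text)
        if match:
            return match.group(1)
    return None


def version_tuple(version):
    """Turn '8.5.1' (or '8.5.1-dev') into (8, 5, 1); suffixes are ignored."""
    numeric = re.match(r"\d+(?:\.\d+)*", version)
    if not numeric:
        raise ValueError("unrecognised version string: %r" % version)
    return tuple(int(part) for part in numeric.group(0).split("."))


def is_patched(version):
    """True if version is at or above the patched release for its major branch.

    Returns None when the major branch is not one the article gives a fix for,
    so the caller can tell 'unknown' apart from 'unpatched'.
    """
    parts = version_tuple(version)
    minimum = PATCHED_MINIMUM.get(parts[0])
    if minimum is None:
        return None
    return parts >= minimum


def assess(source_text):
    """Combine parsing and the patch check into one verdict dictionary."""
    version = parse_drupal_version(source_text)
    if version is None:
        return {"version": None, "patched": None, "verdict": "version not found"}
    patched = is_patched(version)
    if patched is None:
        verdict = "branch not covered by the listed fixes"
    else:
        verdict = "patched" if patched else "UNPATCHED - update now"
    return {"version": version, "patched": patched, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample file bodies, one per major branch.
    samples = {
        "includes/bootstrap.inc (D7)": "<?php\ndefine('VERSION', '7.57');\n",
        "core/lib/Drupal.php (D8)": "<?php\nclass Drupal {\n  const VERSION = '8.5.1';\n}\n",
    }
    for label, body in samples.items():
        print(label, assess(body))
```

Run it against the real files of a site you administer (for example by passing `open('core/lib/Drupal.php').read()` to `assess`); a `None` verdict means the version string was not found or the branch is not one the article lists, which is a prompt to check Drupal's own advisory rather than a clean bill of health.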
Kevin Liston, a security researcher with SANS ISC, has also detected exploitation attempts against his organization's honeypots. The commands that attackers are trying to run via the PoC are currently harmless, and none are attempting to take over the underlying server (see list below).
- echo `whoami`
- phpinfo()
- echo 123
- whoami
- touch 1.html
- echo "xiokv"
These are instructions that are specific to attackers testing the PoC's effectiveness. Taking into account the low number of scans Sucuri has observed, the vulnerability's intrusive nature, and the history of past vulnerability exploitation attempts, it's only a matter of time before exploitation numbers explode and crooks replace these instructions with web-based malware or SEO spam injection mechanisms.
"I assume that tonight and tomorrow morning it will pick up," Cid told us about the scale and complexity of these exploitation attempts. "[It's] a little arms race to see who can get the sites first."
Liston has already started tracking down some of the sources of these scans. The one he was able to identify this morning tied back to a Chinese security news site.
"The authoritative name server for 'ceye.io' is ns.hackernews.cc, which appears to belong to a Chinese security news site," Liston said today in a forum post.
"Maybe they are working on a story to publish how many vulnerable systems there are, but actual exploitation of a vulnerability, even if somewhat benign, may be a step too far for a news story."
If you run a Drupal site, this may be your last few hours you have to patch before you are at serious risk of losing control over your site.