Vulnerabilities > CVE-2019-6340 - Deserialization of Untrusted Data vulnerability in Drupal

047910
CVSS 8.1 - HIGH
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
high complexity
drupal
CWE-502
nessus
exploit available
metasploit

Summary

Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RESTful Web Services (rest) module enabled and allows PATCH or POST requests, or the site has another web services module enabled, like JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. (Note: The Drupal 7 Services module itself does not require an update at this time, but you should apply other contributed updates associated with this advisory if Services is in use.)

Common Weakness Enumeration (CWE)

Exploit-Db

  • fileexploits/php/webapps/46459.py
    idEDB-ID:46459
    last seen2019-02-25
    modified2019-02-25
    platformphp
    port
    published2019-02-25
    reporterExploit-DB
    sourcehttps://www.exploit-db.com/download/46459
    titleDrupal < 8.6.9 - REST Module Remote Code Execution
    typewebapps
  • fileexploits/php/webapps/46452.txt
    idEDB-ID:46452
    last seen2019-02-23
    modified2019-02-23
    platformphp
    port80
    published2019-02-23
    reporterExploit-DB
    sourcehttps://www.exploit-db.com/download/46452
    titleDrupal < 8.6.10 / < 8.5.11 - REST Module Remote Code Execution
    typewebapps
  • fileexploits/php/remote/46510.rb
    idEDB-ID:46510
    last seen2019-03-07
    modified2019-03-07
    platformphp
    port
    published2019-03-07
    reporterExploit-DB
    sourcehttps://www.exploit-db.com/download/46510
    titleDrupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() RCE (Metasploit)
    typeremote

Metasploit

descriptionThis module exploits a PHP unserialize() vulnerability in Drupal RESTful Web Services by sending a crafted request to the /node REST endpoint. As per SA-CORE-2019-003, the initial remediation was to disable POST, PATCH, and PUT, but Ambionics discovered that GET was also vulnerable (albeit cached). Cached nodes can be exploited only once. Drupal updated SA-CORE-2019-003 with PSA-2019-02-22 to notify users of this alternate vector. Drupal < 8.5.11 and < 8.6.10 are vulnerable.
idMSF:EXPLOIT/UNIX/WEBAPP/DRUPAL_RESTWS_UNSERIALIZE
last seen2020-06-12
modified2020-02-19
published2019-03-05
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/drupal_restws_unserialize.rb
titleDrupal RESTful Web Services unserialize() RCE

Nessus

  • NASL familyCGI abuses
    NASL idDRUPAL_8_6_10.NASL
    descriptionAccording to its self-reported version, the instance of Drupal running on the remote web server is 8.5.x prior to 8.5.11, or 8.6.x prior to 8.6.10. It is, therefore, affected by a remote code execution vulnerability due to improper sanitization of data from non-form sources.
    last seen2020-06-01
    modified2020-06-02
    plugin id122349
    published2019-02-20
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122349
    titleDrupal 8.5.x < 8.5.11 / 8.6.x < 8.6.10 Remote Code Execution (SA-CORE-2019-003)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(122349);
      script_version("1.9");
      script_cvs_date("Date: 2019/10/31 15:18:51");
    
      script_cve_id("CVE-2019-6340");
    
      script_name(english:"Drupal 8.5.x < 8.5.11 / 8.6.x < 8.6.10 Remote Code Execution (SA-CORE-2019-003)");
      script_summary(english:"Checks the version of Drupal.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A PHP application running on the remote web server is affected by
    a remote code execution vulnerability.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version, the instance of Drupal
    running on the remote web server is 8.5.x prior to 8.5.11, or 8.6.x
    prior to 8.6.10. It is, therefore, affected by a remote code
    execution vulnerability due to improper sanitization of data from
    non-form sources.");
      script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/sa-core-2019-003");
      script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/project/drupal/releases/8.5.11");
      script_set_attribute(attribute:"see_also", value:"https://www.drupal.org/project/drupal/releases/8.6.10");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Drupal version 8.5.11 / 8.6.10 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-6340");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Drupal RESTful Web Services unserialize() RCE');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/02/20");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/02/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/20");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:drupal:drupal");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("drupal_detect.nasl");
      script_require_keys("installed_sw/Drupal", "Settings/ParanoidReport");
      script_require_ports("Services/www", 80, 443);
    
      exit(0);
    }
    
    include("vcf.inc");
    include("http.inc");
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    port = get_http_port(default:80, php:TRUE);
    
    app_info = vcf::get_app_info(app:"Drupal", port:port, webapp:true);
    
    vcf::check_granularity(app_info:app_info, sig_segments:2);
    
    constraints = [
      { "min_version" : "8.5", "fixed_version" : "8.5.11" },
      { "min_version" : "8.6", "fixed_version" : "8.6.10" }
    ];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
    
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_002B4B0535DD11E994A8000FFEC0B3E1.NASL
    descriptionDrupal Security Team Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases..
    last seen2020-06-01
    modified2020-06-02
    plugin id122372
    published2019-02-22
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122372
    titleFreeBSD : drupal -- Drupal core - Highly critical - Remote Code Execution (002b4b05-35dd-11e9-94a8-000ffec0b3e1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2019 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(122372);
      script_version("1.7");
      script_cvs_date("Date: 2019/08/23 10:01:45");
    
      script_cve_id("CVE-2019-6340");
    
      script_name(english:"FreeBSD : drupal -- Drupal core - Highly critical - Remote Code Execution (002b4b05-35dd-11e9-94a8-000ffec0b3e1)");
      script_summary(english:"Checks for updated package in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote FreeBSD host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Drupal Security Team
    
    Some field types do not properly sanitize data from non-form sources.
    This can lead to arbitrary PHP code execution in some cases.."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.drupal.org/sa-core-2019-002"
      );
      # https://vuxml.freebsd.org/freebsd/002b4b05-35dd-11e9-94a8-000ffec0b3e1.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?01080f35"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Drupal RESTful Web Services unserialize() RCE');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:drupal8");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/02/20");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/02/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/22");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"drupal8<8.6.10")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    

Packetstorm

Saint

bid107106
descriptionDrupal REST module command execution
idweb_cms_drupal
titledrupal_rest
typeremote

The Hacker News