Drupal Vulnerability (CVE-2019-6340) Can Be Exploited for Remote Code Execution

Drupal 8.6.9 RCE Exploiting with Python (CVE-2019-6340/SA-CORE-2019-003)

Drupal 8.6.9 RCE Exploiting with Python (CVE-2019-6340/SA-CORE-2019-003)

The content management framework Drupal recently fixed a vulnerability (CVE-2019-6340) in their core software, identified as SA-CORE-2019-003. The flaw is categorized as highly critical, exposing vulnerable installations to unauthenticated remote code execution (RCE). The vulnerability affects a substantial portion of Drupal installations, since it impacts the widely installed RESTful Web Services (rest) module. Specifically, the vulnerability requires that the following preconditions are met:

  1. Drupal 8.6.x, < 8.6.10 OR Drupal < 8.5.11
  2. RESTful Web Services module is enabled

This vulnerability is specifically in the REST API, which includes a deserialization module. In particular, the LinkItem class (a subclass of the FieldItemBase class) defines the link field, which defines the structure of links and associated fields (descriptions, etc.). Inside the LinkItem class is a single line that performs deserialization of options supplied for the link property. The Shortcut class then makes use of the link property, which is what ultimately exposes the deserialization to user controlled data. In Drupal, a shortcut is a way of visually displaying a quick link to a frequently used page via a toolbar or menu item.

How attackers exploit the vulnerability

Knowing these factors, an attacker can submit a crafted link that references a type of shortcut and contains serialized PHP in the ‘options’ field for the link.

Figure 1. The serialized content is processed even if the user is not authenticated

Figure 1. The serialized content is processed even if the user is not authenticated

Figure 2. Successful remote code execution

Figure 2. Successful remote code execution

In the response, you can see that we have successfully executed ‘cat /etc/passwd’ on the target, although this command could be trivially changed to anything, including downloading a web shell or establishing persistence on the target via malware or other means. All executed commands will inherit the privileges of the user running Drupal.

Figure 3. Attack variations can be easily performed with other API endpoints

Figure 3. Attack variations can be easily performed with other API endpoints

The specific payload used in the serialization makes use of a gadget chain via Guzzle, a PHP HTTP client, and was generated via PHPGGC (PHP Generic Gadget Chains), as pointed out by other researchers.

Trend Micro Solutions

All REST API endpoints in the applicable Drupal versions are potentially vulnerable, with the following HTTP methods: GET, PUT, PATCH, and POST. Disabling all web services modules or blocking all requests to them that use the aforementioned methods should be sufficient to prevent this attack. Users are also advised to upgrade to the latest Drupal version, which patches this issue.

A proactive, multilayered approach to security is key against threats that exploit vulnerabilities — from the gateway, endpoints, networks, and servers. Trend Micro Deep Security and Trend Micro™ Vulnerability Protection also provide virtual patching that protects servers and endpoints from threats that abuse vulnerabilities in critical applications or websites such as those that use Drupal. Trend Micro™ OfficeScan™ with XGen™ endpoint security has Vulnerability Protection that shields endpoints from identified and unknown vulnerability exploits even before patches are even deployed. Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security protect end users and businesses from these threats by detecting and blocking malicious files and all related malicious URLs.

The Trend Micro Deep Security and Trend Micro™ Vulnerability Protection solutions protect user systems from any threats that may target the vulnerability mentioned above via the following DPI rule:

  • 1009541 – Drupal Core Remote Code Execution Vulnerability (CVE-2019-6340)

Users who have the Trend Micro™ TippingPoint® system are protected from potential vulnerability exploitation via this MainlineDV filter:

  • 34578: HTTP: Drupal RESTful Web Services Code Injection Vulnerability

The Trend Micro™ Deep Discovery Inspector™ solution protects customers from related attacks via this DDI rule:

  • 2833: CVE-2019-6340 Drupal8 RESTful Web Services Remote Code Execution – HTTP (Request)

47 thoughts on “Drupal Vulnerability (CVE-2019-6340) Can Be Exploited for Remote Code Execution

  1. 780732 273714Youre so cool! I dont suppose Ive read anything in this way before. So good to uncover somebody with some original tips on this topic. realy appreciate starting this up. this superb site is something that is required more than the internet, a person if we do originality. valuable function for bringing something new towards the internet! 479993

  2. Hello would you mind stating which blog platform you?re working with?
    I?m looking to start my own blog in the near future but
    I?m having a difficult time selecting between BlogEngine/Wordpress/B2evolution and
    Drupal. The reason I ask is because your design seems different then most blogs and
    I?m looking for something completely unique.

    P.S Apologies for getting off-topic but I had to ask! https://www.m2move.ca

  3. Pretty section of content. I simply stumbled upon your blog and in accession capital to assert that I get actually
    enjoyed account your blog posts. Anyway I will be subscribing on your
    feeds and even I success you get right of entry to consistently rapidly.

  4. When I initially left a comment I appear to have clicked the -Notify me when new comments
    are added- checkbox and now each time a comment is added I receive 4 emails with
    the same comment. There has to be an easy method you can remove me from that service?

    Thank you!

  5. Hello would you mind letting me know which webhost you’re utilizing?
    I’ve loaded your blog in 3 different browsers and I must say this blog loads a lot faster then most.
    Can you suggest a good internet hosting provider at a honest price?
    Thank you, I appreciate it!

  6. Hi there, I found your site by means of Google whilst searching for a comparable topic, your web site got here up, it seems good.
    I’ve bookmarked it in my google bookmarks.
    Hi there, simply turned into aware of your weblog through Google, and located
    that it is really informative. I am gonna watch out for
    brussels. I will be grateful if you continue this in future.
    A lot of other folks will probably be benefited out of your writing.

  7. Nice weblog right here! Also your website so much up very fast!
    What host are you the usage of? Can I get your associate link in your host?
    I desire my site loaded up as quickly as yours lol

  8. This is very interesting, You’re a very skilled blogger.
    I have joined your rss feed and look forward to seeking more
    of your excellent post. Also, I have shared your website in my social networks!

  9. Thanks for some other informative website. The place else could I get that type of information written in such a
    perfect way? I’ve a mission that I’m simply now running on, and I’ve been at the look
    out for such info.

  10. how to photograph water drops

    Cheap Jerseys china In cricket’s case, that country would
    be. Now I, like most ns, think that’s a really bad idea.
    In the same way as I think that an ICC president whose agenda was to marginalize the BCCI would be
    a fool.. You take away their money because they all understand money and you simply say,
    ‘You’re done for 10 games and guess what? You guys are not getting
    even close to a Stanley Cup.’ If it’s an elite player on the other side, there’s no room for it in the NHL.”We all know who he is. He’s just a whiner beyond belief. You do this kind of stuff I don’t care who you are in the league. Cheap Jerseys china

    wholesale jerseys from china Simple. Chances are you already know which nation’s team is playing the game when you turn on the TV. Or are you that stupid that you have to see it plastered over the uniform of each player? No, didn’t think so. Almonds protect against cancer The content of amygdalin in almonds reduces the risk of developing cancer. The composition acts as antioxidant and helps to the removal of carcinogenic free radicals from the body. The high fiber content in nuts purified toxins from the gut, leading to degeneration of the cells and reduces the risk of developing colon cancer. wholesale jerseys from china

    wholesale jerseys The reflection of the light is perceived as a glow to humans. The most commonly spotted spider, for this reason, is the wolf spider. These nighttime hunters have better vision than many other arachnid species and therefore enjoy a better developed tapetum in the indirect eyes. In fact, he shouldn’t have got Murray annoyed because the No.2 seed destroyed him from there on it.Capdeville was broken in the second game of the third set and there was no way back. Murray seized on his opponent’s fading fitness and bludgeoned him into submission. Another two breaks were secured before the third set was wrapped up 6 0 in 21 minutes and the South American knew there was simply no way back.He did win his opening service game of the fourth set but it didn’t stop the rot. wholesale jerseys

    wholesale jerseys from china I thought I could live with it and decided to continue with the finishing process. After the first coat of polyurethane, I changed my mind and decided to try and fix the problem. I was able to sand off almost all of the stain and re apply the stain for a much more even color. In the midst of this holiday idyll, there is a diminutive knock at my wreathed door. And what to my wondering eyes should appear, but five tired, frazzled, haggard, broke, suddenly out of work, beautiful young Swedish strippers unloading themselves from a cab and looking for sanctuary in Bel Air. I, of course, granted it.. wholesale jerseys from china

    cheap jerseys It’s pretty disappointing in gear, too, whereby picking up pace on the motorway requires more planning than you’d hope.The gearbox you get depends on the engine you choose go for the cheaper 200t and you’ll get a six speed automatic, while the hybrid 450h uses a CVT (continuously variable transmission) setup. This gearbox doesn’t have gears as such, but is constantly changing ratios to keep the engine moving optimally.The new RX has a stronger body structure and chassis than the previous model, and some models are available with adaptive suspension, here called Adaptive Variable Suspension (AVS). This changes the damping rates it can switch to a soft setup to maintain a smooth ride, and firm up to improve the car’s handling when cornering.All cars get a drive select system, which lets you set up the suspension, throttle response, power output and fuel economy via one of three modes: Normal, Eco and Sport. cheap jerseys

    wholesale nfl jerseys For a plethora of reasons, professional football and Los Angeles just aren’t meant for each other. Louis to the City of Angels, where they have an almost 50 year history. Sure, that history includes only one measly, unsuccessful trip to the Super Bowl, back in ’79, and then a subsequent dash straight out of South Central Los Angeles to the city of Anaheim, deep in the bowels of Orange County, but it’s still a history.. wholesale nfl jerseys

    wholesale nfl jerseys You know Marcus had a shot at the pros. He was with the Vikings in their camp. He got into Cardinals camp. Friday’s authentic, engaging atmosphere makes it the perfect place to escape, socialize and connect with people while getting a rejuvenating second wind. Members of Give Me More Stripes Friday’s guest recognition program, receive free stuff and special perks year round. Friday’s has a rich heritage which includes being credited with popularizing Happy Hour, Long Island Iced Tea and Loaded Potato Skins. wholesale nfl jerseys

    wholesale nfl jerseys from china Over the last several weeks, I have subjected the ioSafe to extensive abuse testing. It’s been dropped from eight feet on the carpet, thrown across the room (again, on carpet), dropped from five feet onto concrete, and run over repeatedly with the van. It has been flushed multiple times in a (clean) toilet and spent the night in the freezer.. Even if they Finished 4th just in case, There will be no difference in theireur approach They are already taking every game as final. Hoping For a good contest between two sides. Good luck to both teams wholesale nfl jerseys from china.
    Cheap nfl Jerseys

  11. Howdy! Quick question that’s entirely off topic. Do you
    know how to make your site mobile friendly?
    My website looks weird when browsing from mmy apple iphone.
    I’m trying to find a template oor plugin that might be able tto
    correect this problem. If you have any recommendations, please share.
    Many thanks!

  12. I just couldn?t leave your website before suggesting that I actually loved the usual information a person provide
    for your visitors? Is going to be again continuously in order to inspect new
    I need to to thank you for this good read!! I certainly enjoyed every bit of it.
    I have you bookmarked to look at new stuff you post? https://www.miniexcavationrbeaudet.com

  13. This is very interesting, You’re a very skilled blogger.
    I’ve joined your feed annd look forward to seeking more of your magnificent post.
    Also, I have suared your site in my social networks!

  14. Hey There. I discovered your blog the usage of msn. This is
    a reaply smartly writte article. I’ll be sure to
    bookmarrk it and come back to learn extra of your helpful information. Thank you for the
    post. I will definitely comeback.

  15. Have you ever considered about including a little bit more than just your articles?
    I mean, what you say is fundamental and all. But think of if you added some great images or
    videos to give your posts more, “pop”! Your content is excellent but
    with pics and video clips, this site could definitely be one of the greatest in its field.
    Wonderful blog!

  16. Hi! This is kind of off topic but I need some advice from an established blog.
    Is it very hard to seet up your own blog? I’m not very techincal but
    I can figure things out pretty quick. I’m thinking abgout
    setting uup my own but I’m not sure where to begin. Do you have anny tips or suggestions?


  17. Can I simply just say what a relief to uncover somebody who truly understands what they are discussing online.

    You certainly understand how to bring an issue to light
    and make it important. A lot more people should read this and understand this side of the story.
    I can’t believe you are not more popular because you most certainly possess the gift.

Leave a Reply

Your email address will not be published. Required fields are marked *