Posted In Software

Calling a Spade a Spade

It's good to get right to the point.

If you're living in the world of Drupal, then you're likely aware of the SA-CORE-2014-005 security bug, which is a SQL injection attack arising from a bug in the database layer which is supposed to prevent these attacks.

Thankfully, the bug is classified at the most critical level, but unfortunately, it's only a small note that this can lead to "arbitrary PHP execution". Not only can this bug lead to arbitary PHP execution, it will and it's irresponsible to classify this as anything else.

Here's the process:

  1. Enable the PHP Filter Module. All modules in Drupal are enabled by making database queries. Not only is this possible, it's easy.
  2. Setup an Input Format that will allow the PHP filter to run.
  3. Create content with the input format specified in step 2. This content can simply be a PHP based backdoor, or a more sophisticated payload.
  4. Visit the URL of said created content, and back door will be executed.
  5. You're screwed.

Here are some of the things an attacker is likely to be able to do with this:

  • Read SSL private keys. PHP often runs at the same level of privelege as the webserver. This means that it will likely be able to gain access to these files since the webserver typically needs them as well.
  • Run arbitrary processes on the target environment. Thanks to PHP's exec function this is trivial.
  • Steal user credentials (duh)
  • The list goes on...

This is any many ways a worst case scenario bug. If you're running a site, you should patch the vulnerability immediately and perform a thorough analysis of the server the site is on.

If you're in the position to do a "burn to the ground" style of redeploy using backups and replacing the code out of a repository on a freshly deployed VM or server, I would hihgly suggest it. If you're not, a deep analysis of the database and server is going to be in order. Unforunately, just looking at what PHP can do is not enough since an attacker could download and execute any program they wish using this bug.

This bug demonstrates a simple fact, that it should be impossible to execute code from a user supplied string in any fashion. While Drupal's PHP Filter is disabled by default, the nature of this bug means that it's only an extra step to perform and arbitrary code execution attack. Drupal sites should not only disable PHP Filter, they should remove it completely (which has already been done for the upcoming Drupal 8).

Finally, the Drupal security team needs to hihglight the fact that this is essentially an arbitrary code exeuction vulnerability that's facilitated by an SQL injection. It's easy for an attacker to achieve this and not highlighting this fact will mean that site owners will remain unaware of the risks affecting them.

ga_key = "UA-31144606-1"