Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Attackers Target Drupal Web Servers with Chained Vulnerabilities

A recent attack targeted Drupal web servers with a chain of vulnerabilities that included the infamous Drupalgeddon2 and DirtyCOW flaws, Imperva security researchers say.

The attack was short and impacted only some Linux-based systems, but it was noteworthy for attempting to persistently infect vulnerable servers and take over machines.

A recent attack targeted Drupal web servers with a chain of vulnerabilities that included the infamous Drupalgeddon2 and DirtyCOW flaws, Imperva security researchers say.

The attack was short and impacted only some Linux-based systems, but it was noteworthy for attempting to persistently infect vulnerable servers and take over machines.

Drupalgeddon2, a vulnerability tracked as CVE-2018-7600, impacts Drupal versions 6, 7 and 8 and could be exploited to gain full control of a site. Addressed in March this year, the flaw has been exploited for months and remains an important threat because of slow patching. 

DirtyCOW, on the other hand, is a Linux kernel vulnerability that allows an attacker to escalate privileges by modifying existing setuid files. Caused by a race condition in the manner in which Linux kernel’s memory subsystem handles copy-on-write (COW) breakage of private read-only memory mappings, the bug was being already exploited when patched in fall 2016. 

As part of the newly observed attack, cybercriminals are attempting to compromise Drupal servers using exploits for both Drupalgeddon2 and DirtyCOW, while also trying to gain access to the target machines via system misconfigurations. 

Unlike previously observed remote code execution (RCE) attacks on web servers, which were usually once-off security events, the new incident reveals the adoption of persistency, as the attackers use methods to easily re-infect vulnerable servers if the malicious process was terminated. 

As part of the assault, the attackers create a word list by locating all of Drupal’s settings files and extracting all of the lines that contain the word “pass”. With many administrators leaving ‘root’ as the default user to connect from the web application to the database, the attackers can attempt to change the user to root and execute their payload. 

The initial attack surface was the web application, meaning that the attacker’s code was running under the user and permissions of that application, which usually doesn’t have access to installing new services. This is why the attacker would attempt to leverage permissions to root, Imperva points out. 

Provided that the administrator did not leave the root passwords in the configuration files, the attacker then attempts to exploit the DirtyCOW bug to escalate privileges. The security researchers noticed that three different implementations of DirtyCOW were being downloaded as part of the attack, including one in raw format (C source code file), which was being compiled at runtime. 

Despite being a two-year-old vulnerability, one of the implementations has zero detection rate in VirusTotal, Imperva points out. 

After gaining root access and the permission to install new services, the attackers would install SSH, configure it, and then add their key to the list of authorized keys by the service. 

“Now, as long as the machine is up and running, the attacker can remotely transmit any command as the user root – game over,” Imperva concludes. 

Related: Hackers Exploit Drupalgeddon2 to Install Backdoor

Related: Remote Code Execution Flaws Patched in Drupal

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

While there are many routes to application security, bundles that allow security teams to quickly and easily secure applications and affect security posture in...