Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Attackers Target Drupal Web Servers with Chained Vulnerabilities

A recent attack targeted Drupal web servers with a chain of vulnerabilities that included the infamous Drupalgeddon2 and DirtyCOW flaws, Imperva security researchers say.

The attack was short and impacted only some Linux-based systems, but it was noteworthy for attempting to persistently infect vulnerable servers and take over machines.

A recent attack targeted Drupal web servers with a chain of vulnerabilities that included the infamous Drupalgeddon2 and DirtyCOW flaws, Imperva security researchers say.

The attack was short and impacted only some Linux-based systems, but it was noteworthy for attempting to persistently infect vulnerable servers and take over machines.

Drupalgeddon2, a vulnerability tracked as CVE-2018-7600, impacts Drupal versions 6, 7 and 8 and could be exploited to gain full control of a site. Addressed in March this year, the flaw has been exploited for months and remains an important threat because of slow patching. 

DirtyCOW, on the other hand, is a Linux kernel vulnerability that allows an attacker to escalate privileges by modifying existing setuid files. Caused by a race condition in the manner in which Linux kernel’s memory subsystem handles copy-on-write (COW) breakage of private read-only memory mappings, the bug was being already exploited when patched in fall 2016. 

As part of the newly observed attack, cybercriminals are attempting to compromise Drupal servers using exploits for both Drupalgeddon2 and DirtyCOW, while also trying to gain access to the target machines via system misconfigurations. 

Unlike previously observed remote code execution (RCE) attacks on web servers, which were usually once-off security events, the new incident reveals the adoption of persistency, as the attackers use methods to easily re-infect vulnerable servers if the malicious process was terminated. 

As part of the assault, the attackers create a word list by locating all of Drupal’s settings files and extracting all of the lines that contain the word “pass”. With many administrators leaving ‘root’ as the default user to connect from the web application to the database, the attackers can attempt to change the user to root and execute their payload. 

The initial attack surface was the web application, meaning that the attacker’s code was running under the user and permissions of that application, which usually doesn’t have access to installing new services. This is why the attacker would attempt to leverage permissions to root, Imperva points out. 

Provided that the administrator did not leave the root passwords in the configuration files, the attacker then attempts to exploit the DirtyCOW bug to escalate privileges. The security researchers noticed that three different implementations of DirtyCOW were being downloaded as part of the attack, including one in raw format (C source code file), which was being compiled at runtime. 

Despite being a two-year-old vulnerability, one of the implementations has zero detection rate in VirusTotal, Imperva points out. 

After gaining root access and the permission to install new services, the attackers would install SSH, configure it, and then add their key to the list of authorized keys by the service. 

“Now, as long as the machine is up and running, the attacker can remotely transmit any command as the user root – game over,” Imperva concludes. 

Related: Hackers Exploit Drupalgeddon2 to Install Backdoor

Related: Remote Code Execution Flaws Patched in Drupal

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.