exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Drupal 7.31 SQL Injection

Drupal 7.31 SQL Injection
Posted Oct 16, 2014
Authored by Stefan Horst

Drupal versions 7.0 through 7.31 suffer from a pre-authentication remote SQL injection vulnerability.

tags | advisory, remote, sql injection
advisories | CVE-2014-3704
SHA-256 | f35969a96fc3edeea7c6ff6dae1ff02d6ed45becae3aa463f435daf8161a7cfc

Drupal 7.31 SQL Injection

Change Mirror Download
                         SektionEins GmbH
www.sektioneins.de

-= Security Advisory =-

Advisory: Drupal - pre-auth SQL Injection Vulnerability
Release Date: 2014/10/15
Last Modified: 2014/10/15
Author: Stefan Horst [stefan.horst[at]sektioneins.de]
Application: Drupal >= 7.0 <= 7.31
Severity: Full SQL injection, which results in total control and code execution of Website.
Risk: Highly Critical
Vendor Status: Drupal 7.32 fixed this bug
Reference: https://www.sektioneins.com/en/advisories/advisory-012014-drupal-pre-auth-sql-injection-vulnerability.html

Overview:
Quote from https://www.drupal.org
"Come for the software, stay for the community
Drupal is an open source content management platform powering millions
of websites and applications. It’s built, used, and supported by an
active and diverse community of people around the world."

During a code audit of Drupal extensions for a customer an SQL Injection
was found in the way the Drupal core handles prepared statements.

A malicious user can inject arbitrary SQL queries. And thereby
control the complete Drupal site. This leads to a code execution as well.

This vulnerability can be exploited by remote attackers without any
kind of authentication required.

Details:
Drupal uses prepared statements in all its SQL queries. To handle IN
statements there is an expandArguments function to expand arrays.

protected function expandArguments(&$query, &$args) {
$modified = FALSE;

// If the placeholder value to insert is an array, assume that we need
// to expand it out into a comma-delimited set of placeholders.
foreach (array_filter($args, 'is_array') as $key => $data) {
$new_keys = array();
foreach ($data as $i => $value) {
// This assumes that there are no other placeholders that use the same
// name. For example, if the array placeholder is defined as :example
// and there is already an :example_2 placeholder, this will generate
// a duplicate key. We do not account for that as the calling code
// is already broken if that happens.
$new_keys[$key . '_' . $i] = $value;
}

// Update the query with the new placeholders.
// preg_replace is necessary to ensure the replacement does not affect
// placeholders that start with the same exact text. For example, if the
// query contains the placeholders :foo and :foobar, and :foo has an
// array of values, using str_replace would affect both placeholders,
// but using the following preg_replace would only affect :foo because
// it is followed by a non-word character.
$query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);

// Update the args array with the new placeholders.
unset($args[$key]);
$args += $new_keys;

$modified = TRUE;
}

return $modified;
}

The function assumes that it is called with an array which has no keys. Example:

db_query("SELECT * FROM {users} where name IN (:name)", array(':name'=>array('user1','user2')));

Which results in this SQL Statement

SELECT * from users where name IN (:name_0, :name_1)

with the parameters name_0 = user1 and name_1 = user2.

The Problem occurs, if the array has keys, which are no integers. Example:

db_query("SELECT * FROM {users} where name IN (:name)", array(':name'=>array('test -- ' => 'user1','test' => 'user2')));

this results in an exploitable SQL query:

SELECT * FROM users WHERE name = :name_test -- , :name_test AND status = 1

with parameters :name_test = user2.

Since Drupal uses PDO, multi-queries are allowed. So this SQL Injection can
be used to insert arbitrary data in the database, dump or modify existing data
or drop the whole database.

With the possibility to INSERT arbitrary data into the database an
attacker can execute any PHP code through Drupal features with callbacks.

Patch:

$new_keys = array();
foreach (array_values($data) as $i => $value) {
// This assumes that there are no other placeholders that use the same
// name. For example, if the array placeholder is defined as :example
// and there is already an :example_2 placeholder, this will generate
// a duplicate key. We do not account for that as the calling code
// is already broken if that happens.
$new_keys[$key . '_' . $i] = $value;
}

Proof of Concept:

SektionEins GmbH has developed a proof of concept, but was asked by
Drupal to postpone the release.

Disclosure Timeline:

16. Sep. 2014 - Notified the Drupal devs via security contact form
15. Okt. 2014 - Relase of Bugfix by Drupal core Developers

Recommendation:

It is recommended to upgrade to the latest version of Drupal.

Grab your copy at:
https://www.drupal.org/project/drupal

CVE Information:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2014-3704 to this vulnerability.

GPG-Key:

pub 2048D/7830F25D 2014-08-12 Stefan Horst
Key fingerprint = 380D 2FEE 62E6 83AE 6A5C 7267 6AE5 40BE 7830 F25D

Copyright 2014 SektionEins GmbH. All rights reserved.


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close