Drupal Patches Critical Remote Code Execution Flaws

The popular Drupal content management system received fixes for five serious vulnerabilities that allow for remote code execution and could help hackers break into websites.

Two of the patched vulnerabilities are rated critical. One is located in the DefaultMailSystem::mail() function and affects both Drupal 7 and 8, while the other is located in the Contextual Links module and only affects websites running on Drupal 8.

“When sending email some variables were not being sanitized for shell arguments, which could lead to remote code execution,” the Drupal security team said in an advisory. “The Contextual Links module doesn’t sufficiently validate the requested contextual links,” it added.

The impact of the Contextual Links vulnerability is limited because exploiting it requires a role with the “access contextual links” permission.

Two other vulnerabilities, rated as moderately critical, generate open redirect conditions and could allow attackers to create links that redirect users to malicious websites. This type of flaw can be exploited to create credible phishing attacks.

The first open redirect flaw is in the path module which lets legitimate users to create “pretty” URLs for their content. By modifying the path in certain ways, users with the “administer paths” permission can generate URLs that redirect visitors to malicious pages. This affects both Drupal 7 and 8.

The second issue is more general and has been publicly documented. In involves abusing the “destination” query string parameter in URLs to redirect users to a new destination after they complete an action on the current page. This has been fixed in Drupal 8 by removing the RedirectResponseSubscriber event handler.

“If you have extended that class or are calling that method, you should review your implementation in line with the changes in the patch,” the Drupal security team said. “The existing function has been removed to prevent a false sense of security.”

The fifth vulnerability can lead to access bypass and has also been rated moderately critical. It stems from the content moderation feature failing to properly check users’ access to use certain transitions.

More importantly, the fix required several changes to the content moderation services and user permissions that break backwards compatibility with previous releases. Therefore, website developers and third-party module creators should review these changes and adapt their code.

Drupal is the third most popular CMS after WordPress and Joomla and is used by many businesses, government agencies and universities. This makes it an attractive target for hackers and widespread attacks that exploit vulnerabilities in Drupal are common.

Researchers Identify Suspected NSA Implant DarkPulsar

Researchers from antivirus Kaspersky Lab have found the malware implant known in the security industry as DarkPulsar and identified around 50 victims in Russia, Iran and Egypt.

DarkPulsar was included in the cache of cyberattack tools supposedly stolen from the U.S. National Security Agency and dumped online in March 2017 by a group called the Shadow Brokers. That data dump also contained the EternalBlue and EternalRomance exploits that were later used to launch global ransomware attacks.

The archive released by the Shadow Brokers contained two cyberespionage frameworks dubbed DanderSpritz and FuzzBunch. The latter supports various plug-ins including post-exploitation backdoors called implants.

One of the implants named in the leak was DarkPulsar, but only the administrative module used to control the implant was present in the data dump. Information contained in the admin module’s code allowed the Kaspersky Lab researchers to create signatures and track down the actual backdoor on real world computers.

“We found around 50 victims located in Russia, Iran and Egypt, typically infecting Windows 2003/2008 Server,” they said in a blog post. “Targets were related to nuclear energy, telecommunications, IT, aerospace and R&D.”

The researchers believe these victims are the leftovers of a much larger campaign because the DarkPulsar implant has a command to delete itself and it was likely activated by its creators after the toolset was publicly exposed.

DarkPulsar can be used to execute arbitrary shellcode and to deploy DanderSpritz payloads directly into an infected computer’s memory. It can also disable NTLM protocol security, which allows the malware’s operators to bypass authentication and execute code with any username and password.

“We think that after the ‘Lost In Translation’ leakage the espionage campaign was stopped, but that doesn’t mean that all computers are rid of this backdoor infection,” Kaspersky Lab said on a FAQ page about the threat. “Note that to exploit this backdoor on infected victims, the attackers need to know the private RSA key which pairs to the public key embedded in the backdoor. It means that no one except real DarkPulsar’s managers can exploit compromised systems.”

Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin