Drupal 7.X Services Module Unserialize Vulnerability

An advisory has been published regarding a critical 0-day unauthenticated RCE (Remote Code Execution) vulnerability in the Drupal System. Drupal is a free and open source content-management framework written in PHP, and it provides a back-end framework for at least 2.2% of all Web sites worldwide.

The vulnerability resides in the services module of Drupal which is a popular solution for building API’s in order to allow external clients to communicate with Drupal.

Drupal’s services module allows enabling the /user/login resource to allow login via JSON or XML.

One of the features of Drupal’s services module is that it supports multiple input formats, which the user can specify by setting the Content-Type header of the HTTP request. One of those formats is “application/vnd.php.serialized” which means the user is allowed to send his credentials in a serialized PHP object, which will get unserialized by the Drupal services module.

By sending a specially crafted serialized object attackers may trigger a SQL Injection vulnerability, which may later lead to Remote Code Execution.

Mitigation with Big-IP ASM

ASM customers are already protected against this vulnerability.

While exploiting this vulnerability, attackers will try to send a malicious PHP serialized object which contains a SQL Injection payload. The exploitation attempt will be detected by multiple existing PHP Object Serialization and SQL Injection  attack signatures.

Figure 1: Exploit blocked with Attack Signature (200004188) 

Figure 2: Exploit blocked with Attack Signature (200000073) 

Figure 3: Exploit blocked with Attack Signature (200000082)