Highly Critical SQL Injection Vulnerability Patched in Drupal Core

The Drupal team just released a security update for Drupal 7.x to address a highly critical SQL injection vulnerability. This bug can be exploited remotely by non-authenticated users and was classified as “Highly Critical” by the Drupal Security team. More information is available in their public advisory:

Posted by Drupal Security Team on October 15, 2014 at 4:02pm
Advisory ID: DRUPAL-SA-CORE-2014-005
Version: 7.x
Date: 2014-Oct-15
Security risk: 20/25 ( Highly Critical) AC:Basic/A:None/CI:All/II:All/E:Theoretical/TD:All
Vulnerability: SQL Injection

Users on the Drupal 7.x branch need to update to the version 7.32 immediately. The good news for our clients is that if you are leveraging our Website Firewall (CloudProxy) product you have been proactively patched against this vulnerability. If you can not patch your installation, we recommend applying their patch manually or adding your site behind a proper website firewall. You should also scan your Drupal installation for hacks and can follow our guide to fix the compromise if needed.

Understanding the SQL Injection

The team behind SektionEins identified this vulnerability and disclosed responsibly to the Drupal team last month. They too provided an advisory with the technical details, recommend reading if you’re a developer or system administrator.

Cliff-note version: They found a way to bypass the protection that Drupal has in place when creating the prepared statements for the SQL queries. Where a query would look like:

 SELECT * FROM {users} WHERE name IN (:name_0, :name_1)

The attacker could manipulate it to look like:

 SELECT * FROM {users} WHERE name IN (:name_test) OR name = 'Admin' -- , :name_test)

The scariest part of this vulnerability is that since Drupal uses PDO, this vulnerability is not only limited to SELECT statements, an attacker is able to able to insert or modify arbitrary data in the database.

Severity, coupled with it’s simplicity is a recipe for disaster. It’s a matter of time before it’s integrated into the latest toolsets and attacks are actively detected.

2014/10/15 18:17 – Update 1: There are POC (proofs of concepts) being shared on many underground forums. Won’t be long before we start to see exploitation attempts.

Craig A

This looks really bad. It looks like it won’t be difficult to find an exploitable location. “The problem occurs, if the array has keys, which are no integers.”

Example:

db_query(“SELECT * FROM {users} where name IN (:name)”, array(‘:name’=>array(‘test — ‘ => ‘user1′,’test’ => ‘user2’)));
- Craig A
  
  Drupal owners are going to have a really bad day. I just tested a POC against Drupal 7.31 to reset the uid 1 password pre-auth.
  - FK
    
    where did you foind the poc?
  - vinicius
    
    it’s not that hard, even if someone can’t update to Drupal 7.32, the fix is a one line change on file includes/database/database.inc: http://cgit.drupalcode.org/drupal/patch/?id=26a7752c34321fd9cb889308f507ca6bdb777f08&SA-CORE-2014-005 and can be applied manually on most (all?) Drupal 7 installs
Guest

This was found more than a year ago, and fixed: https://www.drupal.org/node/2146839
David Garcia Garcia

Great, I found this more than a year ago… https://www.drupal.org/node/2146839
damnthatonelinepatch

Yup they’re in the wild, blocked the ip, cleaned the server and site and updated to 7.32… damn those bstrds
CTS

Can you refresh this post to the new update. Did something change?

Understanding the SQL Injection

About Daniel Cid