mcdruid.co.uk: A persistent Drupal 7 exploit using a pluggable variable

A couple of years ago I was asked to take a look at a Drupal 7 site that was performing poorly; a colleague had spotted a strange function call in an Application Performance Management (APM) system.

The APM traces we were looking at included a __lambda_func under which was a class called Ratel. Under those were some apparent external calls to some dodgy-looking domains.

One of my very excellent colleagues had done some digging and found some more details about the domains which confirmed their apparent dodginess.

They had also come across a GitHub gist which looked relevant – it had the PHP source code for a Ratel class which appears to be an SEO spam injection tool:

https://gist.github.com/isholgueras/b373c73fa1fba1e604124d48a7559436

This gist included encoded versions of the dodgy URLs we’d seen when trying to analyse what was slowing the site down.

However it wasn’t immediately obvious how this code was running within the infected Drupal site.

We’d grepped the file system and not found any signs of this compromise. One trick that’s sometimes useful is to search a recent database dump.

Doing so turned up a reference to the Ratel class within the cache tables, but when we took a closer look inside the cache there wasn’t much more info to go on:

$ drush ev 'print_r(cache_get("lookup_cache", "cache_bootstrap"));'
stdClass Object
(
    [cid] => lookup_cache
    [data] => Array
        (
 
[...snip...]
 
            [cRatel] => 
            [iRatel] => 
            [tRatel] => 

So this was more evidence that the malicious code had been injected into Drupal, but didn’t tell us how.

I took a closer look at the malicious source code and noticed something it was doing to try and hide from logged in users:

  if (function_exists('is_user_logged_in')) {
    if (is_user_logged_in()) {
      return FALSE;
    }
  }

Being so used to reading Drupal code, I think I’d initially thought this was a Drupal API call.

However, on closer inspection I realised it’s actually a very similarly named WordPress function.

That meant that the function almost certainly would not exist in this Drupal site, and that gave me a way to hook into the malicious code and find out more about how it had got into this site.

I temporarily added a definition for this function to the site’s settings.php within which I output some backtrace information to a static file – something like this:

function is_user_logged_in() {
  $debug = debug_backtrace();
  file_put_contents('/tmp/debug.txt', print_r($debug, TRUE), FILE_APPEND);
  return FALSE;
}

This quickly yielded some useful info – along the lines of:

$ cat debug.txt 
Array
(
    [0] => Array
        (
            [file] => /path/to/drupal/sites/default/files/a.jpg(9) : runtime-created function
            [line] => 1
            [function] => is_user_logged_in
            [args] => Array
                (
                )
 
        )
 
    [1] => Array
        (
            [file] => /path/to/drupal/sites/default/files/a.jpg
            [line] => 10
            [function] => __lambda_func
            [args] => Array
                (
                )
 
        )
 
    [2] => Array
        (
            [file] => /path/to/drupal/includes/bootstrap.inc
            [line] => 2524
            [args] => Array
                (
                    [0] => /path/to/drupal/sites/default/files/a.jpg
                )
 
            [function] => require_once
        )

Wow, so it looked like the malicious code was hiding inside a fake jpg file in the site’s files directory.

Having a look at the fake image, it did indeed contain a copy of the code we’d been looking at in the gist, albeit one that was further wrapped in obfuscation.

$ file sites/default/files/a.jpg    
sites/default/files/a.jpg: PHP script, ASCII text, with very long lines, with CRLF line terminators

The malicious Ratel code had been encoded and serialized, and the fake image file was turning that obfuscated string back into executable code and creating a dynamic function from it:

$serialized = '** LONG STRING OF OBFUSCATED CODE **';
$rawData = array_map("base64_decode", unserialize($serialized));
$rawData = implode($rawData);
$outputData = create_function(false, $rawData);
call_user_func($outputData);

That’s where the lambda function we’d been seeing had come from.

The final piece of the puzzle was how this fake image file was actually being executed during the Drupal bootstrap.

The backtrace we’d extracted gave us the answer; the require_once call on line 2524 of bootstrap.inc was this:

2523         case DRUPAL_BOOTSTRAP_SESSION:
2524           require_once DRUPAL_ROOT . '/' . variable_get('session_inc', 'includes/session.inc');
2525           drupal_session_initialize();
2526           break;

So the attacker had managed to inject the path to their fake image into the session_inc Drupal variable.

This was further confirmed by the fact that the malicious code in the fake image actually included the real Drupal session code itself, so as not to interfere with Drupal’s normal operation.

require_once('includes/session.inc');

So although the Ratel class had perhaps initially been put together with WordPress in mind, the attacker had tailored the exploit very specifically to Drupal 7.

Drupal has a mechanism to disallow uploaded files from being executed as PHP but that didn’t help in this case as the code was being included from within Drupal itself.

At some point there must have been something like a Remote Code Execution or SQL Injection vulnerability on this site which allowed the attacker to inject their variable into the database.

It’s possible that was one of the notorious Drupal vulnerabilities often referred to as Drupalgeddon 1 and 2, but we don’t know for sure. We believe that the site was most likely infected while at a previous host.

This technique doesn’t represent a vulnerability in itself, as the attacker needed to be able to upload the fake image and (most importantly) inject their malicious variable into the site.

It was, however, quite an interesting technique for achieving persistence within the Drupal site.

Once we’d uncovered all of these details, cleaning up the infection was as simple as deleting the injected variable and removing the malicious fake image file.

What could the site have done to defend itself against this attack?

Well, the injection of the variable was most likely done via an exploit of an unpatched vulnerability on the site. Keeping up-to-date with patches from the Drupal Security Team is always advisable.

Other than that, something like the mimedetect module might have been able to prevent the upload of the fake image file. Note that newer versions of Drupal have this capability built-in.
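The check that a module like mimedetect performs is to compare what an upload’s extension claims with what its bytes actually say. The following is an added example written for this post, not code from mimedetect or from Drupal: it verifies the magic bytes of the common image types against the extension, and also flags the polyglot case where a genuine image header is followed by a PHP open tag. The sample file contents (`FAKE_JPG`, `REAL_JPG`, `POLYGLOT_JPG`) are constructed for the demonstration and are not the real a.jpg from the infected site.

```python
import os

# Magic bytes for the image types an upload field would typically allow.
# bytes.startswith() accepts a tuple, so each entry is a tuple of valid prefixes.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Opening tags that make a file executable if PHP is ever asked to include it.
PHP_MARKERS = (b"<?php", b"<?=")


def inspect_upload(filename, data):
    """Compare what the extension claims with what the bytes say.

    Returns one of:
      "ok"        - magic matches the extension and no PHP open tag is present
      "mismatch"  - extension says image, bytes do not (the fake a.jpg case)
      "polyglot"  - valid image header but a PHP open tag further in
      "unchecked" - extension not in IMAGE_MAGIC; nothing to compare against
    """
    ext = os.path.splitext(filename)[1].lower()
    expected = IMAGE_MAGIC.get(ext)
    if expected is None:
        return "unchecked"
    if not data.startswith(expected):
        return "mismatch"
    if any(marker in data for marker in PHP_MARKERS):
        return "polyglot"
    return "ok"


def scan_files_dir(root):
    """Walk a Drupal public files directory (e.g. sites/default/files) and
    return (path, verdict) for every file whose bytes contradict its extension."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            verdict = inspect_upload(name, data)
            if verdict in ("mismatch", "polyglot"):
                findings.append((path, verdict))
    return findings


# Constructed sample contents (stand-ins, not the real file from the post).
FAKE_JPG = b"<?php\r\n$serialized = 'CONSTRUCTED PLACEHOLDER';\r\n"
REAL_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 16
POLYGLOT_JPG = REAL_JPG + b"<?php /* constructed */"

if __name__ == "__main__":
    for label, blob in (("a.jpg", FAKE_JPG), ("real.jpg", REAL_JPG), ("poly.jpg", POLYGLOT_JPG)):
        print(label, inspect_upload(label, blob))
```

Run against an existing files directory with `scan_files_dir("sites/default/files")`; `file -b` on the same paths, as the post does, is a quick manual cross-check.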

A manual review of the variables in the site’s database could have caught this; there are a handful of variables that provide “pluggability” in D7 but session_inc is probably one of the most attractive from an attacker’s point of view as it’s typically invoked on most bootstraps unlike some of the others:

drupal-7.x$ grep -orh "variable_get.*.inc')" includes modules | sort | uniq
 
variable_get('lock_inc', 'includes/lock.inc')
variable_get('menu_inc', 'includes/menu.inc')
variable_get('password_inc', 'includes/password.inc')
variable_get('path_inc', 'includes/path.inc')
variable_get('session_inc', 'includes/session.inc')

A simple drush command can show whether any of these variables are set:

$ drush vget _inc
No matching variable found.
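The drush check above tells you whether any of the pluggable variables are set at all; when one is, the next question is whether its value could legitimately be a bootstrap include. The following is an added example for this post, not Drupal or drush code: it decodes the PHP-serialized values as they sit in the D7 `variable` table, and rates each of the five `*_inc` overrides found by the grep above. The sample rows in `SAMPLE_VARIABLE_ROWS` are constructed, and the severity labels and the `files/` heuristic are this example’s own choices, so generalising a little beyond the `session_inc` case in the post.

```python
import re

# The five Drupal 7 "pluggable" include variables found by the grep over
# includes/ and modules/, with the core default each one falls back to when unset.
PLUGGABLE_INC_DEFAULTS = {
    "lock_inc": "includes/lock.inc",
    "menu_inc": "includes/menu.inc",
    "password_inc": "includes/password.inc",
    "path_inc": "includes/path.inc",
    "session_inc": "includes/session.inc",
}

# Every row of the D7 `variable` table is PHP-serialized; a string looks like s:N:"...";
_PHP_SERIALIZED_STRING = re.compile(r's:(\d+):"(.*)";', re.DOTALL)


def php_unserialize_string(blob):
    """Decode one PHP-serialized string. Returns None if the blob is not a
    well-formed serialized string (another type, or a length that does not match)."""
    m = _PHP_SERIALIZED_STRING.fullmatch(blob)
    if not m:
        return None
    declared_len, value = int(m.group(1)), m.group(2)
    if len(value.encode("utf-8")) != declared_len:  # PHP counts bytes, not characters
        return None
    return value


def classify_include_path(name, path):
    """Severity of a pluggable include path (heuristic chosen for this example).

    "ok"       - explicitly set to the core default
    "review"   - overridden to some other .inc inside the code base; confirm it is intentional
    "critical" - not a .inc file, lives under a files/ directory, escapes the root via ..,
                 or is absolute: none of these is legitimate for a bootstrap include
    """
    if path == PLUGGABLE_INC_DEFAULTS[name]:
        return "ok"
    segments = path.replace("\\", "/").split("/")
    if (not path.endswith(".inc")
            or "files" in segments
            or ".." in segments
            or path.startswith("/")):
        return "critical"
    return "review"


def audit_variables(rows):
    """rows: iterable of (name, serialized_value) as dumped from the D7 `variable` table.
    Returns [(name, decoded_path_or_raw_blob, severity)] for each pluggable *_inc row.
    Unset variables never appear in the table, so anything returned deserves a look."""
    findings = []
    for name, blob in rows:
        if name not in PLUGGABLE_INC_DEFAULTS:
            continue
        path = php_unserialize_string(blob)
        if path is None:
            findings.append((name, blob, "critical"))  # not even a string: tampered or corrupt
        else:
            findings.append((name, path, classify_include_path(name, path)))
    return findings


# Constructed sample rows (not dumped from the infected site in the post).
SAMPLE_VARIABLE_ROWS = [
    ("site_name", 's:7:"Example";'),
    ("session_inc", 's:25:"sites/default/files/a.jpg";'),
    ("path_inc", 's:36:"sites/all/modules/custom/my_path.inc";'),
    ("lock_inc", 's:17:"includes/lock.inc";'),
]

if __name__ == "__main__":
    for name, value, severity in audit_variables(SAMPLE_VARIABLE_ROWS):
        print(f"{severity:8} {name} = {value}")
```

Feeding it the real rows is a matter of selecting `name, value` from the `variable` table (a `drush sql-query` or a database dump will do); a `critical` finding on `session_inc` is exactly the situation described in this post.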

Once we knew what had happened to the site we found a couple of references online to similar exploits:



Sooper Drupal Themes: What is Drupal used for?

What is Drupal used for?
As the world goes digital, marketers and entrepreneurs are searching for ways to increase their online presence.  One of the best ways to go about this is having a website that stands out from the crowd.  After all, it is the first thing that visitors notice about your brand before doing business with you. 

Even though you can never run out of options whenever you want to build and maintain websites, not many outdo Drupal.  Open-source software made available under the GNU Public License, Drupal will come in handy when looking forward to building and maintaining your website globally.

There is a huge chance you have used Drupal before without your knowledge. That is because many top businesses, Fortune 500 companies, nonprofits, and government organizations leverage Drupal.  But before you join the bandwagon and give it a try, it is in your best interest that you know what Drupal is and why you should give it a try. 

Fortunately, that is what this guide will help you unearth today. Continue reading to find out more about Drupal and why you should consider giving it a try!

What is Drupal?

First things first, what is Drupal?  This is one of the questions you need to ask yourself to understand the system and unleash its potential.  In a nutshell, Drupal is a free and Open Source Content Management System (CMS) that allows users to create and manage content over one or multiple websites. 

Being open-source software, anyone can download Drupal, work on it, and share it with others hassle-free. Furthermore, it boasts numerous inherent benefits, including accountability, security, and flexibility. No wonder it is among the most popular CMSs currently available at your disposal.

You might wonder what makes Drupal way more superior compared to other content management systems out there.  In a nutshell, many users find Drupal easy to use when creating a more customized website, unlike other free CMS systems like WordPress.  Better, Drupal tends to be versatile, giving you the freedom you need to build and maintain your website.

What makes Drupal worth leveraging as opposed to other CMSs is that almost anyone can contribute to the site with no HTML experience. Things are not any different for editors, writers, and website administrators without any coding experience. That is possible thanks to the What You See Is What You Get (WYSIWYG) feature that enables writing, editing, and adding content without the hassle.

Why Drupal Shines as CMS

Now that you know what it entails, you need to understand what Drupal is used for and what makes it shine as a CMS. With Drupal, you no longer have to go through a lot to create and publish your content. That’s because it allows users the chance of pulling this off without the hassle.

But how is this even possible in the first place?  The CMS platform is popular for accommodating unlimited content types.  Some of the most popular ones include media and text available in highly customizable forms.  To ensure users have a remarkable digital experience, Drupal retrieves, filters, and presents the content in powerful, but simple-to-use tools. 

Furthermore, Drupal contains intuitive content creation tools and powerful in-place editing tools that ensure you get things done without the hassle. To give you just the tip of the iceberg, Drupal is full of features and highly customizable, unlike other CMS systems out there. Either way, you should be aware of what Drupal is used for before you finally give it a try.

Top Advantages of Drupal over Other Content Management Systems


Before we dive deeper into what does Drupal do, it is essential that you know about the advantages it boasts over other Content Management Systems. After all, this is the only way you stand a good chance of reaping maximum benefits from the system.  With that in mind, below are some of the most notable benefits Drupal brings to your business or organization.

Flexible Integration  

One of the biggest selling points of Drupal is the ability to help users create and manage a host of content types.  Some of the most popular content types include statistics, podcasts, blogs, videos, and many more. For this reason, you will have an easy ride when looking forward to creating content-rich websites for different markets such as commerce and media. 

Security 

CMS security is something that you can’t risk skimping at any given time. Drupal does not disappoint in this regard as it offers unshakable security to all users.  To guarantee maximum user satisfaction, Drupal is highly secure and provides regular patches.  That explains why it works wonders for enterprise clients.

However, you need to implement and maintain it properly to serve you as the most secure CMS. The good news is that Drupal happens to have the best security team you can count on, not forgetting advanced hosting providers.  For this reason, it is common to come across large organizations that leverage Drupal as the main CMS for powering their web applications or websites. 

Scalability 

Scalability is undeniably one of the tremendous strengths of Drupal over other Content Management Systems out there. As long as you have an idea of what Drupal does, you will have an easy time growing the number of your web pages without the need to change anything. Better, it copes well with periods of high traffic spikes.

Current Version Features

Drupal 9 provides a host of features that make it way easier to use than was the case with its predecessors. For instance, users can now take advantage of the new field locations and new fields. If this is not enough, it relies on CKEditor to make posting content similar to editing a document in Word. Other popular features that will make you fall in love with Drupal 9 include the Quick Edit feature, the helpful Tour button, and four additional key modules.

Ways Marketers Can Leverage Drupal

Drupal 9 has undeniably turned into a marketer’s dream thanks to the new features and core enhancements it offers. And this doesn’t come as a surprise as it allows marketers the chance of personalizing content based on their target audience, device type, and language.  Keep in mind content is king when looking forward to improving SEO, driving organic traffic to your website, and creating leads.

If you have done your homework on what Drupal is used for, you probably know that it draws on the innovations of thousands of marketers, designers, and developers. With that in mind, below are some of the ways marketers can leverage Drupal to their advantage.

Mobile Responsiveness  

The responsiveness of your website or web applications on mobile devices speaks volumes on whether or not you’ll attain your digital marketing goals.  Not only does it impact Google rankings, but it also helps drive immense traffic to your website. That does not come as a surprise since more and more people now use smartphones for almost everything in their personal lives. 

Fortunately, this is something that won’t give you sleepless nights since Drupal takes mobile seriously. You might be wondering what Drupal does when it comes to mobile responsiveness. In a nutshell, Drupal comes with built-in themes that are mobile responsive together with web services built into the core. Thanks to these new features, users can access content from any device of choice.

Creative Freedom 

Business competition will always exist regardless of the industry you choose.  To win over a huge share of the market and drive business growth, you must make an effort to stand out from the crowd.  And this not only implies how you do business, but it also refers to the way you run your marketing campaigns.

With Drupal, you won’t worry about giving your competition a run for their money.  That is because it seamlessly incorporates the existing marketing and sales technologies of your venture.  That’s possible since the cutting-edge Drupal modules give your marketing team creative freedom to handle tasks at their desired pace and convenience. 

As long as you have a good understanding of Drupal’s architecture, you can launch your website with ease when compared to other CMSs out there. That’s what your marketing team needs to lay the foundation of a strong digital marketing strategy. Before you know it, your business is a force to be reckoned with in the industry.

Makes Your Website Faster 

The vast majority of businesses lose visitors to their website due to speed. Keep in mind many web users expect your website to load in 2 seconds. If your website takes longer than this to load, rest assured you will lose conversions from visitors to your website. In short, faster pages make money for your business.

That’s where Drupal proves beneficial to marketers as it makes websites faster. Of course, this is without the need to bring in a lot of technical expertise. If you only know what Drupal is but have no idea about its working mechanism, then it might prove difficult to understand this.

To help clear some of the doubts in your mind, Drupal makes use of Cache Tags to make caching way more efficient. Furthermore, it allows for context-based caching thanks to its Cache Content API feature. For this reason, your website will load faster while making sure visitors only see the latest version of your site.

Cost of Drupal

Now that you know what Drupal does and the numerous benefits it will bring to your organization, it is time to give it a try. But before you make the switch, it is also essential that you find out the average cost structure. After all, you don’t want to take a toll on your business finances just because you want to use Drupal.

The good news is that you don’t have to break the bank to take advantage of Drupal. Either way, it depends on the type and size of the business you’re running. For large enterprise sites, you will have to spend way more when compared to medium-sized websites. Remember, the average cost structure of a Drupal build includes strategy, design, and implementation.

The Bottom Line 

There you have it; some of the things that touch on what Drupal is used for. Keep in mind there is more to Drupal than meets the eye. That’s why you should never make the mistake of creating a Drupal website without having the slightest idea of what it entails. Most business leaders and marketers who do that end up regretting their decision in the long run.

But what if you’re struggling to build pages on your Drupal site? In this case, there is nothing to worry about since you’re not alone. Most marketers have no idea whether to wait for a developer to help them out or try to build with Drupal single-handedly. Luckily, you don’t have to assign that webpage to a busy designer since some service providers allow users to unleash their creativity instantly.

Before you build whatever you want, ensure you know what Drupal is and how it can help change your company or organization for the better. That way, you can build sites faster and easier without leaving any room for mistakes. So, what are you waiting for before you finally leverage Drupal?

Tag1 Consulting: Fred Plais Talks Commerce in Drupal

Fred Plais is a long standing, well known member of the Drupal community. From AF83, to a founder and CEO of Commerce Guys (now Centarro) and Platform.sh, Fred is no stranger to the business side of what makes Drupal a successful platform, how businesses use Drupal, and the critical nature of commerce infrastructure.

lynette@tag1co…
Wed, 11/10/2021 – 07:30



Drupal Association blog: Meet one of our 2021 Discover Drupal Students, Devon Ek

Throughout our pilot Discover Drupal program year, we introduce our students to the Drupal community; this month, we welcome Devon Ek!

Devon was referred to the program by Genesys Works and is entirely new to Drupal. He currently lives in the Twin Cities, in Minnesota.

Tell us a little about you.  What are your hobbies and interests?

My hobbies are shooting videos and taking photographs in my free time. I also am into building PCs and mechanical keyboards.

What is your ultimate goal in learning Drupal?

My ultimate goal in learning Drupal is to develop a knowledge base of its front-end and back-end side and build useful web experiences.

What are you most excited about regarding this program?

I am most excited to connect with my peers and mentors along with working on projects. I’m hoping to eventually land a job in Drupal back-end development. I aspire to become a web developer someday and also give back to the community and empower others to explore their journey into technology as well. I want to help create digital experiences that are relevant and reflective of people who come from underrepresented backgrounds. Being accepted into Discover Drupal would greatly help me explore my interest in web technologies and connect me to a community of people who also come from underrepresented groups.

If you see Devon online in Drupal Slack or at any upcoming Drupal events, please give him a warm welcome.  His Slack user name is Devon Ek.

Our Discover Drupal sponsors will have access to directly recruit the students for internships or other employment near the completion of the program.

Thank you to our Partners and Volunteers
We are grateful to AmyJune Hineline and Mike Herchel, who have led our team of mentors and provided valuable insight into improving the program. Thank you.

We want to thank our founding partner, Kanopi Studios, and especially Allison Manley for her continued hard work and dedication to the program. We also want to thank our platinum sponsors, Lullabot and Elevated Third, for the financial support that has been instrumental in launching this program. Finally, thank you to our excellent training partners, Drupal Easy, Evolving Web, Mediacurrent, and Drupalize.me.

If you’d like more information about the program or would like to become a supporting donor, please reach out to us at drupaltalent@association.drupal.org.



Drupal Core News: New provisional Drupal core committers facilitator: Yash Marwaha

I’m pleased to announce that Yash Marwaha (yashm) has accepted our invitation to become a provisional Drupal core Committer Team Facilitator!

Yash is based in India and has been working as a Project Manager for OpenSense Labs for the last four years. His experience with technical team management and release management, as well as his experience working with Drupal projects, make him a great fit for this role. His passion for Drupal and enthusiasm to contribute stood out and his communication skills will be a great addition to the team.

Yash will work closely with our other Core Committer Team Facilitator, Pamela Barone (pameeela), on our release process, communications, and team decision-making.

Please join me in welcoming Yash to our Core Committer Team!



Talking Drupal: Talking Drupal #320 – Drupal 8 End of Life

Today we are talking about Drupal 8 End of Life with Gábor Hojtsy.

TalkingDrupal.com/320

Topics

  • John – NEDCamp is in two weeks
  • April – Planning Drupal Camp Asheville in person next year
  • Gábor – Thinking of all versions of Drupal
  • Nic – Vacation was great – visited Salem
  • What End of Life (EoL) means
  • Statistics on number of sites
  • Why D8 EoL is before D7
  • What can people do to continue using D8
  • Does the new release schedule and EoL schedule improve the platform
  • Improvements to the process
  • Process expected for D9 and D10
  • D8 -> D9 migration process effect on adoption
  • Expected differences with D7 EoL
  • Current Projects
  • Contributions
  • Next big thing
  • Core committer experience over the years
  • Initiative lead, lead
  • Merge request support with gitlab
  • Making core committer’s life easier

Resources

  • commit 62f939944f9ecdff0cfb84e1eb057237ad3d52ed – Author: Dries Buytaert – Date: Tue Sep 16 17:35:02 2003 +0000 – Added ‘escape HTML’ option to the filters. Patch by Gabor Hojtsy.
  • commit 069e1bb87b9971f160f8ddccfe95335986dd17e0 – Author: Dries Buytaert – Date: Sun Sep 28 17:07:46 2003 +0000 – More translation fixes for the menu items. Patch by Gabor.
  • commit bcfa6dca1e6646a50f12f617425c6087cae97ac8 – Author: Dries Buytaert – Date: Sun Sep 28 18:23:13 2003 +0000 – Translation improvements for the block module help. Patch by Gabor.
  • commit 7531e82969cda841d2e03a736c2b0568ed2647e7 – Author: Dries Buytaert – Date: Mon Sep 29 18:35:46 2003 +0000 – Made sure non US-ASCII mails are sent out properly. Patch by Gabor. TODO: rename user_mail() to drupal_mail() and move it to common.inc. Other modules, such as the project module, should use this as well or they risk to send out /invalid/ mails.

Guests

Gábor Hojtsy – www.hojtsy.hu @gaborhojtsy

Hosts

Nic Laflin – www.nLighteneddevelopment.com @nicxvan
John Picozzi – www.epam.com @johnpicozzi
April Sides – @weekbeforenext

MOTW

Views AJAX History – Enable bookmarking of AJAX views. Supports filters and paging.

