CVE-2018-7600
published 2018-03-29


Priority: P1 (score 100), critical, CVSS 3.1 base score 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV, ITW, Exploit, Ransomware, Initial access
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 99.99% (100.0th percentile)
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.

Affected (18 ranges)

Vendor        | Product      | Version range      | Fixed in
debian        | debian_linux |                    |
debian        | debian_linux |                    |
debian        | debian_linux |                    |
drupal        | core         | >= 7.0 < 7.58      | 7.58
drupal        | core         | >= 8.0 < 8.3.9     | 8.3.9
drupal        | core         | >= 8.0.0 < 8.3.9   | 8.3.9
drupal        | core         | >= 8.4.0 < 8.4.6   | 8.4.6
drupal        | core         | >= 8.5.0 < 8.5.1   | 8.5.1
drupal        | drupal       | <= 7.57            |
drupal        | drupal       |                    |
drupal        | drupal       | >= 7.0 < 7.58      | 7.58
drupal        | drupal       | >= 8.0 < 8.3.9     | 8.3.9
drupal        | drupal       | >= 8.0.0 < 8.3.9   | 8.3.9
drupal        | drupal       | >= 8.4 < 8.4.6     | 8.4.6
drupal        | drupal       | >= 8.4.0 < 8.4.6   | 8.4.6
drupal        | drupal       | >= 8.5 < 8.5.1     | 8.5.1
drupal        | drupal       | >= 8.5.0 < 8.5.1   | 8.5.1
drupal        | drupal_core  |                    |

Detection & IOCs (extracted from sources)

Path: /user/password
  • Inspect POST body (both application/x-www-form-urlencoded and multipart/form-data) for the presence of '#post_render', '#pre_render', '#access_callback', or '#lazy_builder' keys, which are the four exploitable Form API functions.
  • Initial PoC exploited the mail[] array with #post_render calling PHP exec(). Screen HTTP requests to /user/register for mail[] parameters containing PHP function names (exec, system, passthru, eval, shell_exec, etc.).
  • A second PoC targets the timezone form field using #lazy_builder; the server returns HTTP 500 even on successful exploitation — do not rely on HTTP response code to determine exploitation success.
  • Drupal 7.x exploitation via /user/password requires two sequential HTTP requests and targets the _triggering_element_name form field. Correlate pairs of requests to this endpoint.
  • Screen for dangerous PHP functions in request parameters: exec, system, passthru, eval, shell_exec, popen, pcntl_exec, preg_replace, create_function, proc_open, assert, include, require, include_once, require_once, and backtick operator.
  • Palo Alto Networks Threat Prevention Signature 40627 identifies HTTP requests containing the CVE-2018-7600 exploit code.
  • Wild exploit payloads use wget, curl, and second-stage download mechanisms. Alert on outbound wget/curl calls originating from the web server process after requests to /user/register or /user/password.
  • The /user/register exploit path is effective against Drupal 8.x by default. Drupal 7.x requires a different endpoint (/user/password) due to differing default configurations.
  • The vulnerability affects default and common module configurations across multiple Drupal subsystems, not just a single optional module, making virtually all default Drupal deployments vulnerable.
  • No authentication is required to exploit this vulnerability; anonymous users can trigger RCE simply by visiting an affected endpoint.
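As an added illustration of the body-inspection points above (example code, not from the original page or from the Drupal project), the Python detector below walks the fields of a urlencoded or multipart/form-data POST body, flags the four Form API render keys and the listed PHP function names, and records the 7.x `_triggering_element_name` field. The key names, function list and endpoints come from the bullets above; the sample body in the `__main__` block is constructed, and the verdict is taken from the request alone rather than from the response status.

```python
import re
from urllib.parse import parse_qsl

# Form API render properties the page names as the exploitable keys.
RENDER_KEYS = ("#post_render", "#pre_render", "#access_callback", "#lazy_builder")
# PHP functions the page lists as dangerous when seen as parameter values.
DANGEROUS_FUNCS = {"exec", "system", "passthru", "eval", "shell_exec", "popen",
                   "pcntl_exec", "preg_replace", "create_function", "proc_open",
                   "assert", "include", "require", "include_once", "require_once"}
# Endpoints the page associates with 8.x (/user/register) and 7.x (/user/password).
WATCHED_PATHS = ("/user/register", "/user/password")

def form_fields(content_type: str, body: str):
    """Yield (name, value) pairs from a urlencoded or multipart/form-data body."""
    if content_type.lower().startswith("multipart/form-data"):
        boundary = content_type.split("boundary=", 1)[1].strip().strip('"')
        for part in body.split("--" + boundary)[1:]:
            if part.strip() in ("", "--"):  # gap before first part / closing delimiter
                continue
            headers, _, value = part.partition("\r\n\r\n")
            name = re.search(r'name="([^"]*)"', headers)
            if name:
                yield name.group(1), value.strip("\r\n")
    else:
        # parse_qsl percent-decodes names (mail%5B%23post_render%5D%5B%5D becomes
        # mail[#post_render][]); keep_blank_values keeps keys sent with no value.
        yield from parse_qsl(body, keep_blank_values=True)

def inspect_request(path: str, content_type: str, body: str) -> dict:
    """Inspect one decoded request. Decide from the request alone: the page notes
    the server may answer 500 even when exploitation succeeded."""
    render_keys, php_funcs, triggering = set(), set(), False
    for name, value in form_fields(content_type, body):
        render_keys.update(k for k in RENDER_KEYS if k in name)
        if name == "_triggering_element_name":  # 7.x /user/password form field
            triggering = True
        v = value.strip().lower()
        if v in DANGEROUS_FUNCS or "`" in v:  # named function or backtick operator
            php_funcs.add("backtick" if "`" in v else v)
    clean_path = path.split("?", 1)[0]
    # Render properties never belong in client input, so flag them on any path;
    # a bare function name is flagged only on the watched endpoints to limit noise.
    suspicious = bool(render_keys) or (clean_path in WATCHED_PATHS and bool(php_funcs))
    return {"path": clean_path, "render_keys": sorted(render_keys), "php_funcs": sorted(php_funcs),
            "triggering_element": triggering, "suspicious": suspicious}

if __name__ == "__main__":  # constructed sample body shaped like the page's mail[]/#post_render description
    print(inspect_request("/user/register", "application/x-www-form-urlencoded",
                          "name=bob&mail%5B%23post_render%5D%5B%5D=exec"))
```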

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           | v2.0    | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P
osv           |         | 9.8   | CRITICAL |
vulncheck     |         | 9.8   | CRITICAL |
cisa          |         | 9.8   | CRITICAL |
vendor_ubuntu |         | 3.5   | LOW      |