Drupalgeddon 3 in retrospect

As you know, recently we’ve released multiple security patches for the Drupalgeddon vulnerabilities. The last one was Drupal Remote Code Execution – SA-CORE-2018-004, CVE-2018-7602, patched only 2 days after it was first discovered. We’re very proud of our quick reaction time and would like to share some statistics with you about the attacks that were prevented since then – with the help of BitNinja.

The data from the first incident that we’ve caught looks like this (the URL is masked for privacy purposes):

Url: [###.hu//]
Headers: [array (
'User-Agent' => 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31',
'Host' => '###.hu',
'Connection' => 'TE, close',
'TE' => 'deflate,gzip;q=0.3',
0 => 'application/json',
'Content-Length' => '88',
'Content-Type' => 'application/x-www-form-urlencoded',
)]
Get: ['?q=node/99/delete&destination=node?q[%2523][]=passthru%26q[%2523type]=markup%26q[%2523markup]=id;uname+-a']
Post: ['form_id=node_delete_confirm&_triggering_element_name=form_id&form_token=%5BCSRF-TOKEN%5D']
Matched: [
ModSecurity id: [402003] revision []
msg [Drupal Remote Code Execution - SA-CORE-2018-004: Block all destination q[#]
logdata [Matched "Operator `Rx' with parameter `(?q[(#|(%(25)*23))|(&|%(25)*26)q[(%(25)*23))' against variable `ARGS:destination' (Value: `node?q[%23][]=passthru&q[%23type]=markup&q[%23markup]=id;uname -a' )]
severity [CRITICAL]

ModSecurity id: [1010035] revision []
msg [Pattern [59d625d65df0bd004c1dcdf1]]
logdata [Matched "Operator `Gt' with parameter `0' against variable `TX:BN_INBOUND_FOUND' (Value: `1' )]
severity [EMERGENCY]

You can see that both the GET and POST data fields contain URL-encoded characters. The "%2523" sequences in the GET data are double-encoded: "%25" is an encoded "%", so one decoding pass turns "%2523" into "%23" (the value ModSecurity matched against in the log above), and a second pass turns it into "#". After fully URL-decoding the data in the GET request, we get this:

['?q=node/99/delete&destination=node?q[#][]=passthru&q[#type]=markup&q[#markup]=id;uname -a']
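To make the decoding step and the rule match concrete, here is an added example (not BitNinja's code and not from the original post) that walks the captured GET query string from above through the same stages: one URL-decoding pass, which is what ModSecurity's ARGS collection holds and what the logdata line shows, then a full decode to the form printed above, and finally the rule 402003 pattern applied to the once-decoded destination value. The pattern in the log appears to have lost its regex backslashes during extraction, so the escaped form used here is an assumption; the sample query string is the one from the incident, and the benign destination values are constructed for comparison.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample: the GET query string from the incident above (host masked
# on the page; the query string itself is reproduced as logged).
SAMPLE_QUERY = (
    "?q=node/99/delete&destination=node?q[%2523][]=passthru"
    "%26q[%2523type]=markup%26q[%2523markup]=id;uname+-a"
)

# Assumption: the rule 402003 operator pattern as printed on the page lost its
# backslashes; this is the escaped PCRE-style form we assume was intended.
# It matches "?q[" followed by "#", "%23", "%2523", ... or "&"/"%26"/"%2526"
# followed by "q[%23"/"q[%2523"/..., i.e. a render-array key smuggled into
# the destination parameter at any encoding depth.
DESTINATION_RX = re.compile(r"(\?q\[(#|(%(25)*23))|(&|%(25)*26)q\[(%(25)*23))")


def parse_args(query):
    """Split a query string into a dict, applying exactly one URL-decoding
    pass to names and values (the view a WAF has of ARGS)."""
    args = {}
    for pair in query.lstrip("?").split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        args[unquote_plus(name)] = unquote_plus(value)
    return args


def destination_as_seen_by_waf(query):
    """Return the destination argument after a single decoding pass."""
    return parse_args(query).get("destination", "")


def decode_fully(value, max_rounds=5):
    """Keep URL-decoding until the value stops changing, so nested encodings
    such as %2523 -> %23 -> # are unwrapped (bounded to avoid looping)."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            return value
        value = decoded
    return value


def matches_rule(destination):
    """True if the destination value triggers the assumed rule 402003 pattern."""
    return DESTINATION_RX.search(destination) is not None


def analyse(query):
    """Summarise one request: what the WAF sees, the fully decoded value,
    and whether the rule fires on the once-decoded value."""
    seen = destination_as_seen_by_waf(query)
    return {
        "waf_view": seen,
        "fully_decoded": decode_fully(seen),
        "rule_402003_hit": matches_rule(seen),
    }


if __name__ == "__main__":
    for key, val in analyse(SAMPLE_QUERY).items():
        print(f"{key}: {val}")
    # Constructed benign destinations for comparison: a normal redirect target
    # and one that merely contains a bracket without a render-array key.
    for benign in ("node/5", "node?q[page]=2"):
        print(f"{benign!r} -> hit={matches_rule(benign)}")
```

The point to take from running it is that the rule does not need the engine to fully decode the request: the pattern's "%(25)*23" alternatives accept "%23", "%2523", "%252523" and so on, so the same rule fires whether the attacker encodes the "#" once, twice or more, while ordinary destination values with no render-array key are left alone.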

On the chart below you can see that the frequency of the Drupalgeddon 3 attacks doesn’t seem to decrease: BitNinja has caught 89 incidents of this type (until 11th June) since we’ve released the security patch:

So if you'd like to be protected too, you only need to enable our WAF module and use the BitNinja safe minimum ruleset template. We've named the Drupalgeddon rules "Drupal Remote Execution Protection"; they are part of the BitNinja safe minimum ruleset template in the BitNinja Ruleset section. Its rule number is 402003.

Do you have any questions? Please contact us or write a comment!