When a team of researchers from Ambionics audited the Service module of Drupal, they found an insecure use of unserialize(). Using this vulnerability the exploiters could easily exploit SQL injection and, remote code execution.
The module, Services is a "standardized solution for building API's so that external clients can communicate with Drupal," it allows you to create different endpoints with different resources, which helps them to send and fetch information in several output formats. It is currently being used with around 45,000 active websites, and it is the 150th most used plugin of Drupal.
Among the other features, one of the main features is that one can control the format of the input/output by just changing the Content-Type/Accept headers. By default, you can only use the following input formats: application/XML, application/JSON, multipart/form-data, application/vnd.php.serialized.
According to the Ambionics website the source and sinks of the exploitation is, "Even if Drupal lacks straightforward unserialize() gadgets, the numerous endpoints that are available in Services, combined with the ability to send serialized data, provides a lot of ways to exploit the vulnerability: user-submitted data can be used in SQL queries, echoed back in the result, etc. Our exploitation focuses on /user/login, since it was the most used endpoint amongst our clients. It is nonetheless possible to construct an RCE payload that works on any URL, as long as the PHP deserialization is activated."
The security team at the Drupal took 40 minutes to review the reports presented by the Ambionics, and propose a correct patch. They released an advisory along with a new version were published on 03/08/2017 (Services - Critical - Arbitrary Code Execution - SA-CONTRIB-2017-029).
It is strongly recommend to disable application/vnd.php.serialized in Drupal Services settings and update your version as soon as possible.
The module, Services is a "standardized solution for building API's so that external clients can communicate with Drupal," it allows you to create different endpoints with different resources, which helps them to send and fetch information in several output formats. It is currently being used with around 45,000 active websites, and it is the 150th most used plugin of Drupal.
Among the other features, one of the main features is that one can control the format of the input/output by just changing the Content-Type/Accept headers. By default, you can only use the following input formats: application/XML, application/JSON, multipart/form-data, application/vnd.php.serialized.
According to the Ambionics website the source and sinks of the exploitation is, "Even if Drupal lacks straightforward unserialize() gadgets, the numerous endpoints that are available in Services, combined with the ability to send serialized data, provides a lot of ways to exploit the vulnerability: user-submitted data can be used in SQL queries, echoed back in the result, etc. Our exploitation focuses on /user/login, since it was the most used endpoint amongst our clients. It is nonetheless possible to construct an RCE payload that works on any URL, as long as the PHP deserialization is activated."
The security team at the Drupal took 40 minutes to review the reports presented by the Ambionics, and propose a correct patch. They released an advisory along with a new version were published on 03/08/2017 (Services - Critical - Arbitrary Code Execution - SA-CONTRIB-2017-029).
It is strongly recommend to disable application/vnd.php.serialized in Drupal Services settings and update your version as soon as possible.