Drupal 7.32 Security Vulnerability

1. Hong Kong Drupal User Group
Drupal 7.32 Security Vulnerability
Edison Wong
2014 Nov 08th

2. Edison Wong
● CEO, PantaRei Design
– hswong3i@pantarei-design.com
● Drupal developer & contributor
– https://drupal.org/user/33940
● HKDUG Co-founder
– https://groups.drupal.org/drupalhk
● Startup founder
– 2009 - PantaRei Design founded
– 2010 - YBHK applicant
– 2011 - ITF SERAP applicant
– 2011 - HKSTP Incu-Tech applicant

3. PantaRei Design
● Hong Kong based Free and Open Source Software (FOSS) service
provider
– Content Management System (CMS) with Drupal
– Cloud hosting with Amazon Web Services (AWS)
● Business Partnership
– 2012 - AWS Consulting Partner
– 2013 - Acquia Partner
– 2013 - Atlassian Experts
– 2014 - Rackspace Hosting Partner
● FOSS Contributor
– 2008 - Hong Kong Drupal User Group Co-founder
– 2012 - Drupal Services Provider

9. Outline
● What's Happened with Drupal 7.32?
● Technical Details
● OMG! So What Should I Do for It?
● How to Restore My (Hacked) Drupal Site?
● How to Update My Drupal Site?
● Any Follow Up Action Required?
● Is Drupal Secure?
● Security Tips

10. What's Happened with Drupal
7.32?
● Vulnerability: SQL Injection
● Security risk: 25/25 (Highly Critical)
● Unless updated or patched to Drupal 7.23 before 2014 Oct
15th, 23:00 UTC (i.e. 7 hours after the announcement), you
should assume your sites was compromised.
● Simply updating to Drupal 7.32 will NOT remove backdoors.
● Attackers may have copied all data out of your site and
could use it maliciously.
● There may be no trace of the attack.

12. Technical Details
● Drupal uses prepared statements in all its SQL queries.
To handle IN statements there is an expandArguments()
function to expand arrays.
● The function assumes that it is called with an array
which has no keys. Example:
– db_query("SELECT * FROM {users} where name IN
(:name)", array(':name'=>array('user1','user2')));
● Which results in this SQL Statement with the parameters
name_0 = user1 and name_1 = user2:
– SELECT * from users where name IN (:name_0, :name_1)

13. Technical Details (cont.)
● The Problem occurs, if the array has keys,
which are no integers. Example:
– db_query("SELECT * FROM {users} where name IN
(:name)", array(':name'=>array('test -- ' =>
'user1','test' => 'user2')));
● This results in an exploitable SQL query with
parameters :name_test = user2:
– SELECT * FROM users WHERE name =
:name_test -- , :name_test AND status = 1

14. Technical Details (cont.)
● Since Drupal uses PDO, multi-queries are allowed. So this
SQL Injection can be used to insert arbitrary data in the
database, dump or modify existing data or drop the whole
database.
● With the possibility to INSERT arbitrary data into the
database an attacker can execute any PHP code through
Drupal features with callbacks.
● Attackers may have created access points for themselves
(sometimes called “backdoors”) in the database, code, files
directory and other locations. Attackers could compromise
other services on the server or escalate their access.

16. OMG! So What Should I Do for It?
● Removing a compromised website’s backdoors
is difficult because it is not possible to be
certain all backdoors have been found.
● The Drupal security team recommends that you
consult with your hosting provider. If they did
not patch Drupal for you or otherwise block the
SQL injection attacks within hours of the
announcement of Oct 15th, 4pm UTC, restore
your website to a backup from before 15
October 2014.

17. How to Restore My (Hacked)
Drupal Site?
● Take the website offline by replacing it with a static HTML
page
● Notify the server’s administrator emphasizing that other sites
or applications hosted on the same server might have been
compromised via a backdoor installed by the initial attack.
● Consider obtaining a new server, or otherwise remove all the
website’s files and database from the server. (Keep a copy
safe for later analysis.)
● Restore the website (Drupal files, uploaded files and
database) from backups from before 15 October 2014

18. How to Update My Drupal Site?
● Update or patch the restored Drupal core code, e.g.
– cd public_html
– curl -sL https://www.drupal.org/files/issues/SA-CORE-
2014-005-D7.patch | patch -p1
● Put the restored and patched/updated website back
online.
● Manually redo any desired changes made to the
website since the date of the restored backup.

19. Any Follow Up Action Required?
● Audit anything merged from the compromised
website, such as custom code, configuration,
files or other artifacts, to confirm they are
correct and have not been tampered with.
● While recovery without restoring from backup
may be possible, this is not advised because
backdoors can be extremely difficult to find. The
recommendation is to restore from backup or
rebuild from scratch.

20. Is Drupal Secure?
● All software has security vulnerabilities and Drupal is no
exception. In a study by WhiteHat Security, 86% of websites
across a variety of platforms both Open Source and proprietary
had a serious vulnerability.
● Drupal aims to provide a framework with built-in security features
that make it easier for site-builders and developers to build a
secure website.
● Over the years the mix of security issues found in Drupal has
changed. The OWASP project lists injection issues such as SQL
Injection as the #1 issue based on how often it is found and the
risk exposure. By providing rich APIs and developer education,
Drupal has reduced the frequency of SQL Injection vulnerabilities.

22. Security Tips
● Keep Your Drupal Install Updated
● Always Keep Maintained Plug-ins And Modules
● Making Strong Passwords
● Authorize Website Accounts
● Setup Firewall Settings
● Make A Security Strategy For Your Independent Modules
● Think Like A Hacker
● Audit Your Drupal Security
● Get In Touch With the Drupal Community And Security Team

23. References
● https://www.drupal.org/drupalsa05FAQ
● https://www.drupal.org/SA-CORE-2014-005
● https://www.drupal.org/PSA-2014-003
● https://www.drupal.org/files/issues/SA-CORE-2014-005-D7.patc
h
● https://www.drupal.org/node/2365547
● https://www.sektioneins.de/en/advisories/advisory-012014-drupal-pre-
auth-sql-injection-vulnerability.html
● http://drupal.stackexchange.com/questions/133795/what-kind-of
-attacks-does-the-patch-for-sa-core-2014-005-drupal-7-32-prev
ent

24. Q & A

25. I Need More Help!
● Read documents from Drupal Community
– https://drupal.org/documentation
● Join Hong Kong Drupal User Group
– Event organizing: http://www.meetup.com/drupalhk
– Technological discussion: https://groups.drupal.org/drupalhk
– Business connection:
http://www.linkedin.com/groups/?gid=6644792
– General sharing: https://www.facebook.com/groups/drupalhk
● Contact us for one (1) month free-trial support service
– http://pantarei-design.com/services/support/#support-service-plan
s

26. Thank You
● Please feel free to contact us:
– Unit 207, 2/F IC Development Centre, No.6 Science
Park West Avenue, Hong Kong Science Park,
Shatin, N.T.
– +852 3576 3812
– http://pantarei-design.com/
– sales@pantarei-design.com