CVE-2024-55636 - Deserialization of Untrusted Data Vulnerability in Drupal Core Leads to Object Injection and Potential Remote Code Execution

In this post, we will discuss an important and critical vulnerability (CVE-2024-55636) in several versions of Drupal Core that can lead to the deserialization of untrusted data and potentially allow for remote code execution. This vulnerability affects versions from 8.. to 10.2.10, 10.3. to 10.3.8, and 11.. to 11..7.

The root cause of this vulnerability is that Drupal Core contains a series of methods (a gadget chain) that can be exploited when an insecure deserialization vulnerability exists on the website. While this gadget chain in itself does not pose a direct threat, it is a vector that attackers can use to achieve remote code execution if the application deserializes untrusted data due to another vulnerability.

Exploit Details

To understand the exploit, it is essential to know some basics of the PHP Object Injection. PHP Object Injection occurs when user input flows into the unserialize() function, allowing an attacker to serialize a crafted object with custom properties that can put the application at risk.

The vulnerable code snippet from Drupal

function _drupal_verify_install_profile(&$install_state) { 
    $profile = $install_state['parameters']['profile'];
    $file = $install_state['profiles'][$profile]['filename'];
    // If the install profile does not have a .profile extension, append it.
    if (!preg_match('/\.profile$/', $file)) {
      $file .= '.profile';
    }
    // Attempt to unserialize the file contents.
    $data = @file_get_contents($file);
    if ($data && ($info = @unserialize($data)) !== false) {
      $install_state['profiles'][$profile]['info'] = $info;
      $install_state['profiles'][$profile]['dir'] = dirname($file);
    }
  }

In the above code, the unserialize() function is used to load the contents of a file from the profiles directory. If an attacker can control the name of the loaded file, they can inject arbitrary code by crafting a serialized PHP object that triggers the vulnerability.

Links to original references

- Drupal Security Advisory: https://www.drupal.org/sa-core-2024-007
- NVD Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-55636

How to Fix

To fix this vulnerability, it is essential to update your Drupal Core to the following secure versions:

If you are on Drupal 11.. to 11..7, update to 11..8

You can find the latest version of Drupal Core on the official Drupal website at https://www.drupal.org/project/drupal.

Conclusion

Insecure deserialization vulnerabilities are a severe threat to web applications. As seen in CVE-2024-55636 for Drupal Core, these vulnerabilities can allow attackers to craft and inject harmful objects that can lead to remote code execution. It is essential to stay updated with your Drupal Core versions and apply the necessary patches to mitigate the risk of this critical vulnerability.

Remember, prevention is better than a cure. Always make sure to keep your web applications secure and up to date with the latest security guidelines and best practices.

Timeline

Published on: 12/10/2024 00:15:22 UTC
Last modified on: 12/16/2024 18:15:11 UTC