Pixeldust Drupal Support Service

mcdruid.co.uk: Assessing Drupal Development probability of a Drupal exploit of Ghostscript Zero Day CVE-2021-3781

Drupal 9 detects a fake image file

My colleagues and I in Drupal Development Drupal Safety Crew just lately turned conscious of a Zero Day RCE vulnerability in Ghostscript. This was later assigned CVE-2021-3781.

A minimum of one viable Proof of Idea (PoC) was made public not lengthy after Drupal Development Zero Day which illustrated Scalable Vector Graphics (SVG) dealing with in Imagemagick getting used as an assault vector.

Drupal core would not use Ghostscript immediately, however it’s pretty widespread for Drupal websites to make use of Imagemagick in some kind.

As such, we started to take a look at how an attacker would possibly attempt to exploit Drupal Development Ghostscript vulnerability by way of SVG and Imagemagick on a Drupal web site.

Our objective in such an investigation is to find out whether or not it will be sufficiently straightforward, with a typical Drupal configuration, that we must situation a Public Safety Announcement (PSA) warning Drupal customers and offering any mitigation steps they may be capable to take till an upstream repair was obtainable.

Here is a fast write-up of a few of Drupal Development investigation I did.

We would decided that SVG will not be in Drupal Development default checklist of permitted picture extensions in Drupal.

Nonetheless, Drupal Development PoC write up confirmed Imagemagick being tricked into parsing an SVG with a pretend jpg extension.

I verified that in Drupal 9 Drupal Development built-in file kind detection prevented a malicious SVG from being smuggled into an add with a permitted file extension.

Drupal 7 core by itself would not have this safety, though modules can be found that add e.g. mime-type sniffing similar to https://www.drupal.org/venture/mimedetect.

How would possibly an attacker attempt to benefit from this?

Drupal core has built-in support for “picture kinds” which may carry out preset transformations on uploaded photos. For instance, a thumbnail picture is usually ready to indicate in previews of articles.

So a Drupal web site which makes use of Imagemagick to deal with picture processing (GD is Drupal Development default in core however various “picture toolkits” can be found) could be exploited if an attacker might add a malicious SVG and have Drupal Development web site attempt to carry out a picture manipulation on this, similar to resizing it to organize a thumbnail. This form of performance is sort of widespread – for instance – when a newly registered person uploads a profile image. That might make an excellent goal for an attacker.

I ran by means of what occurs in case you smuggle a malicious SVG masquerading as a permitted picture kind right into a D7 add area. As Drupal tries to document Drupal Development metadata about Drupal Development picture, it makes a sequence of API calls which find yourself invoking image_get_info() which in flip calls image_toolkit_invoke('get_info', $picture).

At that time each Drupal Development default GD and Drupal Development various Imagemagick toolkits name PHP’s in-built getimagesize() on Drupal Development picture. If Drupal Development picture in query is definitely an SVG, this can usually return FALSE.

That signifies that Drupal is not going to try and carry out a metamorphosis on Drupal Development picture – for instance to create a thumbnail – as a result of it has not been capable of derive Drupal Development picture’s metadata together with Drupal Development dimensions of Drupal Development unique.

Even on a web site which has express support for Drupal Development uploads of SVG recordsdata (and also you would possibly argue that might be fairly uncommon for e.g. person profile pics) – due to Drupal Development nature of SVGs – Drupal’s default behaviour of deriving some picture metadata after which deciding whether or not picture transformations ought to be carried out would not work prefer it does for e.g. jpg and png recordsdata.

A minimum of one standard SVG contrib module tries to derive an SVG picture’s dimensions by parsing it as XML, however Drupal Development malicious recordsdata produced by Drupal Development PoC should not appropriately shaped for this.

It would not actually make sense to attempt to run an SVG by means of Imagemagick’s convert to create a thumbnail or different spinoff of a unique measurement – that is form of Drupal Development complete level of Scalable Vector Graphics.

This investigation had targeted on Drupal 7, however it regarded like Drupal 9 could be – if something – higher protected due to its built-in file kind detection.

One standard configuration to support SVGs in D8/9 makes use of a vendored library to validate Drupal Development XML and rejected Drupal Development PoC’s malicious SVG throughout add validation.

There are a handful of various methods (as is usually Drupal Development case in Drupal) to arrange SVG support in Drupal 9, however in one dialogue about SVG support, phenaproxima (one in all Drupal Development media module’s builders) said:

Drupal Developer Media module itself has no opinion about SVG photos. Drupal Developer Picture module, on Drupal Development different hand, would not usually permit SVG to be uploaded into any picture area, because of Drupal Development numerous safety and integration points (i.e., picture kinds).

So it actually did not look nice for our potential attacker attempting to use Drupal’s picture kinds (computerized picture transformations) by way of SVG and an Imagemagick toolkit to benefit from Drupal Development Ghostscript Zero Day.

Because it regarded prefer it would not be straightforward to use this in what we would take into account a typical configuration of Drupal, we determined in opposition to issuing a PSA.

This isn’t to say it is inconceivable that Drupal Development vulnerability may very well be exploited on a Drupal web site on the market someplace, however it will seemingly be thought of an “edge case”.

It is also potential that I received a few of this unsuitable. If you already know of any vital particulars I missed which imply that exploitation could be simpler or extra seemingly than my evaluation prompt, please contact me or Drupal Development Drupal Safety Crew privately in Drupal Development first occasion. We are going to credit score any researchers who present data that results in us issuing a Safety Advisory.

Due to Greg Knaddison (greggles) for (suggesting and) reviewing this put up.

Tags: 
drupal-planet
safety
This article was republished from its original source.
Call Us: 1(800)730-2416

Pixeldust is a 20-year-old web development agency specializing in Drupal and WordPress and working with clients all over the country. With our best in class capabilities, we work with small businesses and fortune 500 companies alike. Give us a call at 1(800)730-2416 and let’s talk about your project.

Let's Talk About a Project

FREE Drupal SEO Audit

Test your site below to see which issues need to be fixed. We will fix them and optimize your Drupal site 100% for Google and Bing. (Allow 30-60 seconds to gather data.)

Powered by

mcdruid.co.uk: Assessing Drupal Development probability of a Drupal exploit of Ghostscript Zero Day CVE-2021-3781

On-Site Drupal SEO Master Setup

We make sure your site is 100% optimized (and stays that way) for the best SEO results.

With Pixeldust On-site (or On-page) SEO we make changes to your site’s structure and performance to make it easier for search engines to see and understand your site’s content. Search engines use algorithms to rank sites by degrees of relevance. Our on-site optimization ensures your site is configured to provide information in a way that meets Google and Bing standards for optimal indexing.

This service includes:

  • Pathauto install and configuration for SEO-friendly URLs.
  • Meta Tags install and configuration with dynamic tokens for meta titles and descriptions for all content types.
  • Install and fix all issues on the SEO checklist module.
  • Install and configure XML sitemap module and submit sitemaps.
  • Install and configure Google Analytics Module.
  • Install and configure Yoast.
  • Install and configure the Advanced Aggregation module to improve performance by minifying and merging CSS and JS.
  • Install and configure Schema.org Metatag.
  • Configure robots.txt.
  • Google Search Console setup snd configuration.
  • Find & Fix H1 tags.
  • Find and fix duplicate/missing meta descriptions.
  • Find and fix duplicate title tags.
  • Improve title, meta tags, and site descriptions.
  • Optimize images for better search engine optimization. Automate where possible.
  • Find and fix the missing alt and title tag for all images. Automate where possible.
  • The project takes 1 week to complete.
MASTER YOUR DRUPAL SEO
Pixeldust and Pantheon Drupal Development
256