Drupal Security

Various attacks and ways to protect site

Presented by Vasily Kraev
Drupal Camp Msk 2014

About me

and disclaimer  :)

Sword and shield

  • Everything is hackable
  • Sometimes the "hack" cost is high
  • Don't be paranoid, try to balance

The foundation

Process

  • Gathering info about the target
  • Attack
  • Maybe: backdoor/rootkit
  • PROFIT!!!!11

Gathering info

Gathering info

  • Google dorks
  • HTML source code
  • README.txt / INSTALL.txt
    *.txt / css / js files shipped inside modules
  • nmap, Havij, Metasploit Framework

Dorks

inurl:CHANGELOG.txt intext:drupal 
intext:"SA-CORE" -intext:7.32 
-site:github.com -site:drupal.org
$databases['default']['default'] = array( password

nmap example on vestaCP

Scanning blablabla.net (xxx.xxx.xxx.xxx) [1000 ports]
Discovered open port 587/tcp on xxx.xxx.xxx.xxx
...
Discovered open port 8443/tcp on xxx.xxx.xxx.xxx
Completed SYN Stealth Scan at 08:40, 1.56s elapsed (1000 total ports)
Initiating OS detection (try #1) against blablabla.net (xxx.xxx.xxx.xxx)
Retrying OS detection (try #2) against blablabla.net (xxx.xxx.xxx.xxx)
Nmap scan report for blablabla.net (xxx.xxx.xxx.xxx)
Host is up (0.058s latency).
Not shown: 989 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
465/tcp  open  smtps
587/tcp  open  submission
2525/tcp open  ms-v-worlds
3306/tcp open  mysql
8080/tcp open  http-proxy
8083/tcp open  us-srv
8443/tcp open  https-alt
Device type: general purpose|WAP|storage-misc|broadband router|media device|phone
Running (JUST GUESSING): Linux 3.X|2.6.X|2.4.X (96%), Asus Linux (93%), HP embedded (91%), Linksys Linux 2.4.X (90%), ......

Attack

You must protect the whole server...

Attack

... and the people behind it, too

Attack

  • Drupal-specific
  • DoS: RAM / HDD / DB
  • DDoS
  • Non-standard

Drupal bad practice

// Vulnerable: $node->title is printed without escaping (XSS).
print "<a href='/node/" . $node->nid . 
      "'>" . $node->title . "</a>";

// Vulnerable: $status and $nid are concatenated straight into the SQL string (injection).
$result = db_query("UPDATE {node} 
SET status = " . $status . " WHERE nid = " . $nid);

// Raw field value: unsanitized, and with a hard-coded 'und' language key.
$nomer = $node->field_nomer['und'][0]['value'];

much better

// l() runs check_plain() on the link text itself, so don't escape it twice;
// pass the system path, $node->path is an alias array in Drupal 7.
print l(t('Title:') . $node->title, 'node/' . $node->nid);

$result = db_update('node')
  ->fields(array('status' => 1))
  ->condition('nid', 123)
  ->execute();

Hey, I know the wrappers!

$wrapper = entity_metadata_wrapper('node', $node);
// Both value() (without options) and raw() return the unsanitized stored value.
$title = $wrapper->title->value();
$number = $wrapper->field_number->raw(); 

Use wrappers right!

$wrapper = entity_metadata_wrapper('node', $node);

$title = $wrapper->title->value(array('sanitize' => TRUE));

XSS Risk

  • echo() print()
  • theme()
  • t() and l() placeholders other than @ / % (raw !)
  • var_dump() dpm()
  • console.log()
  • watchdog()
  • drupal_set_title() drupal_set_message()
  • $form_state values
  • Templates (.tpl.php)
  • Theme's code
  • Preprocess functions
  • Validation messages
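The list above names the Drupal 7 output paths where unescaped data turns into XSS. The following is an added example (not code from the talk) showing the same node title passed through those paths both wrongly and correctly; the module prefix `xss_demo` and the attacker-style title are constructed for the demonstration.

```php
<?php
// Added example, not from the talk. Assumes a hypothetical Drupal 7 module
// "xss_demo"; the title value at the bottom is constructed for illustration.

/**
 * Renders a node title three ways so the difference can be compared.
 *
 * '!' inserts the value verbatim, '@' runs check_plain(), '%' runs
 * drupal_placeholder() (escaped and wrapped in <em>).
 */
function xss_demo_render_title($title) {
  return array(
    // BAD: markup inside $title is emitted as-is.
    'unsafe'  => t('Title: !title', array('!title' => $title)),
    // GOOD: escaped.
    'safe'    => t('Title: @title', array('@title' => $title)),
    'safe_em' => t('Title: %title', array('%title' => $title)),
  );
}

/**
 * Builds a node link. l() already escapes the link text with check_plain()
 * unless 'html' => TRUE is passed, so do NOT pre-escape (that double-encodes).
 */
function xss_demo_node_link($node) {
  return l($node->title, 'node/' . $node->nid);
}

/**
 * Messages and log entries are rendered later as HTML, so sanitize here.
 */
function xss_demo_report($node) {
  // drupal_set_message() prints its argument as-is: go through t() placeholders.
  drupal_set_message(t('Saved node %title.', array('%title' => $node->title)));
  // watchdog() substitutes placeholders the same way; '@'/'%' keep the log page safe.
  watchdog('xss_demo', 'Node @nid saved with title @title',
    array('@nid' => $node->nid, '@title' => $node->title), WATCHDOG_NOTICE);
}

/**
 * Implements hook_preprocess_node(): sanitize before the value reaches a .tpl.php.
 *
 * Template authors tend to print variables directly, so hand them safe strings only.
 */
function xss_demo_preprocess_node(&$variables) {
  $node = $variables['node'];
  $variables['xss_demo_subtitle'] = check_plain($node->title);
}

// Constructed attacker-style input for trying the functions above.
$node = (object) array('nid' => 1, 'title' => '<script>alert(1)</script>');
$out = xss_demo_render_title($node->title);
```

Of the three strings returned by `xss_demo_render_title()`, only `unsafe` still carries a live `<script>` tag; the other two carry `&lt;script&gt;`. The same rule covers `drupal_set_title()`, form validation messages and anything a theme prints: escape at the last moment, exactly once.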

Remember!

XSRF

  • Inspect hook_permissions()
  • Get permission names
  • Check access_callback in hook_menu()
  • if (user_access('something')) { ... }  (a trailing ; after the if makes the check a no-op)
  • Acting on $_GET / $_POST without validating a secure token? XSRF is possible
  • Inspect hook_menu() & AJAX callbacks

Access bypass

How to fix?

  • user_access for permissions
  • node_access
  • entity_access
  • $query->addTag('node_access');
  • Use FormAPI
  • Send & validate tokens
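To make the XSRF and access-bypass fixes above concrete, here is an added example (not code from the talk) of a small Drupal 7 module that exposes a "publish node" action: a per-node access callback in `hook_menu()`, a token generated with `drupal_get_token()` and checked with `drupal_valid_token()` because the action is triggered by GET rather than a Form API submit, and a listing query tagged `node_access`. The module name `csrf_demo`, its path and permission name are assumed.

```php
<?php
// Added example, not from the talk: hypothetical Drupal 7 module "csrf_demo".

/**
 * Implements hook_permission().
 */
function csrf_demo_permission() {
  return array(
    'csrf_demo publish nodes' => array('title' => t('Publish nodes via csrf_demo')),
  );
}

/**
 * Implements hook_menu().
 *
 * Access is decided per node by csrf_demo_publish_access(), never by
 * 'access callback' => TRUE on a state-changing path.
 */
function csrf_demo_menu() {
  $items['node/%node/csrf-demo-publish'] = array(
    'title' => 'Publish',
    'page callback' => 'csrf_demo_publish',
    'page arguments' => array(1),
    'access callback' => 'csrf_demo_publish_access',
    'access arguments' => array(1),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Access callback: the permission AND node-level access on this node.
 */
function csrf_demo_publish_access($node) {
  return user_access('csrf_demo publish nodes') && node_access('update', $node);
}

/**
 * Builds the action link carrying a token bound to the user's session and path.
 */
function csrf_demo_publish_link($node) {
  $path = 'node/' . $node->nid . '/csrf-demo-publish';
  return l(t('Publish'), $path, array(
    'query' => array('token' => drupal_get_token($path)),
  ));
}

/**
 * Page callback. The state change is driven by a GET request, so the token is
 * the only thing preventing a third-party page from triggering it.
 * (Form API forms get this for free through their hidden form_token.)
 */
function csrf_demo_publish($node) {
  $path = 'node/' . $node->nid . '/csrf-demo-publish';
  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], $path)) {
    return MENU_ACCESS_DENIED;
  }
  db_update('node')
    ->fields(array('status' => NODE_PUBLISHED))
    ->condition('nid', $node->nid)
    ->execute();
  drupal_set_message(t('Node %title published.', array('%title' => $node->title)));
  drupal_goto('node/' . $node->nid);
}

/**
 * Listing query that respects the current user's node access grants.
 * Without the 'node_access' tag, restricted nodes leak into custom lists.
 */
function csrf_demo_visible_nids($limit = 10) {
  return db_select('node', 'n')
    ->fields('n', array('nid'))
    ->condition('n.status', NODE_PUBLISHED)
    ->range(0, $limit)
    ->addTag('node_access')
    ->execute()
    ->fetchCol();
}
```

Note that the access callback and the token check guard different things: the callback decides who may perform the action at all, the token proves the request was initiated from a page this user actually loaded.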

Modules for security

  • Secure login
  • Password policy
  • Paranoia
  • Hacked!
  • Permissions Lock
  • Security Review
  • Two Factor Authentication

Enhancing security

DoS

DoS

RAM
A single-colour PNG of 10000x10000 px is only ~215 kB on disk...

...but resizing it to a 200x200 px thumbnail needs ~2 GB of RAM, because the whole bitmap is decoded first

HDD
Zip bomb
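Both resource-exhaustion cases above are caught cheapest before any decoding or extraction happens. The following is an added example (not code from the talk) of Drupal 7 upload validators that read only the PNG header for its pixel dimensions and the zip central directory for declared sizes; the `dos_demo` prefix, the form field name `upload` and the limits are assumed.

```php
<?php
// Added example, not from the talk. Assumes a hypothetical Drupal 7 form with a
// managed file element named "upload"; limits (2 MB, 4 Mpx, ratio 50:1, 100 MB
// expanded) are illustrative.

/**
 * Validators passed to file_save_upload().
 *
 * Core's file_validate_image_resolution() *resizes* an oversized image to fit,
 * which is exactly the memory-hungry operation we want to avoid, so pixel
 * limits are enforced by a custom validator that only reads the header.
 */
function dos_demo_upload_validators() {
  return array(
    'file_validate_extensions' => array('png jpg jpeg gif zip'),
    'file_validate_size' => array(2 * 1024 * 1024),
    'dos_demo_validate_image_pixels' => array(4000000),
    'dos_demo_validate_zip_ratio' => array(50, 100 * 1024 * 1024),
  );
}

/**
 * Rejects images whose decoded bitmap would exceed $max_pixels.
 *
 * image_get_info() uses getimagesize(), which takes the dimensions from the
 * header without decoding the bitmap, so a 10000x10000 px PNG costs kilobytes.
 */
function dos_demo_validate_image_pixels($file, $max_pixels) {
  $errors = array();
  $info = image_get_info($file->uri);
  if ($info && $info['width'] * $info['height'] > $max_pixels) {
    $errors[] = t('The image is @w x @h pixels; the maximum is @max pixels.',
      array('@w' => $info['width'], '@h' => $info['height'], '@max' => $max_pixels));
  }
  return $errors;
}

/**
 * Rejects archives that declare an implausible compression ratio or a huge
 * total uncompressed size, before anything is extracted to disk.
 */
function dos_demo_validate_zip_ratio($file, $max_ratio, $max_total) {
  $errors = array();
  if (strtolower(pathinfo($file->filename, PATHINFO_EXTENSION)) !== 'zip') {
    return $errors;
  }
  $zip = new ZipArchive();
  if ($zip->open(drupal_realpath($file->uri)) !== TRUE) {
    return array(t('The archive could not be read.'));
  }
  $uncompressed = 0;
  $compressed = 0;
  for ($i = 0; $i < $zip->numFiles; $i++) {
    $stat = $zip->statIndex($i);
    $uncompressed += $stat['size'];
    $compressed += $stat['comp_size'];
  }
  $zip->close();
  if ($uncompressed > $max_total) {
    $errors[] = t('The archive would expand to @size; the maximum is @max.',
      array('@size' => format_size($uncompressed), '@max' => format_size($max_total)));
  }
  // Guard against division by zero for archives made of empty entries.
  if ($compressed > 0 && $uncompressed / $compressed > $max_ratio) {
    $errors[] = t('The archive compression ratio (@ratio:1) is implausibly high.',
      array('@ratio' => round($uncompressed / $compressed)));
  }
  return $errors;
}

/**
 * Submit handler: file_save_upload() runs the validators and returns FALSE
 * (with error messages set) when any of them reports a problem.
 */
function dos_demo_form_submit($form, &$form_state) {
  $file = file_save_upload('upload', dos_demo_upload_validators(), 'public://uploads');
  if ($file) {
    $file->status = FILE_STATUS_PERMANENT;
    file_save($file);
  }
}
```

The zip check only inspects the outermost archive; nested archives have to be re-checked at each extraction level, and the extraction itself should still run with a disk quota.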

Misconfig

  • Not closed ports
  • One user for apache+php / all sites
  • Wrong perms on dirs / config file or .htaccess (iframe, traffic redirect, shell)
    AddType application/x-httpd-php .jpg
    Redirect 301 / http://very-bad-site.com/
  • Wrong configuration copied from docs (nginx, Linode), Drupal modules, etc.
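The two `.htaccess` lines above are what a planted or mis-edited file in the uploads directory looks like. As an added example (not code from the talk), here is a small stand-alone PHP audit script that checks `settings.php` permissions and verifies that the public files directory still carries the markers Drupal 7 writes into its own `.htaccess`; the paths are parameters and the suspicious-directive list is a constructed heuristic.

```php
<?php
// Added example, not from the talk: a stand-alone audit for a Drupal 7 docroot.
// Run as: php audit.php /var/www/drupal/sites/default/settings.php /var/www/drupal/sites/default/files
// (paths are placeholders for your own installation).

/**
 * Returns findings about settings.php permissions.
 *
 * Drupal's docs recommend 0444/0440; group/world-writable lets the web server
 * (or any other site sharing its user) rewrite the config, and world-readable
 * exposes the DB password to every account on the host.
 */
function audit_settings_php($path) {
  if (!is_file($path)) {
    return array("settings.php not found at $path");
  }
  $findings = array();
  $mode = fileperms($path) & 0777;
  if ($mode & 0022) {
    $findings[] = sprintf('%s is group/world-writable (%o)', $path, $mode);
  }
  if ($mode & 0004) {
    $findings[] = sprintf('%s is world-readable (%o): DB password visible to other users', $path, $mode);
  }
  return $findings;
}

/**
 * Returns findings about the .htaccess in the public files directory.
 */
function audit_files_htaccess($files_dir) {
  $htaccess = rtrim($files_dir, '/') . '/.htaccess';
  if (!is_file($htaccess)) {
    return array("$files_dir has no .htaccess: uploaded scripts may execute");
  }
  $findings = array();
  $content = file_get_contents($htaccess);
  // Markers Drupal 7 writes via file_create_htaccess(); absence means it was replaced.
  $required = array(
    'SetHandler Drupal_Security_Do_Not_Remove',
    'php_flag engine off',
  );
  foreach ($required as $marker) {
    if (strpos($content, $marker) === FALSE) {
      $findings[] = "$htaccess lacks '$marker'";
    }
  }
  // Directives that turn uploads into code or hijack visitors (constructed list).
  $suspicious = array('AddType application/x-httpd-php', 'AddHandler', 'Redirect 30', 'auto_prepend_file');
  foreach ($suspicious as $directive) {
    if (stripos($content, $directive) !== FALSE) {
      $findings[] = "$htaccess contains '$directive'";
    }
  }
  return $findings;
}

/**
 * Runs both audits and returns the combined findings.
 */
function audit_docroot($settings_php, $files_dir) {
  return array_merge(audit_settings_php($settings_php), audit_files_htaccess($files_dir));
}

if (PHP_SAPI === 'cli' && isset($argv[2])) {
  $findings = audit_docroot($argv[1], $argv[2]);
  foreach ($findings as $f) {
    echo "[!] $f\n";
  }
  exit($findings ? 1 : 0);
}
```

The same checks are worth repeating for every site that shares one PHP user, since a writable `.htaccess` on one of them is a foothold on all of them.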

DDoS

PentagonComp: Yes, my password is "MaoZedong"

Crouching tiger hidden dragon

How do hackers hide shells?

php block in DB

jpg.php (+ .htaccess)

obfuscation

git (a hook that drops a shell at pull) :)
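The first two hiding places above (a PHP-format block or body stored in the database, and obfuscated code) can be hunted from inside Drupal itself. This is an added example (not code from the talk) meant to be run with `drush php-script` on a Drupal 7 site: it lists every custom block and node body stored with the `php_code` text format and flags the constructs web shells typically use. The `shell_hunt` prefix and the keyword list are constructed heuristics, not a signature database.

```php
<?php
// Added example, not from the talk. Run with: drush php-script shell_hunt.php
// Table and column names are Drupal 7 core (block_custom, field_data_body).

/**
 * Flags function calls and superglobals commonly seen in obfuscated shells.
 * Returns the list of matched names (empty for clean-looking code).
 */
function shell_hunt_suspicious_calls($code) {
  $functions = array('eval', 'assert', 'base64_decode', 'gzinflate', 'gzuncompress',
    'str_rot13', 'system', 'shell_exec', 'passthru', 'exec', 'popen', 'create_function');
  $flags = array();
  foreach ($functions as $fn) {
    if (preg_match('/\b' . preg_quote($fn, '/') . '\s*\(/i', $code)) {
      $flags[] = $fn;
    }
  }
  // Shells usually take their command from the request.
  if (preg_match('/\$_(GET|POST|REQUEST|COOKIE)\b/', $code)) {
    $flags[] = 'request-driven';
  }
  // Very long single tokens are a hallmark of packed/base64 payloads.
  if (preg_match('/[A-Za-z0-9+\/=]{200,}/', $code)) {
    $flags[] = 'long-encoded-string';
  }
  return $flags;
}

/**
 * Returns every custom block stored with the php_code format, with flags.
 */
function shell_hunt_php_blocks() {
  $hits = array();
  $result = db_select('block_custom', 'b')
    ->fields('b', array('bid', 'info', 'body'))
    ->condition('b.format', 'php_code')
    ->execute();
  foreach ($result as $block) {
    $hits[] = array(
      'where' => 'block_custom bid=' . $block->bid . ' (' . $block->info . ')',
      'flags' => shell_hunt_suspicious_calls($block->body),
    );
  }
  return $hits;
}

/**
 * Returns every node body stored with the php_code format, with flags.
 */
function shell_hunt_php_bodies() {
  $hits = array();
  $result = db_select('field_data_body', 'f')
    ->fields('f', array('entity_id', 'body_value'))
    ->condition('f.entity_type', 'node')
    ->condition('f.body_format', 'php_code')
    ->execute();
  foreach ($result as $row) {
    $hits[] = array(
      'where' => 'node nid=' . $row->entity_id,
      'flags' => shell_hunt_suspicious_calls($row->body_value),
    );
  }
  return $hits;
}

// Report. If the PHP filter module is off, stored PHP cannot run through this
// path, but it is still worth knowing it is there.
echo 'PHP filter module enabled: ' . (module_exists('php') ? 'YES' : 'no') . "\n";
foreach (array_merge(shell_hunt_php_blocks(), shell_hunt_php_bodies()) as $hit) {
  echo ($hit['flags'] ? '[!] ' : '[ ] ') . $hit['where'];
  echo $hit['flags'] ? ' flags: ' . implode(', ', $hit['flags']) : '';
  echo "\n";
}
```

Every row printed is a place where code lives outside version control, so each one deserves a manual look even when no flag fires; disabling the PHP filter module altogether removes this hiding place entirely. The renamed-file and git-hook variants live on disk, which is what the Hacked! module and a file-integrity check cover.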

?

skype: vasilykraev
vk@vkraev.ru