This report was fully disclosed on 23 August 2018

Summary

On 9 July 2018 I notified caamanitoba.com of a Remote Code Execution vulnerability caused by CVE-2018-7600 aka Drupalgeddon 2. At the time I also indicated that I had evidence that this vulnerability had likely already been exploited by a malicious party.

Proof of Concept

As I did not wish to actually exploit the RCE and only verify its existence, I used the tool Drupwn by the ImmunIT Team to confirm my findings.

$ drupwn exploit https://caamanitoba.com

[-] Version not specified, trying to identify it

[+] Version detected: 7.0

Commands available: list | quit | check [CVE_NUMBER] | exploit [CVE_NUMBER]

Drupwn> list
+---------------+----------------------------------------+------------------------+
|      CVE      |              Description               |   Versions affected    |
+---------------+----------------------------------------+------------------------+
| CVE-2018-7600 |        Remote Command Execution        | 7.x < 7.58 & 8.x < 8.1 |
| CVE-2018-7602 | Authenticated Remote Command Execution |      7.x <= 7.58       |
+---------------+----------------------------------------+------------------------+

Drupwn> check CVE-2018-7600

[+] Application vulnerable

Drupwn> exit

Evidence of Previous Compromise

This issue was originally discovered due to a sudden increase of CRA (Canada Revenue Agency) phishing emails originating from opac-cornouaille.fr. Later it was confirmed that a number of recipients of this phishing campaign had also been caamanitoba.com customers.

The headers in the phishing email indicate it was sent from opac-cornouaille.fr 185.183.60.228. The email header also includes the following line X-Php-Originating-Script: 33:eb.php, which lists the UID 33 www-data and the script eb.php.

Upon further investigation it appeared that opac-cornouaille.fr was also vulnerable to CVE-2018-7600, however they patched their installation within hours of initial discovery.


In one instance, a unique email address that had been used during signup to caamanitoba.com on 06 June 2018 had been sent the aforementioned phishing email. The email address in question – a unique email forwarder – consisted of a 24 character string (similar to ███-███████[email protected]) and had not been provided to any other service. Since then this forwarder has not seen any other emails, spam or otherwise.

At the time of writing this, none of those same users had reported fraudulent transactions on credit cards they had provided to caamanitoba.com, however it is still possible that attackers could have stolen that information.

  • Updated the Drupal to the latest version
  • Change credentials of users and database
  • Investigate the extent of the breach
  • Notify customers of the breach

Remediation Status

At the time of publishing this report the reported issue has been resolved.

Response From Affected Party

Response from [email protected] 20 Aug 2018

Hello,

We are now patched. Thanks for the notification.

https://glitchwitch.io/reports/

George

Please consider the environment before printing this e-mail. WARNING - CONFIDENTIALITY NOTICE This e-mail and any attachments may contain confidential and privileged information. Any use, disclosure, copying or dissemination of this information by a person other than an intended recipient is not authorized and may be illegal. If you are not an intended recipient, please notify the sender immediately by return e-mail, delete this e-mail and destroy any copies.

Timeline

  • 9 July 2018: Affected Party Notified
  • 20 August 2018: Affected Party Released Patch (+42 days)
  • 23 August 2018: Report Published (+45 days)