
@mcdruid (Contributor) commented May 8, 2025

This is an FD gadget in the AI module.

Unusually it can be escalated to RCE if you get a command injection payload into a path that passes a file_exists() check in the destructor.

As this is in a module (included in Drupal CMS but not Drupal core), you could put it into a different namespace / directory.

@nollium (Collaborator) commented Sep 29, 2025

Thank you for the submission!

FYI, I just spent some time researching reliable ways for upgrading this to full command injection, and found some that seem good enough:

  • ftp://anonymous:$(id)@archive.ubuntu.com/ubuntu
    • requires network access to archive.ubuntu.com
  • phar:///usr/bin/phar.phar/$(id)/../
    • only requires /usr/bin/phar.phar to exist

I plan to add those two as RCE gadgets. In case you have more reliable payload ideas, I'd be glad to add them instead.

@mcdruid (Contributor, Author) commented Oct 1, 2025

Some details about how I exploited this using filenames that Drupal (currently) accepts:

https://www.mcdruid.co.uk/article/hacking-ai-module-drupal-cms

tl;dr you can embed a command injection payload into a filename that Drupal will allow you to create / upload. That should be fixed in a future Drupal release, but the change hasn't landed yet: https://www.drupal.org/project/drupal/issues/3516706
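An added example, not code from phpggc, the Drupal AI module, or either commenter, illustrating the point both comments make: file_exists() accepts stream-wrapper URLs and shell metacharacters, so it cannot gate a path before that path reaches a shell. The function name, base directory and sample inputs are my own; the two rejected samples reuse the payload shapes quoted above.

```php
<?php
// Added example (not from phpggc or the Drupal AI module).
// file_exists() returns true for stream-wrapper paths such as phar:// and ftp://
// and for any filename the filesystem permits, so it says nothing about whether
// a path is safe to interpolate into a command line.

function reject_shell_unsafe_path(string $path, string $baseDir): ?string
{
    // A scheme prefix means a stream wrapper, not a plain local file.
    if (preg_match('#^[A-Za-z][A-Za-z0-9+.-]*://#', $path)) {
        return null;
    }
    // Shell metacharacters (the quoted payloads rely on "$(") never belong in a
    // path that will reach a shell; reject them rather than trying to escape.
    if (preg_match('/[`$;|&<>\'"\\\\\r\n\0]/', $path)) {
        return null;
    }
    // Resolve symlinks and ".." and require the result to stay under $baseDir.
    $real = realpath($path);
    $base = realpath($baseDir);
    if ($real === false || $base === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $base, strlen($base)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed inputs: the two payload shapes from the comments above plus a
// benign temporary file created for the demonstration.
$baseDir = sys_get_temp_dir();
$benign  = tempnam($baseDir, 'ai');
$samples = [
    'ftp://anonymous:$(id)@archive.ubuntu.com/ubuntu',
    'phar:///usr/bin/phar.phar/$(id)/../',
    $benign,
];
foreach ($samples as $p) {
    $verdict = reject_shell_unsafe_path($p, $baseDir) === null ? 'rejected' : 'accepted';
    printf("%-52s %s\n", $p, $verdict);
}
unlink($benign);
```

Even an accepted path should still be passed through escapeshellarg() at the call site; the check above is a gate, not a substitute for proper quoting.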
