CVE-2018-7602 Exploitation Attempt

Detects attempts to exploit CVE-2018-7602, a potentially high-severity remote code execution vulnerability in Drupal core.

Sigma rule

```yaml
title: CVE-2018-7602 Exploitation Attempt
id: 1ce01364-ccd0-442f-8ab5-cb9e34508ac8
status: experimental
description: Detecting a potentially high Remote Code Execution vulnerability
author: Loginsoft Research Unit
references:
    - https://devcentral.f5.com/s/articles/drupal-core-remote-code-execution-cve-2018-7602-31167
date: 2020/08/17
logsource:
  product: drupal
  category: application
detection:
    selection_base:
      cs-method: 'POST'
      c-uri-query|contains:
        - 'destination*[#post_render][]'
        - 'destination*[%23post_render][]'
    selection_markup:
      c-uri-query|contains:
        - '[#markup]='
        - '[%23markup]='
    condition: selection_base and selection_markup
falsepositives:
  - Unknown
level: critical
```
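An added example, not part of the original rule or of the Sigma project's tooling: a small Python evaluator that applies the rule's `detection` section to constructed log records, showing how the `*` wildcard, the `contains` modifier and the `and` condition combine. The `RULE` dict, the helper names and the sample events (with placeholder values `X`, `A`, `B`) are assumptions made for illustration; the field names and match strings are the rule's own.

```python
import re

# Detection section of the rule above, transcribed by hand (assumption:
# no YAML parser is used so the example runs with the standard library only).
RULE = {
    "selection_base": {
        "cs-method": ["POST"],
        "c-uri-query|contains": ["destination*[#post_render][]",
                                 "destination*[%23post_render][]"],
    },
    "selection_markup": {
        "c-uri-query|contains": ["[#markup]=", "[%23markup]="],
    },
}

def _to_regex(value, contains):
    # Sigma string semantics: '*' is a wildcard, every other character is
    # literal, and comparison is case-insensitive.
    body = ".*".join(re.escape(part) for part in value.split("*"))
    pattern = body if contains else "^" + body + "$"
    return re.compile(pattern, re.IGNORECASE | re.DOTALL)

def selection_matches(selection, event):
    # Fields within one selection are ANDed; values in a list are ORed.
    for key, values in selection.items():
        field, _, modifier = key.partition("|")
        actual = event.get(field)
        if actual is None:
            return False
        contains = modifier == "contains"
        if not any(_to_regex(v, contains).search(actual) for v in values):
            return False
    return True

def rule_matches(event):
    # condition: selection_base and selection_markup
    return all(selection_matches(sel, event) for sel in RULE.values())

# Constructed sample records; X, A and B are placeholders, not real values.
EVENTS = [
    {"cs-method": "POST", "c-uri-query": "destination=X[%23post_render][]=A&X[%23markup]=B"},
    {"cs-method": "POST", "c-uri-query": "destination=X[#post_render][]=A&X[#markup]=B"},
    {"cs-method": "GET", "c-uri-query": "destination=X[%23post_render][]=A&X[%23markup]=B"},
    {"cs-method": "POST", "c-uri-query": "destination=X[%23post_render][]=A"},
    {"cs-method": "POST", "c-uri-query": "destination=node/1"},
]

def triage(events):
    return [rule_matches(e) for e in events]
```

Only the first two records alert: the rule needs a `POST`, a `destination` parameter followed by a `post_render` key, and a `markup` key all in the same request.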
