CVE-2019-6340 Exploitation Attempt

Detects attempted remote code execution (RCE) in the Drupal REST module.

Sigma rule

```yaml
title: CVE-2019-6340 Exploitation Attempt
id: 2fd9814b-8ba9-4a13-8e66-308945f0f4e1
status: experimental
description: Detecting the attempt of Remote Code Execution (RCE) in Drupal REST Module
references:
    - https://www.exploit-db.com/exploits/46510
author: Loginsoft Research Unit
date: 2020/08/18
logsource:
    product: drupal
    category: application
detection:
    selection:
      cs-method: 'POST'
      c-uri|contains: '/node'
      c-uri-query|contains: '_format=hal_json'
      sc-status:
        - 401
        - 500
    keywords:
      - 'Uncaught PHP Exception LogicException: "The generic FieldItemNormalizer cannot denormalize string values for "options" properties of the "link" field'
    condition: selection or keywords
falsepositives:
  - Unknown
level: critical
```
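How the rule's `selection or keywords` condition evaluates, as an added example that is not part of the original rule or a Sigma backend. It assumes each event is a dict using the rule's field names, with the raw log line under a hypothetical `message` key; all sample events are constructed.

```python
# Added example: Python re-statement of the rule's condition, not a Sigma backend.
# Assumption: events are dicts keyed by the rule's field names; the raw log line
# (e.g. a Drupal/PHP error entry) is stored under the hypothetical key "message".
KEYWORD = ('Uncaught PHP Exception LogicException: "The generic FieldItemNormalizer '
           'cannot denormalize string values for "options" properties of the "link" field')
STATUSES = {"401", "500"}

def _s(ev, key):
    # Sigma string matching is case-insensitive by default, so compare lowercased.
    return str(ev.get(key, "")).lower()

def selection(ev):
    # Every field in a selection must match (AND); the sc-status list is an OR.
    return (_s(ev, "cs-method") == "post"
            and "/node" in _s(ev, "c-uri")
            and "_format=hal_json" in _s(ev, "c-uri-query")
            and _s(ev, "sc-status") in STATUSES)

def keywords(ev):
    # Keyword search: the string may appear anywhere in the raw log line.
    return KEYWORD.lower() in _s(ev, "message")

def matches(ev):
    # condition: selection or keywords
    return selection(ev) or keywords(ev)

def _web(method, uri, status):
    return {"cs-method": method, "c-uri": uri,
            "c-uri-query": "_format=hal_json", "sc-status": status}

# Constructed sample events (not real logs).
EVENTS = {
    "post_500": _web("POST", "/node", 500),
    "post_401": _web("POST", "/node", 401),
    "post_201": _web("POST", "/node", 201),
    "get_200": _web("GET", "/node/1", 200),
    "php_error": {"message": "[constructed] " + KEYWORD + '".'},
}

def triage(events=EVENTS):
    return {name: matches(ev) for name, ev in events.items()}

if __name__ == "__main__":
    for name, hit in triage().items():
        print(f"{name:10} {'ALERT' if hit else 'ok'}")
```

The `post_401` event matches on method, path, query and status alone, so any rejected `hal_json` POST to a node route fires the rule regardless of payload; the keyword branch is the part tied to the specific exception text.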
