Thursday, May 3, 2012

New PHP-CGI exploit: CVE-2012-1823, PoC exploit

This article contains various edits to account for recent developments. Stay tuned.

Some folks found an interesting bug while playing CTF at Nullcon 2012. If you run PHP as a plain CGI or via mod_cgid (not FastCGI), you can pass command-line arguments such as the “-s” switch (“show source”) to PHP via the query string. For example, for any PHP-CGI script on your machine, you could see the source via “http://localhost/test.php?-s”. In this case, your web server’s access restrictions still apply. There are more parameters in the PHP-CGI binary (try “php-cgi -h” for a list) which can be used. Some are not available directly (for example, the infamous “-r” parameter that allows code to be passed directly for execution doesn’t work), but others are ready for (ab-)use. This constitutes an easy way to do the following:
Remote code execution is universally possible and not mitigated by any current security setting or extension. There are workarounds (see below). As the authors of the advisory point out, several months have passed since the initial report. The PHP team does not currently seem to have a universally compatible fix, so there are several external ways of mitigation (also mentioned in the advisory). However, emergency releases are scheduled for tomorrow, May 4th, according to well-informed sources. It’s not quite clear why the fix took so long (and whether the disclosure timeline in the advisory accurately reflects both sides of the incident), but the fact that someone accidentally disclosed the bug on reddit sure didn’t help.
Update: As there has been a Metasploit release for CVE-2012-1823 including remote command shell capabilities, I see no reason to hold back more detailed information.
There are variations of the RCE bug that use php://input or /proc/self/environ and a faked user-agent, but essentially this is it.
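As an added illustration (not code from the original post), the following Python snippet applies the CGI rule that makes this bug reachable, RFC 3875 §4.4 (a query string without an unencoded “=” is handed to the CGI program as command-line words, split on “+”), to a few constructed access-log lines and flags requests whose query string would reach php-cgi as a switch. The log lines, hosts and script names are made up for the example.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed Apache combined-log lines (not taken from the page).
SAMPLE_LOG = """\
203.0.113.5 - - [03/May/2012:10:12:01 +0200] "GET /test.php?-s HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
203.0.113.5 - - [03/May/2012:10:12:09 +0200] "GET /test.php?%2Ds HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
198.51.100.7 - - [03/May/2012:10:13:44 +0200] "GET /index.php?page=-s HTTP/1.1" 200 8812 "-" "curl/7.21"
198.51.100.7 - - [03/May/2012:10:14:02 +0200] "GET /index.php?-d+display_errors%3dOn HTTP/1.1" 200 55 "-" "curl/7.21"
192.0.2.9 - - [03/May/2012:10:15:30 +0200] "GET /about.php HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
"""

# Pull method and request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')


def is_cgi_argv_injection(query):
    """True if a raw query string would be passed to php-cgi as argv and its
    first word looks like a command-line switch.

    Per RFC 3875 the query string becomes argv only when it contains no
    unencoded '='; '+' separates the individual words. '%2d' decodes to '-',
    so the check is done on the decoded first word.
    """
    if not query or "=" in query:
        return False
    first_word = unquote(query.split("+", 1)[0])
    return first_word.startswith("-")


def find_suspicious_requests(log_text):
    """Return (path, decoded argv string) for each log line that matches."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path, sep, query = m.group("target").partition("?")
        if sep and is_cgi_argv_injection(query):
            hits.append((path, unquote_plus(query)))
    return hits


if __name__ == "__main__":
    for path, argv in find_suspicious_requests(SAMPLE_LOG):
        print(f"{path} would receive php-cgi argv: {argv!r}")
```

The same condition (no unencoded “=”, first word starting with “-” or “%2d”) is what a server-side rewrite rule has to match to strip such query strings before php-cgi sees them.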
Posted by Christopher Kunz
Defined tags for this entry: 5.2, 5.4, CGI, CVE-2012-1823, exploit, PHP, PoC, proof of concept, remote code execution, source disclosure, vulnerability
There is a new PHP bug that just became public today (leaked accidentally, it seems...). A flaw in the PHP CGI’s input sanitation process allows attackers to set command-line options via the query string. This behavior seems to be an oversight / mis
Tracked: May 03, 17:44
So PHP 5.4.2 and 5.3.12 do not fix the security issue reported in CVE-2012-1823 and discussed here earlier. The original advisory has a number of mitigation opportunities and an additional patch, and PHP.net has a RewriteRule online as a hotfix. I want
Tracked: May 04, 08:47
A new vulnerability, which was published by chance (read: unintentionally) last week, is currently keeping the PHP developers busy. The bug, which has existed since at least 2004, is due to a faulty implementation of the CGI specification.
Tracked: May 08, 10:10