PHP-CGI vulnerability CVE-2012-1823

FanJ · May 3, 2012

http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/

This is a detailed discussion of the generic PHP-CGI remote code execution bug we found while playing Nullcon CTF. We found that giving the query string ‘?-s’ somehow resulted in the “-s” command line argument being passed to php, resulting in source code disclosure. We explored this bug further and managed to improve our exploit to remote code execution, and trace the bug to a PHP commit in 2004.

PHP has been working on a patch for this for quite a while. We have been waiting to post this blog entry until a fix was released, but today the bug was posted to reddit because it was apparently accidentally marked public.

Executive summary:
- PHP-CGI installations are vulnerable to remote code execution
- There is no official fix, but we provide some workarounds in the ‘mitigation’ section
- FastCGI installations are not vulnerable
- The vulnerability can only be exploited if the HTTP server follows a fairly obscure part of the CGI spec. Apache does this, but many other servers do not.
Click to expand...

FanJ · May 3, 2012

The above quoted Executive summary has been edited in the meanwhile:

Executive summary:
- PHP-CGI installations are vulnerable to remote code execution
- There is no official fix, but we provide some workarounds in the ‘mitigation’ section
- The PHP bug report is now public and contains an official patch and a mod_rewrite based workaround
- FastCGI installations are not vulnerable
- The vulnerability can only be exploited if the HTTP server follows a fairly obscure part of the CGI spec. Apache does this, but many other servers do not.
Click to expand...

And an update has been posted below the Disclosure Timeline:

UPDATE: The PHP bug report is now public again and is marked as closed. Go there for information on the patch and a mod_rewrite based workaround. Do NOT rely on the homebrew workarounds in the comments below, they do not provide adequate protection!
Click to expand...

Go here for the fix.

FanJ · May 3, 2012

In the meanwhile there have been more updates posted about the topic at http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/

I leave it now as I suppose sys-admins will find their way on the net about it

FanJ · May 4, 2012

The original patch was buggy. There was a new patch.
See https://bugs.php.net/bug.php?id=61910
Whether that new fix is not buggy, I don't know yet.

See also again http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/

FanJ · May 4, 2012

If you want to read some more about it, a few links:

http://www.h-online.com/security/news/item/PHP-patch-quick-but-inadequate-1568454.html

https://threatpost.com/en_us/blogs/serious-remote-php-bug-accidentally-disclosed-050312

http://www.php-security.net/archives/9-New-PHP-CGI-exploit-CVE-2012-1823,-PoC-exploit.html

http://www.php-security.net/archives/11-Mitigation-for-CVE-2012-1823-CVE-2012-2311.html

ronjor · May 8, 2012

[08-May-2012]

The PHP development team would like to announce the immediate availability of PHP 5.4.3 and PHP 5.3.13. All users are encouraged to upgrade to PHP 5.4.3 or PHP 5.3.13
Click to expand...

http://www.php.net/archive/2012.php#id2012-05-08-1

FanJ · May 8, 2012

Thanks Ron !!

If you would allow me one more quote from the link you just posted:

The releases complete a fix for a vulnerability in CGI-based setups (CVE-2012-2311).
Click to expand...

Since the bug, found in the fix for CVE-2012-1823, was filed as CVE-2012-2311, the release of these updates just posted by you should finally fix CVE-2012-1823.

I hope that I summerized it right.

Log in or Sign up

PHP-CGI vulnerability CVE-2012-1823

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

ronjor Global Moderator

FanJ Updates Team

Log in or Sign up

PHP-CGI vulnerability CVE-2012-1823

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

FanJ Updates Team

ronjor Global Moderator

FanJ Updates Team

Useful Searches