Also known as CVE-2012-1823. The patch for the original vulnerability, CVE-2012-1823, was accidentally disclosed before the official release; however, it did not fix the issue. The vulnerability was widely discussed in public and used in real-world attacks. It took the developers several days to issue a proper security patch.
The vulnerability was exploited by the Linux worm Linux.Darlloz in 2013 to target Internet of Things (IoT) devices.
Vulnerability details
Advisory: SB2012050601 - Remote command injection in PHP
Vulnerable component: PHP
CVE-ID: CVE-2012-2311
CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Description:
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to an error when parsing QUERY_STRING parameters in PHP-CGI-based applications (sapi/cgi/cgi_main.c). A remote attacker can send a specially crafted HTTP request whose query string contains a %3D sequence but no literal = (equals sign) character, and thereby inject and execute arbitrary OS commands on the vulnerable system with the privileges of the web server.
Successful exploitation of the vulnerability results in denial of service or arbitrary code execution on the vulnerable system.
This vulnerability is a result of an incomplete fix for SB2012050301.
Note: the vulnerability was being actively exploited.
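As an added example (my code, not from the advisory or the PHP project), the Python below turns the trigger condition in the description into a log-side detection check: it scans a few constructed Apache access-log lines and flags any request whose raw query string contains no literal = but decodes to one, i.e. carries a %3D sequence. The log lines, IP addresses, paths and function names are all constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format log lines (not taken from the advisory).
# The third and fourth requests carry an encoded '=' (%3D / %3d) and no
# literal '=', which is the trigger condition the advisory describes.
SAMPLE_LOG = """\
203.0.113.5 - - [06/May/2012:10:01:22 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.6 - - [06/May/2012:10:01:23 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [06/May/2012:10:01:25 +0000] "GET /cgi-bin/php?page%3Dhome HTTP/1.1" 200 128 "-" "curl/7.22"
203.0.113.8 - - [06/May/2012:10:01:27 +0000] "POST /index.php?a%3db HTTP/1.1" 200 128 "-" "python-requests/0.13"
203.0.113.9 - - [06/May/2012:10:01:30 +0000] "GET /index.php?a=b&c%3Dd HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Request line inside a combined-format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def query_string(target: str):
    """Return the raw (still percent-encoded) query string, or None if absent."""
    _, sep, qs = target.partition("?")
    return qs if sep else None


def is_encoded_equals_query(qs) -> bool:
    """True when the raw query string has no literal '=' but decodes to one.

    The advisory describes the trigger as a query string that contains a
    %3D sequence but no literal '='; a literal '=' anywhere in the raw
    string marks it as ordinary form data and it is not flagged.
    """
    if not qs:
        return False
    if "=" in qs:
        return False  # literal '=' present: ordinary key=value query
    return "=" in unquote(qs)  # only an encoded '=' (%3D / %3d) remains


def flag_requests(log_text: str):
    """Return the request targets in log_text that match the trigger condition."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a parsable request line; skip rather than guess
        if is_encoded_equals_query(query_string(m.group("target"))):
            hits.append(m.group("target"))
    return hits


if __name__ == "__main__":
    for target in flag_requests(SAMPLE_LOG):
        print("encoded-equals query string:", target)
```

The check deliberately keys on the raw, undecoded query string: a WAF or log pipeline that URL-decodes before inspecting would see a normal key=value pair and miss the case. It does not cover the original CVE-2012-1823 condition (a query string with no = at all), so a rule for that should be kept separately.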
Public Exploits:
- Apache + PHP < 5.3.12 / < 5.4.2 - Remote Code Execution (Multithreaded Scanner) [Exploit-DB]
- Apache + PHP < 5.3.12 / < 5.4.2 - cgi-bin Remote Code Execution [Exploit-DB]
- PHP < 5.3.12 / < 5.4.2 - CGI Argument Injection [Exploit-DB]
- PHP 5.3.12/5.4.2 - CGI Argument Injection (Metasploit) [Exploit-DB]
External links:
https://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
http://www.computerworld.com/article/2504068/malware-vulnerabilities/php-patches-actively-exploited-...
https://threatpost.com/php-group-set-release-another-patch-cve-2012-1823-flaw-050812/76537/
http://www.php.net/ChangeLog-5.php#5.4.2
https://www.trustwave.com/Resources/Library/Documents/2013-Trustwave-Global-Security-Report/?dl=1
http://www.php.net/archive/2012.php#id2012-05-03-1
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27798
https://www.symantec.com/connect/blogs/linux-worm-targeting-hidden-devices
http://www.primalsecurity.net/0xe-python-tutorials-use-case-cve-2012-1823/
http://eromang.zataz.com/2012/05/06/cve-2012-1823-php-cgi-argument-injection-metasploit-demo/
http://websec.ca/blog/view/detecting-and-exploiting-php-cgi
https://pen-testing.sans.org/blog/2012/06/04/tips-for-pen-testers-on-exploiting-the-php-remote-execu...
https://isc.sans.edu/diary/PHP+vulnerability+CVE-2012-1823+being+exploited+in+the+wild/13312#__utma=...
http://commandline.ninja/2012/05/08/php-updated-cve-2012-1823-cve-2012-2311/
https://bobcares.com/blog/php-cgi-severe-vulnerability-cve-2012-1823/
https://blog.cloudpassage.com/2013/10/31/cve-2012-1823-apache-php5-x-remote-code-execution-exploit/
https://www.symantec.com/security_response/writeup.jsp?docid=2013-112710-1612-99&tabid=2
http://www.pcworld.idg.com.au/article/424083/php_patches_actively_exploited_cgi_vulnerability/