Vulnerability ID 5319

PHP up to 5.3.12/5.4.2 sapi/cgi/cgi_main.c $_SERVER['QUERY_STRING'] privilege escalation

CVSSv3 Temp ScoreCurrent Exploit Price (≈)
6.6$2k-$5k

A vulnerability classified as very critical has been found in PHP up to 5.3.12/5.4.2. This affects an unknown function of the file sapi/cgi/cgi_main.c. The manipulation of the argument $_SERVER['QUERY_STRING'] with the input value -s leads to a privilege escalation vulnerability. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the d case.

The bug was discovered 01/13/2012. The weakness was shared 05/03/2012 by De Eindbazen as confirmed blog post. The advisory is shared for download at eindbazen.net. The vendor cooperated in the coordination of the public release. This vulnerability is uniquely identified as CVE-2012-1823 since 03/21/2012. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. Technical details and a public exploit are known. Due to its background and reception, this vulnerability has a historic impact.

A public exploit has been developed by metasploit (rayh4c) in C and been published 1 days after the advisory. It is declared as proof-of-concept. The exploit is shared for download at exploit-db.com. The vulnerability was handled as a non-public zero-day exploit for at least 111 days. During that time the estimated underground price was around $50k-$100k. The vulnerability scanner Nessus provides a plugin with the ID 74630 (openSUSE Security Update : php5 (openSUSE-2012-288)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family SuSE Local Security Checks, running in the context local and relying on port 0.

Upgrading to version 5.4.2 or 5.3.12 [first official Patch not working!] eliminates this vulnerability. Applying the patch CVE-2012-1823-mitigation.tar.gz (inofficial Patch) is able to eliminate this problem. The bugfix is ready for download at eindbazen.net. It is possible to mitigate the weakness by firewalling tcp/80 (Web Services). The problem might be mitigated by replacing the product with FastCGI & ASP as an alternative. The best possible mitigation is suggested to be upgrading to the latest version. A possible mitigation has been published immediately after the disclosure of the vulnerability. Attack attempts may be identified with Snort ID 22063.

The vulnerability is also documented in the databases at Secunia (SA49014) and SecurityTracker (ID 1027022). Further details are available at kb.cert.org. See 60732 and 9012 for similar entries.

Screenshot


Video


CVSSv3

Base Score: 7.3 [?]
Temp Score: 6.6 [?]
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C [?]
Reliability: High

CVSSv2

Base Score: 7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P) [?]
Temp Score: 5.9 (CVSS2#E:POC/RL:OF/RC:C) [?]
Reliability: High

AVACAuCIA
LHMNNN
AMSPPP
NLNCCC
VectorComplexityAuthenticationConfidentialityIntegrityAvailability
LocalHighMultipleNoneNoneNone
AdjacentMediumSinglePartialPartialPartial
NetworkLowNoneCompleteCompleteComplete

CPE

Exploiting

Class: Privilege escalation (CWE-20)
Local: No
Remote: Yes

Availability: Yes
Access: Public
Status: Proof-of-Concept
Reliability: 90%
Programming Language: C
Author: metasploit (rayh4c)
Download: exploit-db.com

Current Price Estimation: $50k-$100k (0-day) / $2k-$5k (Today)

0-Day$0-$1k$1k-$2k$2k-$5k$5k-$10k$10k-$25k$25k-$50k$50k-$100k$100k-$500k
Today$0-$1k$1k-$2k$2k-$5k$5k-$10k$10k-$25k$25k-$50k$50k-$100k$100k-$500k


Nessus ID: 74630
Nessus Name: openSUSE Security Update : php5 (openSUSE-2012-288)
Nessus File: ala_ALAS-2012-77.nasl
Nessus Family: SuSE Local Security Checks
Nessus Context: local
Nessus Port: 0
OpenVAS ID: 71344
OpenVAS Name: Debian Security Advisory DSA 2465-1 (php5)
OpenVAS File: deb_2465_1.nasl
OpenVAS Family: Debian Local Security Checks

Saint ID: exploit_info/php_cgi_arg_rce
Saint Name: PHP CGI Query String Parameters Command Execution
MetaSploit ID: php_cgi_arg_injection.rb
MetaSploit File: metasploit-framework/modules/exploits/multi/http/php_cgi_arg_injection.rb
MetaSploit Name: PHP CGI Argument Injection

Exploit-DB: 18834

Countermeasures

Recommended: Upgrade
Status: Official fix
Reaction Time: 107 days since reported
0-Day Time: 111 days since found
Exposure Time: 0 days since known
Exploit Delay Time: 1 days since known

Upgrade: PHP 5.4.2/5.3.12 [first official Patch not working!]
Patch: CVE-2012-1823-mitigation.tar.gz (inofficial Patch)
Firewalling: tcp/80 (Web Services)
Alternative: FastCGI & ASP

Snort ID: 22063
Snort Class: attempted-admin
Snort Message: SERVER-WEBAPP PHP-CGI remote file include attempt

Suricata ID: 2014704
Suricata Class: web-application
Suricata Message: ET WEB_SPECIFIC_APPS PHP-CGI query string parameter vulnerability

Timeline

01/13/2012 Vulnerability found
01/17/2012 +4 days Vendor informed
03/21/2012 +64 days CVE assigned
05/03/2012 +43 days Advisory disclosed
05/03/2012 +0 days Countermeasure disclosed
05/04/2012 +1 days Exploit disclosed
05/04/2012 +0 days VulDB entry created
05/11/2012 +7 days NVD disclosed
06/13/2014 +763 days Nessus plugin released
07/03/2015 +385 days VulDB entry updated

Sources

Advisory: eindbazen.net
Researcher: De Eindbazen
Status: Confirmed
Confirmation: php.net
Coordinated: Yes

CVE: CVE-2012-1823 (mitre.org) (nvd.nist.org) (cvedetails.com)

Secunia: 49014 - PHP QUERY_STRING Parameters and Buffer Overflow Vulnerabilities, Highly Critical
SecurityTracker: 1027022
OSVDB: 81633

Misc.: kb.cert.org
See also: 60732 , 9012

Entry

Created: 05/04/2012
Updated: 07/03/2015
Entry: 100% complete