May 3, 2012 at 11:47 pm #7563
A serious remote-code execution vulnerability in PHP was accidentally disclosed Wednesday, leading to fears of an outbreak of attacks on sites that were built using vulnerable versions of PHP. The bug has been known privately since January when a team of researchers used it in a capture the flag contest and then subsequently reported it to the PHP Group. The developers were still in the process of building the patch for the flaw when it was disclosed Wednesday.
The vulnerability is a simple one but it has serious consequences. Essentially, the researchers found that when they passed a specific query string that contained the -s command to PHP in a CGI setup, PHP would interpret the -s as the command line argument and result in the disclosure of the source code for the application. They extended their testing and found they could pass whatever command-line arguments they wanted ot the PHP binary.
“When PHP is used in a CGI-based setup (such as Apache’smod_cgid), the php-cgi receives a processed query string parameter as command line arguments which allows command-line switches, such as -s, -d or -c to be passed to the php-cgi binary, which can be exploited to disclose source code and obtain arbitrary code execution,” the US-CERT said in an advisory published Wednesday. “A remote unauthenticated attacker could obtain sensitive information, cause a denial of service condition or may be able to execute arbitrary code with the privileges of the web server.”
The team that found the bug, known as Eindbazen, said that they had been waiting for several months for the PHP Group to release a patch for the vulnerability in order to publish information about the bug. However, someone accidentally marked an internal PHP bug as public and it eventually was posted to Reddit. So Eindbazen then published the details of their findings and how it can be exploited.
“We’ve tested this and have confirmed that the query parameters are passed to the php5-cgi binary in this configuration. Since the wrapper script merely passes all the arguments on to the actual php-cgi binary, the same problem exists with configurations where php-cgi is directly copied into the cgi-bin directory. It’s interesting to note that while slashes get added to any shell metacharacters we pass in the query string, spaces and dashes (‘-’) are not escaped. So we can pass as many options to PHP as we want!” they wrote in their analysis of the PHP CVE-2012-1823 vulnerability.
“There is one slight complication: php5-cgi behaves differently depending on which environment variables have been set, disabling the flag -r for direct code execution among others. However, this can be trivially bypassed. We’re removing the remote code execution PoC out of an abundance of caution, but at this point anyone should be able to figure this out. And for the record: safe_mode, allow_url_include and other security-related ini settings will not save you.”
PHP is one of the more popular scripting languages used in Web development. Since the time that the Eindbazen team reported the bug to the PHP Group, there have been several new versions of the language released, with various other security fixes, but without a patch for the CVE-2012-1863 bug. Right now, there is no patch available for the flaw discovered by the Eindbazen team, however they list a couple of technical workarounds in their post and have produced a file that includes both of them that users can download.
May 3, 2012 at 11:48 pm #47240
Note, you can read more about the vulnerability in detail here:
In essence it seems like the vulnerability is more simple than one would initially anticipate. It’s so simple it’s almost not true, even though it is of course true. ;D
May 4, 2012 at 8:35 am #47241j0rDyParticipant
first of all, props to eindbazen, i know some of them personally and they are hardcore. The vulnerability is indeed quite simple, but do not forget that the situation has to be just right, you have to actually run PHP in CGI. But still, kudo’s to eindbazen for finding it and trying to disclose it responsibly (they discovered this vulnerability in januari and reported it several times), if they only checked the private box…
May 4, 2012 at 4:22 pm #47242
Indeed it is simple and it’s also a very old / ancient vulnerability which seems to deem it a foreverday, as there is no working patch yet either. Some years ago, I stumpled across an interesting vulnerability on a particular webhost, which I couldn’t reproduce anywhere else.
When I sent a request like this:
The website would execute normally, but when I sent this:
The source of that script would be revealed. I can’t remember if it was an ASP or PHP powered website, but it was an interesting vulnerability.
May 5, 2012 at 8:35 am #47243
May 5, 2012 at 1:38 pm #47244
Haha nice one MrTuxracer ;D That’s actually brilliant of them to do so 🙂
- You must be logged in to reply to this topic.