A serious remote-code execution vulnerability in PHP was accidentally disclosed Wednesday, leading to fears of an outbreak of attacks on sites that were built using vulnerable versions of PHP. The bug has been known privately since January when a team of researchers used it in a capture the flag contest and then subsequently reported it to the PHP Group. The developers were still in the process of building the patch for the flaw when it was disclosed Wednesday.
The vulnerability is a simple one but it has serious consequences. Essentially, the researchers found that when they passed a specific query string that contained the -s command to PHP in a CGI setup, PHP would interpret the -s as the command line argument and result in the disclosure of the source code for the application. They extended their testing and found they could pass whatever command-line arguments they wanted ot the PHP binary.
"When PHP is used in a CGI-based setup (such as Apache'smod_cgid), the php-cgi receives a processed query string parameter as command line arguments which allows command-line switches, such as -s, -d or -c to be passed to the php-cgi binary, which can be exploited to disclose source code and obtain arbitrary code execution," the US-CERT said in an advisory published Wednesday. "A remote unauthenticated attacker could obtain sensitive information, cause a denial of service condition or may be able to execute arbitrary code with the privileges of the web server."
The team that found the bug, known as Eindbazen, said that they had been waiting for several months for the PHP Group to release a patch for the vulnerability in order to publish information about the bug. However, someone accidentally marked an internal PHP bug as public and it eventually was posted to Reddit. So Eindbazen then published the details of their findings and how it can be exploited.
"We’ve tested this and have confirmed that the query parameters are passed to the php5-cgi binary in this configuration. Since the wrapper script merely passes all the arguments on to the actual php-cgi binary, the same problem exists with configurations where php-cgi is directly copied into the cgi-bin directory. It’s interesting to note that while slashes get added to any shell metacharacters we pass in the query string, spaces and dashes (‘-’) are not escaped. So we can pass as many options to PHP as we want!" they wrote in their analysis of the PHP CVE-2012-1823 vulnerability.
"There is one slight complication: php5-cgi behaves differently depending on which environment variables have been set, disabling the flag -r for direct code execution among others. However, this can be trivially bypassed. We’re removing the remote code execution PoC out of an abundance of caution, but at this point anyone should be able to figure this out. And for the record: safe_mode, allow_url_include and other security-related ini settings will not save you."
PHP is one of the more popular scripting languages used in Web development. Since the time that the Eindbazen team reported the bug to the PHP Group, there have been several new versions of the language released, with various other security fixes, but without a patch for the CVE-2012-1863 bug. Right now, there is no patch available for the flaw discovered by the Eindbazen team, however they list a couple of technical workarounds in their post and have produced a file that includes both of them that users can download.