VulDB: PHP up to 5.3.12/5.4.2 sapi/cgi/cgi_main.c $_SERVER['QUERY_STRING'] privilege escalation
General
scipID: 5319
Affected: PHP up to 5.3.12/5.4.2
Published: 05/03/2012 (De Eindbazen)
Risk: very critical
Entry: 100% complete
Created: 05/04/2012
Updated: 12/26/2012
Summary
A vulnerability, which was classified as very critical, was found in PHP up to 5.3.12/5.4.2. This affects an unknown function of the file _sapi/cgi/cgi_main.c_. The manipulation of the argument $_SERVER['QUERY_STRING'] with the input value -s leads to a privilege escalation vulnerability. This has an impact on confidentiality, integrity, and availability.
The bug was discovered 01/13/2012. The weakness was shared 05/03/2012 by De Eindbazen as a blog post. The advisory is available for download at eindbazen.net. The vendor cooperated in the coordination of the public release. This vulnerability has been uniquely identified as CVE-2012-1823 since 03/21/2012. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. Technical details and a public exploit are known. Due to its background and reception, this vulnerability has a historic impact.
An exploit was developed by metasploit (rayh4c) in C and published 1 day after the advisory. It is declared as proof-of-concept. The exploit is available for download at exploit-db.com. The vulnerability was handled as a non-public zero-day exploit for at least 111 days. The vulnerability scanner Nessus provides a plugin with the ID 59016 (USN-1437-1 : php5 vulnerability), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Ubuntu Local Security Checks and runs in the local context.
Upgrading to version 5.4.2 or 5.3.12 [first official patch not working!] eliminates this vulnerability. Applying the patch CVE-2012-1823-mitigation.tar.gz (unofficial patch) is able to eliminate this problem. The bugfix is available for download at eindbazen.net. It is possible to mitigate the weakness by firewalling tcp/80 (Web Services). The problem might be mitigated by replacing the product with FastCGI & ASP as an alternative. The best possible mitigation is suggested to be upgrading to the latest version. A possible mitigation was published immediately after the disclosure of the vulnerability. The vulnerability is also documented in the databases at OSVDB (81633), Secunia (SA49014) and SecurityTracker (ID 1027022). Further details are available at kb.cert.org.
Screenshot
![PHP up to 5.3.12/5.4.2 sapi/cgi/cgi_main.c $_SERVER['QUERY_STRING'] privilege escalation](/vuldb/screenshot/5319.jpg)
CVSS
Base Score: 7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
| Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Local | High | Multiple | None | None | None |
| Adjacent | Medium | Single | Partial (selected) | Partial (selected) | Partial (selected) |
| Network (selected) | Low (selected) | None (selected) | Complete | Complete | Complete |
Exploiting
Class: Privilege escalation
Local: No
Remote: Yes
Availability: Yes
Access: Public
Status: Proof-of-Concept
Reliability: 90%
Programming Language: C
Author: metasploit (rayh4c)
Download: exploit-db.com
Nessus ID: 59016
Nessus Name: USN-1437-1 : php5 vulnerability
Nessus Family: Ubuntu Local Security Checks
Nessus Context: local
Exploit-DB: 18834
Countermeasures
Recommended: Upgrade
Reaction Time: 107 days since reported
0-Day Time: 111 days since found
Exposure Time: 0 days since known
Exploit Delay Time: 1 day since known
Upgrade: PHP 5.4.2/5.3.12 [first official patch not working!]
Patch: CVE-2012-1823-mitigation.tar.gz
Firewalling: tcp/80 (Web Services)
Alternative: FastCGI & ASP
Timeline
01/13/2012 | Vulnerability found
01/17/2012 | Vendor informed
03/21/2012 | CVE assigned
05/03/2012 | Advisory disclosed
05/03/2012 | Countermeasure disclosed
05/04/2012 | Exploit disclosed
05/04/2012 | VulDB entry created
05/07/2012 | Nessus plugin released
12/26/2012 | VulDB entry updated
Sources
Advisory: eindbazen.net
Researcher: De Eindbazen
Coordinated: Yes
Confirmation: php.net
OSVDB: 81633
CVE: CVE-2012-1823 (mitre.org) (nist.org) (cvedetails.com)
Secunia: 49014
SecurityTracker: 1027022
Misc.: kb.cert.org