Bug 818607 (CVE-2012-1823)
| Summary: | CVE-2012-1823 php: command line arguments injection when run in CGI mode (VU#520827) | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | ||
| Version: | unspecified | CC: | fedora, jorton, mjc, rpm, tkramer |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | php 5.3.12, php 5.4.2 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-06-27 16:18:55 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 818732, 818733, 818734, 818735, 818736, 818737, 818752, 818856, 818857, 818858, 818859, 818860, 818861, 831139 | ||
| Bug Blocks: | 818619 | ||
|
Description
Jan Lieskovsky
2012-05-03 14:03:54 UTC
PHP 5.3.12 and 5.4.2 are released to correct this: http://www.php.net/archive/2012.php#id2012-05-03-1 They also note the mitigation/workaround that can be added to the httpd.conf or .htaccess: RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC] RewriteRule ^(.*) $1? [L] And the upstream fix is here: http://git.php.net/?p=php-src.git;a=commitdiff;h=55869a95ab75c0eb99c57201bfeccaef57e0d36d US-CERT vulnerability note: http://www.kb.cert.org/vuls/id/520827 Created php tracking bugs for this issue Affects: fedora-all [bug 818752] PHP 5.3.12 and 5.4.2 are build for fedora, but I will probably differ the updates a little, waiting for PHP 5.3.13 and 5.4.3... :( (In reply to comment #16) > PHP 5.3.12 and 5.4.2 are build for fedora, but I will probably differ the > updates a little, waiting for PHP 5.3.13 and 5.4.3... :( Are those updates expected soon, and/or providing some specific fix to wait for? (In reply to comment #17) > (In reply to comment #16) > > PHP 5.3.12 and 5.4.2 are build for fedora, but I will probably differ the > > updates a little, waiting for PHP 5.3.13 and 5.4.3... :( > > Are those updates expected soon, and/or providing some specific fix to wait > for? I guess that's for this info in the original reporter's blog post: The new PHP versions as well as the official php patch contain a bug which makes the fix trivial to bypass. (In reply to comment #18) > The new PHP versions as well as the official php patch contain a bug > which makes the fix trivial to bypass. https://lwn.net/Articles/495905/#CommAnchor495919 Red Hat is aware that a public exploit for this issue is available that allows remote code execution in affected PHP CGI configurations. This flaw does not affect the default configuration in Red Hat Enterprise Linux 5 and 6 using the PHP module for Apache httpd to handle PHP scripts. This flaw did not affect the version of PHP in Red Hat Enterprise Linux 3 or 4 ELS. Note that upstream failed to fix CVE-2012-1823 completely the first time, and so a second CVE, CVE-2012-2311 has been raised to cover the "incomplete fix". Since Red Hat are releasing packages with a complete fix we're not vulnerable to CVE-2012-2311. Updates for affected platforms are being prepared and will be released as soon as they complete testing. Additional links: http://www.php-security.net/archives/9-New-PHP-CGI-exploit-CVE-2012-1823.html http://www.php-security.net/archives/11-Mitigation-for-CVE-2012-1823-CVE-2012-2311.html http://www.metasploitminute.com/2012/05/cve-2012-1823-php-cgi-bug.html https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/php_cgi_arg_injection.rb CVE-2012-2311 is tracked via bug 818907. Upstream news entry now acknowledges that the CVE-2012-1823 as included in 5.3.12 and 5.4.2 does not address the problem: http://www.php.net/archive/2012.php#id2012-05-06-1 It also points out that the correction (see comment #19) does not address the problem where unsafe wrapper script (similar to the one in the original reporter's blog post) is used. For those cases, different mod_rewrite rules are provided as mitigation. However, those rules could reject certain non-malicious requests. Note that the workaround in comment #12 is ineffective. The suggested mod_rewrite rules to use to workaround the problem are now: RewriteEngine on RewriteCond %{QUERY_STRING} ^[^=]*$ RewriteCond %{QUERY_STRING} %2d|\- [NC] RewriteRule .? - [F,L] (In reply to comment #27) > Note that the workaround in comment #12 is ineffective. The suggested > mod_rewrite rules to use to workaround the problem are now: > > RewriteEngine on > RewriteCond %{QUERY_STRING} ^[^=]*$ > RewriteCond %{QUERY_STRING} %2d|\- [NC] > RewriteRule .? - [F,L] These rules were created to provide protection in use cases where insecure wrapper script, similar to the one pointed out in the original reporter's blog post, is used to run PHP. These rules may possibly reject certain non-malicious requests. See upstream news post referenced from comment #26 for additional details. This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2012:0547 https://rhn.redhat.com/errata/RHSA-2012-0547.html This issue has been addressed in following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Via RHSA-2012:0546 https://rhn.redhat.com/errata/RHSA-2012-0546.html The above PHP updates to not attempt to work around problems introduced by insecure wrapper scripts that do not properly pass command line arguments to the PHP interpreter. One example of such script was provided in the original reporter's blog post (http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/): #!/bin/sh exec /dh/cgi-system/php5.cgi $* (source: http://wiki.dreamhost.com/PHP.ini#Create_the_script_wrapper) Such wrappers should be updated to properly quote arguments passed to PHP, i.e. replace $* by "$@" (including quotes), or ignore all arguments if no arguments are expected to be passed via the wrapper script, i.e. remove $*. This issue has been addressed in following products: Red Hat Enterprise Linux 5.6 EUS - Server Only Via RHSA-2012:0569 https://rhn.redhat.com/errata/RHSA-2012-0569.html This issue has been addressed in following products: Red Hat Enterprise Linux 5.3 Long Life Red Hat Enterprise Linux 5.6 EUS - Server Only Red Hat Enterprise Linux 6.1 EUS - Server Only Red Hat Enterprise Linux 6.0 EUS - Server Only Via RHSA-2012:0568 https://rhn.redhat.com/errata/RHSA-2012-0568.html Following article explains how this is exploited in the wild (the describe method matches what Metasploit module linked in comment #24 does): http://blog.spiderlabs.com/2012/05/php-cgi-exploitation-by-example.html This gives further examples of exploit attempts detected on honeypots: http://blog.spiderlabs.com/2012/05/honeypot-alert-active-exploit-attempts-for-php-cgi-vuln.html (In reply to comment #25) > CVE-2012-2311 is tracked via bug 818907. In addition to CVE-2012-2311, two more related CVEs were assigned. Following provides an overview of what those CVEs were assigned to (mostly copied from bug #818907, comment #8): CVE-2012-2311 (bug #818907) - This CVE is only to be used for the incorrect detection of '=', which allows bypassing the check introduced in PHP versions 5.3.12 and 5.4.2 by using %3D in the query string. Red Hat released updates correcting CVE-2012-1823 did not have this problem, hence this CVE is not applicable to Red Hat Enterprise Linux PHP packages. CVE-2012-2335 (bug #820874) - This was assigned for an insecure wrapper script. This is not CVE for PHP itself. Upstream PHP versions 5.3.13 and 5.4.3 mitigated this problem by skipping leading spaces in the query string before doing other checks. This mitigation is not included in the Red Hat PHP packages updates fixing CVE-2012-1823. This fix may be included in future updates, however fixing such scripts is recommended (see comment #31). CVE-2012-2336 (bug #820708) - This CVE is for the problem that the second php_getopt() call was not skipped, and hence with the original fix applied, php-cgi would still handle injected -h/-? and -T options. That issue was not corrected in Red Hat PHP packages updates fixing CVE-2012-1823. Reference: http://thread.gmane.org/gmane.comp.security.oss.general/7600/focus=7635 This issue has been addressed in following products: Red Hat Web Application Stack for RHEL 5 Via RHSA-2012:0570 https://rhn.redhat.com/errata/RHSA-2012-0570.html Statement: This flaw did not affect the versions of PHP in Red Hat Enterprise Linux 3 or 4. Updates were released for Red Hat Enterprise Linux 5 and 6 (RHSA-2012:0546, RHSA-2012:0547), Red Hat Enterprise Linux 5.3 Long Life (RHSA-2012:0568), Red Hat Enterprise Linux 5.6, 6.0, and 6.1 Extended Update Support (RHSA-2012:0568, RHSA-2012:0569), and Red Hat Application Stack v2 (RHSA-2012:0570). This flaw only affected PHP CGI configurations and it did not affect the default configuration in Red Hat Enterprise Linux 5 and 6 using the PHP module for Apache httpd to handle PHP scripts. Note that this issue was not fixed completely the first time, which resulted in the assignment of additional related CVE identifiers - CVE-2012-2311, CVE-2012-2335, and CVE-2012-2336. Refer to the Red Hat CVE Database and the Red Hat Bugzilla for additional information on how those CVEs affect Red Hat products. php-5.4.3-1.fc17, maniadrive-1.2-40.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report. php-5.3.13-1.fc16, maniadrive-1.2-32.fc16.5, php-eaccelerator-0.9.6.1-9.fc16.5 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report. php-5.3.13-1.fc15, maniadrive-1.2-32.fc15.5, php-eaccelerator-0.9.6.1-9.fc15.5 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report. |