Bug 818607 - (CVE-2012-1823) CVE-2012-1823 php: command line arguments injection when run in CGI mode (VU#520827)
CVE-2012-1823 php: command line arguments injection when run in CGI mode (VU#...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
urgent Severity urgent
: ---
: ---
Assigned To: Red Hat Product Security
impact=critical,public=20120503,repor...
: Security
Depends On: 818732 818733 818734 818735 818736 818737 818752 818856 818857 818858 818859 818860 818861 831139
Blocks: 818619
  Show dependency treegraph
 
Reported: 2012-05-03 10:03 EDT by Jan Lieskovsky
Modified: 2015-11-24 09:57 EST (History)
5 users (show)

See Also:
Fixed In Version: php 5.3.12, php 5.4.2
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-06-27 12:18:55 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2012-05-03 10:03:54 EDT
A flaw was found in the way the php-cgi executable processed command line arguments when running in CGI mode. A remote attacker could send a specially-crafted request to a PHP script that would result in the query string being parsed by php-cgi as command line options and arguments. This could lead to the disclosure of the script's source code or arbitrary code execution with the privileges of the PHP interpreter.

References:
https://bugs.php.net/bug.php?id=61910
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
http://ompldr.org/vZGxxaQ
Comment 12 Vincent Danen 2012-05-03 16:05:36 EDT
PHP 5.3.12 and 5.4.2 are released to correct this:

http://www.php.net/archive/2012.php#id2012-05-03-1

They also note the mitigation/workaround that can be added to the httpd.conf or .htaccess:

         RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
         RewriteRule ^(.*) $1? [L]

And the upstream fix is here:

http://git.php.net/?p=php-src.git;a=commitdiff;h=55869a95ab75c0eb99c57201bfeccaef57e0d36d
Comment 14 Tomas Hoger 2012-05-03 16:41:34 EDT
US-CERT vulnerability note:
  http://www.kb.cert.org/vuls/id/520827
Comment 15 Tomas Hoger 2012-05-03 16:43:13 EDT
Created php tracking bugs for this issue

Affects: fedora-all [bug 818752]
Comment 16 Remi Collet 2012-05-03 17:56:22 EDT
PHP 5.3.12 and 5.4.2 are build for fedora, but I will probably differ the updates a little, waiting for PHP 5.3.13 and 5.4.3... :(
Comment 17 Tomas Hoger 2012-05-04 02:03:37 EDT
(In reply to comment #16)
> PHP 5.3.12 and 5.4.2 are build for fedora, but I will probably differ the
> updates a little, waiting for PHP 5.3.13 and 5.4.3... :(

Are those updates expected soon, and/or providing some specific fix to wait for?
Comment 18 Tomas Hoger 2012-05-04 02:40:07 EDT
(In reply to comment #17)
> (In reply to comment #16)
> > PHP 5.3.12 and 5.4.2 are build for fedora, but I will probably differ the
> > updates a little, waiting for PHP 5.3.13 and 5.4.3... :(
> 
> Are those updates expected soon, and/or providing some specific fix to wait
> for?

I guess that's for this info in the original reporter's blog post:

  The new PHP versions as well as the official php patch contain a bug
  which makes the fix trivial to bypass.
Comment 19 Tomas Hoger 2012-05-04 03:43:54 EDT
(In reply to comment #18)

>   The new PHP versions as well as the official php patch contain a bug
>   which makes the fix trivial to bypass.

https://lwn.net/Articles/495905/#CommAnchor495919
Comment 22 Mark J. Cox (Product Security) 2012-05-04 05:16:35 EDT
Red Hat is aware that a public exploit for this issue is available that allows remote code execution in affected PHP CGI configurations. This flaw does not affect the default configuration in Red Hat Enterprise Linux 5 and 6 using the PHP module for Apache httpd to handle PHP scripts. This flaw did not affect the version of PHP in Red Hat Enterprise Linux 3 or 4 ELS.

Note that upstream failed to fix CVE-2012-1823 completely the first time, and so a second CVE, CVE-2012-2311 has been raised to cover the "incomplete fix". Since Red Hat are releasing packages with a complete fix we're not vulnerable to CVE-2012-2311.

Updates for affected platforms are being prepared and will be released as soon as they complete testing.
Comment 25 Tomas Hoger 2012-05-04 06:38:31 EDT
CVE-2012-2311 is tracked via bug 818907.
Comment 26 Tomas Hoger 2012-05-07 03:36:41 EDT
Upstream news entry now acknowledges that the CVE-2012-1823 as included in 5.3.12 and 5.4.2 does not address the problem:

http://www.php.net/archive/2012.php#id2012-05-06-1

It also points out that the correction (see comment #19) does not address the problem where unsafe wrapper script (similar to the one in the original reporter's blog post) is used.  For those cases, different mod_rewrite rules are provided as mitigation.  However, those rules could reject certain non-malicious requests.
Comment 27 Vincent Danen 2012-05-07 13:43:08 EDT
Note that the workaround in comment #12 is ineffective.  The suggested mod_rewrite rules to use to workaround the problem are now:

RewriteEngine on
RewriteCond %{QUERY_STRING} ^[^=]*$
RewriteCond %{QUERY_STRING} %2d|\- [NC]
RewriteRule .? - [F,L]
Comment 28 Tomas Hoger 2012-05-07 15:07:24 EDT
(In reply to comment #27)
> Note that the workaround in comment #12 is ineffective.  The suggested
> mod_rewrite rules to use to workaround the problem are now:
> 
> RewriteEngine on
> RewriteCond %{QUERY_STRING} ^[^=]*$
> RewriteCond %{QUERY_STRING} %2d|\- [NC]
> RewriteRule .? - [F,L]

These rules were created to provide protection in use cases where insecure wrapper script, similar to the one pointed out in the original reporter's blog post, is used to run PHP.  These rules may possibly reject certain non-malicious requests.  See upstream news post referenced from comment #26 for additional details.
Comment 29 errata-xmlrpc 2012-05-07 15:17:40 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0547 https://rhn.redhat.com/errata/RHSA-2012-0547.html
Comment 30 errata-xmlrpc 2012-05-07 15:20:27 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2012:0546 https://rhn.redhat.com/errata/RHSA-2012-0546.html
Comment 31 Tomas Hoger 2012-05-07 15:55:39 EDT
The above PHP updates to not attempt to work around problems introduced by insecure wrapper scripts that do not properly pass command line arguments to the PHP interpreter.  One example of such script was provided in the original reporter's blog post (http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/):

  #!/bin/sh
  exec /dh/cgi-system/php5.cgi $*

  (source: http://wiki.dreamhost.com/PHP.ini#Create_the_script_wrapper)

Such wrappers should be updated to properly quote arguments passed to PHP, i.e. replace $* by "$@" (including quotes), or ignore all arguments if no arguments are expected to be passed via the wrapper script, i.e. remove $*.
Comment 32 errata-xmlrpc 2012-05-10 11:33:57 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5.6 EUS - Server Only

Via RHSA-2012:0569 https://rhn.redhat.com/errata/RHSA-2012-0569.html
Comment 33 errata-xmlrpc 2012-05-10 11:36:41 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5.3 Long Life
  Red Hat Enterprise Linux 5.6 EUS - Server Only
  Red Hat Enterprise Linux 6.1 EUS - Server Only
  Red Hat Enterprise Linux 6.0 EUS - Server Only

Via RHSA-2012:0568 https://rhn.redhat.com/errata/RHSA-2012-0568.html
Comment 34 Tomas Hoger 2012-05-10 12:44:23 EDT
Following article explains how this is exploited in the wild (the describe method matches what Metasploit module linked in comment #24 does):

http://blog.spiderlabs.com/2012/05/php-cgi-exploitation-by-example.html

This gives further examples of exploit attempts detected on honeypots:

http://blog.spiderlabs.com/2012/05/honeypot-alert-active-exploit-attempts-for-php-cgi-vuln.html
Comment 35 Tomas Hoger 2012-05-11 10:30:47 EDT
(In reply to comment #25)
> CVE-2012-2311 is tracked via bug 818907.

In addition to CVE-2012-2311, two more related CVEs were assigned.  Following provides an overview of what those CVEs were assigned to (mostly copied from bug #818907, comment #8):

CVE-2012-2311 (bug #818907) - This CVE is only to be used for the incorrect detection of '=', which allows bypassing the check introduced in PHP versions 5.3.12 and 5.4.2 by using %3D in the query string.  Red Hat released updates correcting CVE-2012-1823 did not have this problem, hence this CVE is not applicable to Red Hat Enterprise Linux PHP packages.

CVE-2012-2335 (bug #820874) - This was assigned for an insecure wrapper script.  This is not CVE for PHP itself.  Upstream PHP versions 5.3.13 and 5.4.3 mitigated this problem by skipping leading spaces in the query string before doing other checks.  This mitigation is not included in the Red Hat PHP packages updates fixing CVE-2012-1823.  This fix may be included in future updates, however fixing such scripts is recommended (see comment #31).

CVE-2012-2336 (bug #820708) - This CVE is for the problem that the second php_getopt() call was not skipped, and hence with the original fix applied, php-cgi would still handle injected -h/-? and -T options.  That issue was not corrected in Red Hat PHP packages updates fixing CVE-2012-1823.

Reference:
http://thread.gmane.org/gmane.comp.security.oss.general/7600/focus=7635
Comment 36 errata-xmlrpc 2012-05-11 13:41:10 EDT
This issue has been addressed in following products:

  Red Hat Web Application Stack for RHEL 5

Via RHSA-2012:0570 https://rhn.redhat.com/errata/RHSA-2012-0570.html
Comment 37 Tomas Hoger 2012-05-11 16:32:17 EDT
Statement:

This flaw did not affect the versions of PHP in Red Hat Enterprise Linux 3 or 4. Updates were released for Red Hat Enterprise Linux 5 and 6 (RHSA-2012:0546, RHSA-2012:0547), Red Hat Enterprise Linux 5.3 Long Life (RHSA-2012:0568), Red Hat Enterprise Linux 5.6, 6.0, and 6.1 Extended Update Support (RHSA-2012:0568, RHSA-2012:0569), and Red Hat Application Stack v2 (RHSA-2012:0570).

This flaw only affected PHP CGI configurations and it did not affect the default configuration in Red Hat Enterprise Linux 5 and 6 using the PHP module for Apache httpd to handle PHP scripts.

Note that this issue was not fixed completely the first time, which resulted in the assignment of additional related CVE identifiers - CVE-2012-2311, CVE-2012-2335, and CVE-2012-2336. Refer to the Red Hat CVE Database and the Red Hat Bugzilla for additional information on how those CVEs affect Red Hat products.
Comment 38 Fedora Update System 2012-05-26 03:20:45 EDT
php-5.4.3-1.fc17, maniadrive-1.2-40.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 39 Fedora Update System 2012-05-26 21:52:01 EDT
php-5.3.13-1.fc16, maniadrive-1.2-32.fc16.5, php-eaccelerator-0.9.6.1-9.fc16.5 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 40 Fedora Update System 2012-05-27 03:21:34 EDT
php-5.3.13-1.fc15, maniadrive-1.2-32.fc15.5, php-eaccelerator-0.9.6.1-9.fc15.5 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.