CVE-2012-0209
Published: 2012-09-25
Priority: P2 · 71 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit available
EPSS: 71.90% (99.3rd percentile)
Horde 3.3.12, Horde Groupware 1.2.10, and Horde Groupware Webmail Edition 1.2.10, as distributed by FTP between November 2011 and February 2012, contains an externally introduced modification (Trojan Horse) in templates/javascript/open_calendar.js, which allows remote attackers to execute arbitrary PHP code.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| horde | groupware | — | — |
| horde | horde | — | — |
Detection & IOCs (extracted from sources)
Rule (Snort/Suricata, ET sid 2014260):
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Horde 3.3.12 Backdoor Attempt"; flow:established,to_server; http.uri; content:"/services/javascript.php"; http.cookie; content:"href"; http.request_body; content:"file=open_calendar.js"; reference:cve,2012-0209; classtype:web-application-attack; sid:2014260; rev:4; metadata:created_at 2012_02_21, cve CVE_2012_0209, signature_severity Major, updated_at 2020_04_21;)
- The exploit sends a POST request to /services/javascript.php with the body parameter 'file=open_calendar.js' and a Cookie header containing 'href=<php_function>:<arguments>' to trigger the backdoor.
- The backdoor payload pattern '$m[1]($m[2])' can be grep-searched within the Horde directory tree to identify compromised files.
- The backdoor was introduced into the file templates/javascript/open_calendar.js in tarballs distributed via FTP; verify file integrity against known-good MD5 checksums of the affected tarballs.
- The exploit uses the PHP function 'passthru' delivered via the Cookie 'href' field; monitor for HTTP requests to javascript.php with cookie values matching the pattern href=<word>:<command>.
- Only tarballs distributed via FTP during specific windows are affected; CVS and Git repository checkouts are clean. Horde 4 releases were not compromised.
- The Metasploit module requires the 'APP' parameter to correspond to an active Horde application; the default is 'horde'. Adjust detection rules if non-default app names are used.
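The detection logic in the notes above, as an added example that is not from the page's sources: it mirrors the three buffers the ET rule inspects (URI, Cookie, POST body) over constructed request records, and applies the file-content check for the '$m[1]($m[2])' pattern to constructed JavaScript. The request records, the `href` regex and the sample files are assumptions made here; the substring match on '/services/javascript.php' holds whatever APP prefix precedes it.

```python
import re

# Constructed sample requests (not real traffic) with the three fields ET rule sid:2014260 inspects.
SAMPLE_REQUESTS = [
    {"uri": "/horde/services/javascript.php", "cookie": "href=passthru:id",  # IOC trigger shape
     "body": "file=open_calendar.js&app=horde"},
    {"uri": "/horde/services/javascript.php", "cookie": "Horde=abc123",      # ordinary session cookie
     "body": "file=open_calendar.js&app=horde"},
    {"uri": "/horde/index.php", "cookie": "href=passthru:id", "body": ""},    # wrong endpoint
]

# Cookie shape from the IOC notes: href=<php_function>:<arguments>
HREF_RE = re.compile(r"(?:^|;\s*)href=(\w+):([^;]*)")

def is_backdoor_attempt(req):
    """Mirror the rule's three buffers (uri, body, cookie); return (matched, php_function)."""
    if "/services/javascript.php" not in req.get("uri", ""):
        return False, None
    if "file=open_calendar.js" not in req.get("body", ""):
        return False, None
    m = HREF_RE.search(req.get("cookie", ""))
    return (True, m.group(1)) if m else (False, None)

def scan_requests(requests):
    """Return (index, php_function) for every request that matches all three conditions."""
    hits = []
    for i, req in enumerate(requests):
        matched, fn = is_backdoor_attempt(req)
        if matched:
            hits.append((i, fn))
    return hits

# Host-side check from the IOC notes: the payload pattern that can be grep-searched in files.
BACKDOOR_MARKER = "$m[1]($m[2])"

def find_backdoor_marker(source):
    """1-based line numbers containing the marker; an empty list means the file looks clean."""
    return [n for n, line in enumerate(source.splitlines(), 1) if BACKDOOR_MARKER in line]

# Constructed file contents, not Horde's real open_calendar.js.
CLEAN_JS = "function openCalendar(imgId, target) {\n  return target;\n}\n"
TAMPERED_JS = ("function openCalendar(imgId, target) {\n"
               "  // constructed marker line\n"
               "  x = $m[1]($m[2]);\n}\n")
```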
Suricata
ET WEB_SPECIFIC_APPS Horde 3.3.12 Backdoor Attempt (suricata, 2012-02-21, sid 2014260); the rule text is quoted under Detection & IOCs above.
Exploit-DB
Horde 3.3.12 - Backdoor Arbitrary PHP Code Execution (Metasploit) (exploitdb, 2012-02-17)

Module header as excerpted on Exploit-DB (the listing is truncated at the end):

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Horde 3.3.12 Backdoor Arbitrary PHP Code Execution',
      'Description' => %q{
        This module exploits an arbitrary PHP code execution vulnerability introduced
        as a backdoor into Horde 3.3.12 and Horde Groupware 1.2.10.
      },
      'Author' => [
        'Eric Romang', # first public PoC
        'jduck'        # Metasploit module
      ],
      'License'    => MSF_LICENSE,
      'References' =>
        [
          [ 'CVE', '2012-0209'],
          [ 'URL', 'http://dev.horde.org/h/jonah/stories/view.php?channel_id=1&
```
Metasploit
Horde 3.3.12 Backdoor Arbitrary PHP Code Execution (metasploit)
This module exploits an arbitrary PHP code execution vulnerability introduced as a backdoor into Horde 3.3.12 and Horde Groupware 1.2.10.
Bugzilla
CVE-2012-0209 Horde 3.3.12 backdoor found in source code (bugzilla, 2012-02-15, CVSS 7.5, HIGH)
From http://dev.horde.org/h/jonah/stories/view.php?channel_id=1&id=155
A few days ago we became aware of a manipulated file on our FTP server. Upon further investigation we discovered that the server had been hacked earlier, and three releases had been manipulated to allow unauthenticated remote PHP execution.
We have immediately taken down all distribution servers to further analyze the extent of this incident, and we have worked closely with various Linux distributions to coordinate our response.
Since then the FTP and PEAR servers have been replaced and further secured. Clean versions of our releases have been uploaded.
This issue will be tracked as CVE-2012-0209: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0209
We
GreyNoise
NoiseLetter February 2024 (blogs_greynoiseio)
References
- http://dev.horde.org/h/jonah/stories/view.php?channel_id=1&id=155
- http://eromang.zataz.com/2012/02/15/cve-2012-0209-horde-backdoor-analysis/
- http://lists.horde.org/archives/announce/2012/000751.html
- http://packetstormsecurity.org/files/109874/Horde-3.3.12-Backdoor-Arbitrary-PHP-Code-Execution.html
- https://bugzilla.redhat.com/show_bug.cgi?id=790877