CVE-2012-2329
Published 2012-05-11
Priority: P3 · 46 · medium · CVSS 2.0 score 5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Exploit: public exploit available
EPSS: 62.65% (99.1th percentile)
Buffer overflow in the apache_request_headers function in sapi/cgi/cgi_main.c in PHP 5.4.x before 5.4.3 allows remote attackers to cause a denial of service (application crash) via a long string in the header of an HTTP request.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| php | php | — | — |
| php | php | — | — |
| php | php | — | — |
Detection & IOCs (extracted from the sources below)
- The exploit targets PHP-CGI only; Apache httpd mod_php configurations are NOT affected. Detection should focus on PHP-CGI deployments.
- The overflow is triggered by an HTTP request header value exceeding 128 bytes, specifically in environment variables prefixed with HTTP_ (e.g., HTTP_X_<name>). Alert on abnormally long HTTP header values sent to PHP-CGI endpoints.
- The exploit sends a GET request with a crafted HTTP_X_<4-char-random> header containing the overflow payload. Monitor for GET requests to PHP scripts with unusually large custom HTTP_X_* headers.
- A 500 HTTP response code from the target after sending the oversized header may indicate a successful crash/exploitation attempt.
- The exploit uses a custom encoder (avoid_underscore_tolower) that avoids the 0x5f (underscore) byte and uppercase bytes. Shellcode in the payload will not contain underscores or uppercase ASCII letters (0x41-0x5a).
- The ROP gadget used is a pop/pop/ret from php5ts.dll at address 0x1002aa79. Presence of this address in network shellcode or memory is a strong indicator of exploitation of this CVE on Windows targets.
- The SEH-based exploit uses ECX alignment via 'pop esi' (0x5e) to point to the start of the encoded payload. The payload space is 1321 bytes with offset 1332.
- Only PHP 5.4.0 through 5.4.2 in CGI mode are vulnerable. PHP shipped with RHEL 4, 5, and 6 is NOT affected.
- The Metasploit module was tested specifically against the thread-safe PHP 5.4.2 from windows.php.net running with Apache 2.2.22 from apachelounge.com on Windows. The ROP address (0x1002aa79 in php5ts.dll) is version-specific and will not work against other builds without adjustment.
- The exploit target is Windows only (XP SP3 / 2003 Server SP2 with No DEP). DEP-enabled systems are not covered by this module.
CVSS provenance
- NVD (CVSS 2.0): 5.0 MEDIUM, AV:N/AC:L/Au:N/C:N/I:N/A:P
- Red Hat (vendor): 5.0 MEDIUM
GHSA
GHSA-qp7j-m6w8-5jjh: Buffer overflow in the apache_request_headers function in sapi/cgi/cgi_main
ghsa_unreviewed · 2022-05-17 · CVE-2012-2329 · MEDIUM · CWE-119
Buffer overflow in the apache_request_headers function in sapi/cgi/cgi_main.c in PHP 5.4.x before 5.4.3 allows remote attackers to cause a denial of service (application crash) via a long string in the header of an HTTP request.
Red Hat
php: buffer overflow flaw in apache_request_headers() in PHP 5.4.x
vendor_redhat · 2012-05-08 · CVSS 5.0 · CVE-2012-2329 · MEDIUM · CWE-697
Buffer overflow in the apache_request_headers function in sapi/cgi/cgi_main.c in PHP 5.4.x before 5.4.3 allows remote attackers to cause a denial of service (application crash) via a long string in the header of an HTTP request.
Statement: Not vulnerable. This issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 4, 5, or 6. This flaw only affects PHP 5.4.0 through 5.4.2.
- Package: php (Red Hat Enterprise Linux 4) - Not affected
- Package: php (Red Hat Enterprise Linux 5) - Not affected
- Package: php53 (Red Hat Enterprise Linux 5) - Not affected
- Package: php (Red Hat Enterprise Linux 6) - Not affected
No detection rules found.
Exploit-DB
PHP 5.4.3 - apache_request_headers Function Buffer Overflow (Metasploit)
exploitdb · 2012-06-17 · CVE-2012-2329
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'PHP apache_request_headers Function Buffer Overflow',
      'Description' => %q{
        This module exploits a stack based buffer overflow in the CGI version of PHP
        5.4.x before 5.4.3. The vulnerability is due to the insecure handling of the
        HTTP headers.
        This module has been tested against the thread safe version of PHP 5.4.2,
        from "windows.php.net", running with Apache 2.2.22 from "apachelounge.com".
      },
      'Author' =>
        [
          'Vincent Danen', # Vulnerability d
```
PHP apache_request_headers Function Buffer Overflow
metasploit
PHP apache_request_headers Function Buffer Overflow
PHP apache_request_headers Function Buffer Overflow
This module exploits a stack based buffer overflow in the CGI version of PHP 5.4.x before 5.4.3. The vulnerability is due to the insecure handling of the HTTP headers. This module has been tested against the thread safe version of PHP 5.4.2, from "windows.php.net", running with Apache 2.2.22 from "apachelounge.com".
Metasploit
Avoid underscore/tolower
metasploit · CVSS 5.0 · CVE-2012-2329 · MEDIUM
Underscore/tolower Safe Encoder used to exploit CVE-2012-2329. It is a modified version of the 'Avoid UTF8/tolower' encoder by skape. Please check the documentation of the skape encoder before using it. As the original, this encoder expects ECX pointing to the start of the encoded payload. Also BufferOffset must be provided if needed. The changes introduced are (1) avoiding the use of the 0x5f byte (underscore), because it is a bad character in the CVE-2012-2329 case, and (2) optimizing the transformation block, taking into account more relaxed conditions about bad characters greater than 0x80.
Bugzilla
CVE-2012-2329 php: buffer overflow flaw in apache_request_headers() in PHP 5.4.x
bugzilla · 2012-05-08 · CVSS 5.0 · MEDIUM
A buffer overflow was reported in the apache_request_headers() function in PHP 5.4.x. The apache_request_headers() function has a loop that copies the name of an environment variable while it fixes cases and converts '_' to '-'. While this loop is supposed to only copy the variable name ("Cookie" from "HTTP_COOKIE"), it instead continues to the end of the entire environment variable. If the string being copied is longer than 128 bytes, it will overflow the buffer, resulting in a crash of the php interpreter.
Statement:
Not vulnerable. This issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 4, 5, or 6. This flaw only affects PHP 5.4.0 through 5.4.2.
External Reference:
htt
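As an added illustration, not code from this page, from PHP or from Red Hat: a simplified C model of the header-name normalisation that the Bugzilla report above describes (HTTP_COOKIE to Cookie, '_' to '-'), written in its bounded form, next to a model of the unbounded copy that reports whether an HTTP_ entry would overrun a 128-byte buffer, plus the header-length check suggested in the Detection & IOCs list, run over a constructed request. The 128-byte buffer size and the HTTP_X_ABCD header shape come from the page; the function names, the exact capitalisation rule and the sample data are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed buffer the bug report says the name-copy loop overran.
 * Simplified model of the report's description, not the PHP source. */
#define CGI_HEADER_BUF 128

/* Bounded form: turn a CGI environment entry such as
 * "HTTP_X_FORWARDED_FOR=1.2.3.4" into the header name "X-Forwarded-For".
 * Drops the HTTP_ prefix, maps '_' to '-', upper-cases the first letter of
 * each word and lower-cases the rest (assumed rule). Stops at '=' (end of
 * the name) and never writes past outlen bytes. Returns the name length,
 * or -1 if the entry is not an HTTP_ variable or the name does not fit. */
int cgi_env_to_header_name(const char *env, char *out, size_t outlen)
{
    const char *p;
    size_t n = 0;
    int upper = 1;

    if (outlen == 0 || strncmp(env, "HTTP_", 5) != 0)
        return -1;
    for (p = env + 5; *p != '\0' && *p != '='; p++) {
        if (n + 1 >= outlen)            /* leave room for the terminator */
            return -1;
        if (*p == '_') {
            out[n++] = '-';
            upper = 1;
        } else {
            out[n++] = (char)(upper ? toupper((unsigned char)*p)
                                    : tolower((unsigned char)*p));
            upper = 0;
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Model of the pre-5.4.3 behaviour the report describes: the copy does not
 * stop at the end of the name but runs to the end of the whole entry.
 * Returns 1 if that copy (plus terminator) would exceed CGI_HEADER_BUF. */
int would_overflow_128(const char *env)
{
    if (strncmp(env, "HTTP_", 5) != 0)
        return 0;
    return strlen(env + 5) + 1 > CGI_HEADER_BUF;
}

/* Convenience check: 1 if env normalises to exactly `expected`. */
int header_name_matches(const char *env, const char *expected)
{
    char name[CGI_HEADER_BUF];
    return cgi_env_to_header_name(env, name, sizeof name) >= 0 &&
           strcmp(name, expected) == 0;
}

/* Detection helper for the IOC list: walk raw CRLF-separated request
 * headers and count header values longer than `limit` bytes. */
int count_oversized_header_values(const char *headers, size_t limit)
{
    int hits = 0;
    const char *line = headers;

    while (*line != '\0') {
        const char *eol = strstr(line, "\r\n");
        size_t linelen = eol ? (size_t)(eol - line) : strlen(line);
        const char *colon = memchr(line, ':', linelen);
        if (colon != NULL) {
            const char *v = colon + 1;
            while (v < line + linelen && (*v == ' ' || *v == '\t'))
                v++;
            if ((size_t)(line + linelen - v) > limit)
                hits++;
        }
        if (eol == NULL)
            break;
        line = eol + 2;
    }
    return hits;
}

/* Constructed sample request with a custom X-ABCD header whose value is
 * value_len 'A' bytes; returns how many header values exceed `limit`. */
int sample_request_oversized(size_t value_len, size_t limit)
{
    char req[1024];
    size_t used;

    if (value_len > 900)
        return -1;
    used = (size_t)snprintf(req, sizeof req,
                            "Host: example.test\r\nCookie: a=b\r\nX-ABCD: ");
    memset(req + used, 'A', value_len);
    memcpy(req + used + value_len, "\r\n", 3);      /* copies the NUL too */
    return count_oversized_header_values(req, limit);
}

/* Constructed sample: the CGI entry that same header becomes
 * ("HTTP_X_ABCD=" followed by value_len 'A' bytes). */
int sample_env_would_overflow(size_t value_len)
{
    char env[1024];
    size_t used;

    if (value_len > 900)
        return -1;
    used = (size_t)snprintf(env, sizeof env, "HTTP_X_ABCD=");
    memset(env + used, 'A', value_len);
    env[used + value_len] = '\0';
    return would_overflow_128(env);
}

int main(void)
{
    char name[CGI_HEADER_BUF];
    int n = cgi_env_to_header_name("HTTP_X_FORWARDED_FOR=1.2.3.4", name, sizeof name);
    printf("header name: %s (%d bytes)\n", name, n);
    printf("20-byte value overflows: %d, 200-byte value overflows: %d\n",
           sample_env_would_overflow(20), sample_env_would_overflow(200));
    printf("oversized header values in sample request: %d\n",
           sample_request_oversized(200, 128));
    return 0;
}
```

The threshold in `sample_env_would_overflow` counts the bytes after the HTTP_ prefix through the end of the entry, so a 120-byte X-ABCD value (7 bytes of "X_ABCD=" plus 120, plus the terminator) fits exactly, while 121 bytes would not; in the request-side check the limit is applied to the header value alone, which is the coarser signal a proxy or WAF can see.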
Bugzilla
CVE-2012-2329 php: buffer overflow flaw in apache_request_headers() in PHP 5.4.x [fedora-17]
bugzilla · 2012-05-08 · CVSS 5.0 · MEDIUM
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected Fedora versions.
For comments that are specific to the vulnerability please use bugs filed against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the bug IDs of this bug's parent bugs filed against the "Security Response" product (the top-level CVE bugs). Please mention the CVE IDs being fixed in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/ne
References
- http://secunia.com/advisories/49014
- http://www.php.net/ChangeLog-5.php#5.4.3
- http://www.php.net/archive/2012.php#id2012-05-08-1
- http://www.securityfocus.com/bid/53455
- https://bugs.php.net/bug.php?id=61807
- https://bugzilla.redhat.com/show_bug.cgi?id=820000
- https://exchange.xforce.ibmcloud.com/vulnerabilities/75545
- https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03839862