CVE-2012-2329
published 2012-05-11


Priority: P3 (46), medium
CVSS 2.0: 5.0, vector AV:N/AC:L/Au:N/C:N/I:N/A:P
Exploit: public exploit available
EPSS: 62.65% (99.1th percentile)
Buffer overflow in the apache_request_headers function in sapi/cgi/cgi_main.c in PHP 5.4.x before 5.4.3 allows remote attackers to cause a denial of service (application crash) via a long string in the header of an HTTP request.

Affected (3 ranges)

Vendor | Product | Version range | Fixed in
php    | php     |               |
php    | php     |               |
php    | php     |               |

Detection & IOCs (extracted from sources)

Path: sapi/cgi/cgi_main.c
  • The exploit targets PHP-CGI only; Apache httpd mod_php configurations are NOT affected. Detection should focus on PHP-CGI deployments.
  • The overflow is triggered by an HTTP request header value exceeding 128 bytes, specifically in environment variables prefixed with HTTP_ (e.g., HTTP_X_<name>). Alert on abnormally long HTTP header values sent to PHP-CGI endpoints.
  • The exploit sends a GET request with a crafted HTTP_X_<4-char-random> header containing the overflow payload. Monitor for GET requests to PHP scripts with unusually large custom HTTP_X_* headers.
  • A 500 HTTP response code from the target after sending the oversized header may indicate a successful crash/exploitation attempt.
  • The exploit uses a custom encoder (avoid_underscore_tolower) that avoids the 0x5f (underscore) byte and uppercase bytes. Shellcode in the payload will not contain underscores or uppercase ASCII letters (0x41-0x5a).
  • The ROP gadget used is a pop/pop/ret from php5ts.dll at address 0x1002aa79. Presence of this address in network shellcode or memory is a strong indicator of exploitation of this CVE on Windows targets.
  • The SEH-based exploit uses ECX alignment via 'pop esi' (0x5e) to point to the start of the encoded payload. The payload space is 1321 bytes with offset 1332.
  • Only PHP 5.4.0 through 5.4.2 in CGI mode are vulnerable. PHP shipped with RHEL 4, 5, and 6 is NOT affected.
  • The Metasploit module was tested specifically against the thread-safe PHP 5.4.2 from windows.php.net running with Apache 2.2.22 from apachelounge.com on Windows. The ROP address (0x1002aa79 in php5ts.dll) is version-specific and will not work against other builds without adjustment.
  • The exploit target is Windows only (XP SP3 / 2003 Server SP2 with No DEP). DEP-enabled systems are not covered by this module.
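As an added detection example (not part of this record or of any tool it cites), the following Python check applies the 128-byte threshold and the PHP-CGI scoping from the notes above to a raw HTTP request: it rebuilds the CGI environment-variable name for each header (HTTP_ prefix, upper-case, hyphens to underscores) and flags headers whose name or value exceeds the threshold on requests bound for a PHP script. The path pattern, the decision to check both name and value, and the sample requests are assumptions made for the example.

```python
import re

# Threshold from the advisory: the fixed buffer in apache_request_headers()
# is 128 bytes.
OVERFLOW_THRESHOLD = 128
# Assumption: request targets matching this reach PHP-CGI; adjust per deployment.
PHP_TARGET_RE = re.compile(r"\.php[0-9]?(?:$|[/?])", re.IGNORECASE)

def cgi_env_name(header_name):
    """Mirror how a CGI gateway exposes a header: HTTP_ prefix, upper-case,
    '-' replaced by '_' (X-Foo -> HTTP_X_FOO)."""
    return "HTTP_" + header_name.strip().upper().replace("-", "_")

def parse_request_head(raw):
    """Return (method, target, [(name, value), ...]) from a raw request;
    the body is ignored and malformed header lines are skipped."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    method, target = parts[0], (parts[1] if len(parts) > 1 else "")
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip(), value.strip()))
    return method, target, headers

def find_oversized_cgi_headers(raw, threshold=OVERFLOW_THRESHOLD):
    """One finding per header whose CGI variable name or value exceeds the
    threshold on a request bound for PHP-CGI. Checking both the name and the
    value is a conservative choice (an assumption of this example)."""
    method, target, headers = parse_request_head(raw)
    if not PHP_TARGET_RE.search(target):
        return []  # not a PHP-CGI endpoint, out of scope for this CVE
    findings = []
    for name, value in headers:
        env = cgi_env_name(name)
        if max(len(env), len(value)) > threshold:
            findings.append({"method": method, "target": target,
                             "env_var": env[:40],  # truncated for logging
                             "name_len": len(env), "value_len": len(value),
                             "custom_x_header": env.startswith("HTTP_X_")})
    return findings

# Constructed sample traffic (not captured from a real host).
BENIGN = (b"GET /index.php HTTP/1.1\r\nHost: example.test\r\n"
          b"User-Agent: Mozilla/5.0\r\n\r\n")
SUSPECT = (b"GET /index.php HTTP/1.1\r\nHost: example.test\r\n"
           b"X-ABCD: " + b"a" * 200 + b"\r\n\r\n")
```

Run it over request logs or a proxy tap that preserves raw header lines; a finding with custom_x_header set on a GET to a PHP endpoint matches the pattern described in the notes above and is worth correlating with a subsequent 500 response.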

CVSS provenance

nvd: v2.0, 5.0 MEDIUM, AV:N/AC:L/Au:N/C:N/I:N/A:P
vendor_redhat: 5.0 MEDIUM