CVE-2012-2376
Published 2012-05-21
Priority: P2 (73) · Severity: critical · CVSS 2.0 base score: 10.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 20.05% (97.1th percentile)
Buffer overflow in the com_print_typeinfo function in PHP 5.4.3 and earlier on Windows allows remote attackers to execute arbitrary code via crafted arguments that trigger incorrect handling of COM object VARIANT types, as exploited in the wild in May 2012.
Affected
105 affected version ranges recorded; only the range carrying version data is shown.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| php | php | <= 5.4.3 | — |
Detection & IOCs (extracted from sources)
- Look for HTTP requests invoking com_print_typeinfo() with crafted COM object VARIANT type arguments on Windows-hosted PHP 5.4.3 and earlier; the function mishandles VARIANT types, leading to a stack/heap buffer overflow.
- The exploit uses a heap spray targeting address 0x048d0030 and pivots the stack via an XCHG EAX,ESP ROP gadget in ole32.dll (0x7752ae9f), then calls VirtualProtect (0x7c801ad4) to mark the shellcode PAGE_EXECUTE_READWRITE before executing a bind-shell payload on port 1337. Detect heap spray patterns and ROP gadget sequences in PHP process memory.
- The exploit delivers a two-stage payload: an HTML page (offset-brute.html) that iterates offsets and issues GET requests to a PHP script (0day.php) containing the malicious com_print_typeinfo call. Monitor for repeated GET requests to PHP scripts with incrementing offset parameters from a browser context.
- The shellcode begins with a stack-adjustment stub (\xbc\x0c\xb0\xc0\x00) followed by the encoded bind shell. Use the leading byte sequence as a signature to detect the shellcode in network traffic or PHP process memory.
- Exploitation is Windows-only; Linux/Unix PHP deployments are not affected. Focus detection efforts on Windows IIS/Apache PHP deployments running PHP <= 5.4.3.
- The exploit was tested and tuned specifically for Windows XP SP3 (Polish locale); the hardcoded addresses (ole32.dll ROP gadget 0x7752ae9f, VirtualProtect 0x7c801ad4) are version- and locale-specific and will differ on other Windows builds, limiting direct reuse of the PoC without re-bruteforcing offsets.
- The PoC includes an offset-bruteforce loop (offset-brute.html) that iterates heap spray offsets via repeated GET requests, meaning the exploit may require many requests before succeeding; detection rules should account for this brute-force pattern rather than a single-shot trigger.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 10.0 | CRITICAL | — |
| vendor_redhat | — | 10.0 | CRITICAL | — |
GHSA
GHSA-r84c-ppfc-cj9g: Buffer overflow in the com_print_typeinfo function in PHP 5
Source: ghsa (unreviewed) · 2022-05-17 · Severity: HIGH · CWE-119
VulnCheck
PHP PHP Improper Restriction of Operations within the Bounds of a Memory Buffer
Source: vulncheck · 2012 · CVSS 10.0 · Severity: CRITICAL
Affected: PHP PHP
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://nvd.nist.gov/vuln/detail/CVE-2012-2376; https://www.cve.org/CVERecord?id=CVE-2012-2376
Red Hat
php: Buffer overflow in com_print_typeinfo() by parsing certain variant types
Source: vendor_redhat · 2012-05-19 · CVSS 10.0 · Severity: CRITICAL
Statement: Not vulnerable. This flaw is specific to PHP instances running on the Microsoft Windows platform.
Package: php (Red Hat Enterprise Linux 5) - Not affected
Package: php53 (Red Hat Enterprise Linux 5) - Not affected
Package: php (Red Hat Enterprise Linux 6) - Not affected
No detection rules found.
References
- http://isc.sans.edu/diary.html?storyid=13255
- http://openwall.com/lists/oss-security/2012/05/20/2
- http://www.exploit-db.com/exploits/18861/
- http://www.securitytracker.com/id?1027089
- https://bugzilla.redhat.com/show_bug.cgi?id=823464
- https://exchange.xforce.ibmcloud.com/vulnerabilities/75778