On Tuesday, October 29th, 2013, exploit author Kingcope released exploit code targeting a known vulnerability in Apache and PHP that allowed for remote code execution under certain conditions. More information on the exploit, as well as the code, can be found at http://www.exploit-db.com/exploits/29290/.
Since Tuesday other attack code variants have emerged, including one released by noptrix, that can be found here at http://www.exploit-db.com/exploits/29316/.
According to the Kingcope:
This is a code execution bug in the combination of Apache and PHP. On Debian and Ubuntu the vulnerability is present in the default install of the php5-cgi package.
When the php5-cgi package is installed on Debian and Ubuntu or php-cgi is installed manually the php-cgi binary is accessible under /cgi-bin/php5 and /cgi-bin/php. The vulnerability makes it possible to execute the binary because this binary has a security check enabled when installed with Apache http server and this security check is circumvented by the exploit.
Detecting the Exposure with CloudPassage Halo
To help users detect if their current Apache and PHP installations are susceptible to this attack, the CVE-2012-1823 – Apache / PHP5.x Remote Code Execution Exploit configuration policy was created by the CloudPassage research team. It should be noted that the following rules and checks could serve as a potential indicator of compromise (IOC). That being said, an alert on a true positive on an individual check will likely not serve as the sole indicator of vulnerability, but it should still be investigated.
System Configuration > Vulnerable PHP version possibly detected
- Several File String Presence checks exist to see if one of the listed php5 versions was installed using the package manager by inspecting /var/log/dpkg.log
Software Configuration > cgi.force_redirect
- Contains a File String Presence check to see if the cgi.force_redirect setting is enabled within the three most common php.ini files on the system – /etc/php5/cli/php.ini, /etc/php5/cgi/php.ini,and /etc/php5/apache2/php.ini.
Software Configuration > cgi.redirect_status_env
- Contains a File String Presence check to see if the cgi.redirect_status_envsetting is enabled within the three most common php.ini files on the system – /etc/php5/cli/php.ini, /etc/php5/cgi/php.ini,and /etc/php5/apache2/php.ini.
To begin using the CVE-2012-1823 – Apache / PHP5.x Remote Code Execution Exploit configuration policy, download the cve-2012-1823-apache-php5-x-remote-code-execution-exploit.policy.json file to your local workstation, log into your CloudPassage Halo Portal account, and import the policy as a Configuration Policy.