Nmap Development mailing list archives

NSE for detecting vulnerable PHP-CGI setups (CVE2012-1823)

From: Paulino Calderon <paulino () calderonpale com>
Date: Fri, 04 May 2012 12:30:00 -0500

Hi list,

Here is my script for detecting vulnerable PHP-CGI setups(CVE2012-1823). This is a pretty scary vuln as it affects a lot ofinstallations. Here is the full advisory:http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/I'm going to look more into it to write a reliable exploitation scripttoo. So far it seems the -r flag is not available in all the setups andwe will need to exploit via RFI to be 100% accurate.


Cheers.

-- @usage
-- nmap -sV --script http-vuln-cve2012-1823 <target>

-- nmap -p80 --script http-vuln-cve2012-1823 --script-argshttp-vuln-cve2012-1823.uri=/test.php <target>

-- @output
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- | http-vuln-cve2012-1823:
-- |   VULNERABLE:
-- |   PHP-CGI Remote code execution and source code disclosure
-- |     State: VULNERABLE (Exploitable)
-- |     IDs:  CVE:2012-1823
-- |     Description:
-- |       According to PHP's website, "PHP is a widely-used general-purpose

-- | scripting language that is especially suited for Webdevelopment and

-- |       can be embedded into HTML." When PHP is used in a CGI-based setup

-- | (such as Apache's mod_cgid), the php-cgi receives a processedquery-- | string parameter as command line arguments which allowscommand-line-- | switches, such as -s, -d or -c to be passed to the php-cgibinary,-- | which can be exploited to disclose source code and obtainarbitrary

-- |       code execution.
-- |     Disclosure date: 2012-05-3
-- |     Extra information:
-- |       Proof of Concept:/index.php?-s
-- |     References:
-- |       http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
-- |       http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1823
-- |_      http://ompldr.org/vZGxxaQ
--
-- @args http-vuln-cve2012-1823.uri URI. Default: /index.php

--
Paulino Calderón Pale
Website: http://calderonpale.com
Twitter: http://twitter.com/calderpwn

Attachment: http-vuln-cve2012-1823.nse
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

Current thread:

NSE for detecting vulnerable PHP-CGI setups (CVE2012-1823) Paulino Calderon (May 04)
- Re: NSE for detecting vulnerable PHP-CGI setups (CVE2012-1823) David Fifield (May 04)
  - Re: NSE for detecting vulnerable PHP-CGI setups (CVE2012-1823) Patrik Karlsson (May 04)
    - Re: NSE for detecting vulnerable PHP-CGI setups (CVE2012-1823) Paulino Calderon (May 04)
    - Re: NSE for detecting vulnerable PHP-CGI setups (CVE2012-1823) Patrik Karlsson (May 04)
- Re: NSE for detecting vulnerable PHP-CGI setups (CVE2012-1823) Paulino Calderon (May 07)