05-07-2012 11:38 AM - edited 03-10-2019 05:40 AM
Gents:
I believe I have a signature worked out for the nasty PHP-CGI bug. (CVE-2012-1823)
The vulnerability is executed by using arguments in the URL of PHP scripts. (Example: http://www.facebook.com/?-s would show you the source code if it was vulnerable. Facebook has since fixed it and planted a nice easter egg.)
Cisco has not released an official signature for this yet. This is a custom signature of my own device and I make no claims or warranty of its fitness.
Start by creating a custom sig:
Signature Type = Vulnerability
Engine Type = Service HTTP
Specify Request Regex = Yes
Request Regex = [\?][\-][acndefhilmrBRFEHTsvwz]
Service Ports = 80 (*note that https urls are encrypted and you won't get any hits by enabling 443)
Set Severity to high and tell it to produce an alert.
Next create an event action filter to remove the produce alert action for threats triggered leaving your network. (we only care about our php installations, not everyone else's.) Watch it for a few days, if you have no false positives, set it up to drop packets.
Good Luck. Let me know if anyone sees a flaw in this signature design.
Thanks,
Tom T.
05-07-2012 01:35 PM
Hey Tom,
Thank you for letting us know about the custom signature, we appreciate the input. I have added this CVE to our system to be addressed as soon as possible.
The signature you listed makes sense, however it seems to me that the regular expression might be a little loose for use on some busy networks.
Currently it is looking for three characters anywhere in the request.
I would probably move the request regex to the URI Regex field. I would also add the trailing "/" to the regex to tighten it a little more. We could also move the signature to the #WEBPORTS service-ports variable, to cover ports 8080,8000, etc.
Before we release signatures we perform rigorous false positive testing, however, so we will need to take our own signature through this process before you see it in the signature package.
Thanks again for your suggestion.
Regards
Neil Archibald
Cisco IPS Signature Team
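To make the two posts above concrete, here is an added example (my own code, not Tom's signature definition or anything from the Cisco IPS team) that runs Tom's request regex as posted, and a tightened URI-field variant in the spirit of Neil's reply, over a handful of constructed HTTP requests. The tightened regex is my interpretation of Neil's advice: it is evaluated against the request-target only and requires the `?-<option>` to sit at the very start of the query string, so it also covers `/index.php?-s` rather than only `/?-s`. The `WEBPORTS` set, the local network ranges used for the "leaving your network" filter, and every sample request are assumptions constructed for the demonstration.

```python
"""Constructed samples for comparing the loose and tightened CVE-2012-1823 signature regexes."""
import ipaddress
import re

# Tom's request regex from the thread, applied to the whole request: matches "?-"
# followed by one php-cgi option letter anywhere in the request line, headers or body.
LOOSE_RE = re.compile(r"[\?][\-][acndefhilmrBRFEHTsvwz]")

# Tightened variant (assumption, my reading of Neil's reply): evaluated against the
# URI only, and "?-<opt>" must begin the query string, so a "?-" buried inside an
# ordinary parameter value does not fire.
TIGHT_RE = re.compile(r"^[^?]*\?-[acndefhilmrBRFEHTsvwz]")

# Stand-in for the #WEBPORTS service-ports variable (assumed port list).
WEBPORTS = {80, 8000, 8080}

# Constructed local address space; alerts whose destination is outside it are
# "leaving your network" and get dropped, as Tom's event action filter does.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
              ipaddress.ip_network("192.168.0.0/16")]


def request_uri(raw_request):
    """Return the request-target from the first line of a raw HTTP request, or None."""
    first_line = raw_request.split("\r\n", 1)[0]
    parts = first_line.split(" ")
    return parts[1] if len(parts) >= 3 else None


def loose_match(raw_request):
    """Tom's signature as posted: the regex is run over the entire request."""
    return LOOSE_RE.search(raw_request) is not None


def tight_match(raw_request):
    """URI-regex variant: the regex is run over the request-target only."""
    uri = request_uri(raw_request)
    return uri is not None and TIGHT_RE.search(uri) is not None


def is_inbound(dst_ip):
    """True when the destination is one of our own (constructed) address ranges."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in LOCAL_NETS)


def evaluate(raw_request, dst_ip, dst_port):
    """Apply the port and direction filters, then return (loose_alert, tight_alert)."""
    if dst_port not in WEBPORTS or not is_inbound(dst_ip):
        return (False, False)
    return (loose_match(raw_request), tight_match(raw_request))


# Constructed sample traffic: (label, raw request, destination IP, destination port).
SAMPLES = [
    ("source disclosure probe from the thread",
     "GET /?-s HTTP/1.1\r\nHost: www.example.com\r\n\r\n", "10.1.2.3", 80),
    ("same probe against a script path, on 8080",
     "GET /index.php?-s HTTP/1.1\r\nHost: www.example.com\r\n\r\n", "10.1.2.3", 8080),
    ("ordinary query string that happens to contain '?-n'",
     "GET /forum?topic=why?-not HTTP/1.1\r\nHost: www.example.com\r\n\r\n", "10.1.2.3", 80),
    ("'?-s' appears only in a Referer header",
     "GET /page.html HTTP/1.1\r\nHost: www.example.com\r\n"
     "Referer: http://www.example.com/?-s\r\n\r\n", "10.1.2.3", 80),
    ("outbound: our client talking to someone else's server",
     "GET /?-s HTTP/1.1\r\nHost: other.example.net\r\n\r\n", "203.0.113.9", 80),
]


def run_samples():
    """Evaluate every constructed sample; returns a list of (label, loose, tight)."""
    return [(label,) + evaluate(req, ip, port) for label, req, ip, port in SAMPLES]


if __name__ == "__main__":
    print(f"{'loose':<6} {'tight':<6} sample")
    for label, loose, tight in run_samples():
        print(f"{str(loose):<6} {str(tight):<6} {label}")
```

The third and fourth samples are the cases Neil is pointing at: the loose regex fires on a benign forum query and on a Referer header, while the URI-anchored variant only fires on the two genuine probes. The fifth shows the direction filter suppressing an alert for traffic that leaves the network.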