Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2588
Views
0
Helpful
1
Replies

Detect PHP-CGI Remote Execution Exploit CVE-2012-1823

enkrypter
Level 1
Level 1

‎05-07-2012 11:38 AM - edited ‎03-10-2019 05:40 AM

Gents:

I believe I have a signature worked out for the nasty PHP-CGI bug.  (CVE-2012-1823)

The vulnerability is executed by using arguments in the URL of PHP scripts.  (Example:  http://www.facebook.com/?-s     would show you the source code if it was vulnerable.  Facebook has since fixed it and planted a nice easter egg.)

Cisco has not released an official signature for this yet.  This is a custom signature of my own device and I make no claims or waranty of it's fitness.

Start by creating a custom sig:

Signature Type = Vulnerability

Engine Type = Service HTTP

Specify Request Regex = Yes

Request Regex = [\?][\-][acndefhilmrBRFEHTsvwz]

Service Ports = 80       (*note that https urls are encrypted and you wont get any hits by enabling 443)

Set Severity to high and tell it to produce an alert.

Next create and event action filter to remove the produce alert action for threats triggered leaving your network.  (we only care about our php installations, not everyone esle's.)  Watch it for a few days, if you have no false positives, set it up to drop packets.

Good Luck.  Let me know if anyone see's a flaw in this signature design. 

Thanks,

Tom T.

Labels:
0 Helpful
1 Reply 1

nearchib
Level 1
Level 1

‎05-07-2012 01:35 PM

Hey Tom,

Thank you for letting us know about the custom signature, we appreciate the input. I have added this CVE to our system to be addressed as soon as possible.

The signature you listed makes sense, however it seems to me that the regular expression might be a little loose for use on some busy networks.

Currently it is looking for three characters anywhere in the request.

I would probably move the request regex to the URI Regex field. I would also add the trailing "/" to the regex to tighten it a little more. We could also move the signature to the #WEBPORTS service-ports variable, to cover ports 8080,8000, etc.

Before we release signatures we perform rigorous false positive testing however, so we will need to take our own signature through this process before you see it in the signature package.

Thanks again for your suggestion

Regards

Neil Archibald

Cisco IPS Signature Team

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card