PHP 5.4 Exploit PoC in the wild

Clarifications/Updates to the original diary:

- This is NOT remote exploitable. An exploit would require the attacker to upload PHP code to the server, at which point, the attacker could just use PHP to run shell commands via "exec".

- only the windows version is vulnerable

- on windows, the "COM" functions are part of php core, not an extension.

- this is not at all related to the (more serious) CVE-2012-2336 vulnerability mentioned below. The com_type_info vulnerability is now known as CVE-2012-2376.


--- original report by Manuel ----


There is a remote exploit in the wild for PHP 5.4.3 in Windows, which takes advantage of a vulnerability in the com_print_typeinfo function. The php engine needs to execute the malicious code, which can include any shellcode like the the ones that bind a shell to a port.

Since there is no patch available for this vulnerability yet, you might want to do the following:

  • Block any file upload function in your php applications to avoid risks of exploit code execution.
  • Use your IPS to filter known shellcodes like the ones included in metasploit.
  • Keep PHP in the current available version, so you can know that you are not a possible target for any other vulnerability like CVE-2012-2336 registered at the beginning of the month.
  • Use your HIPS to block any possible buffer overflow in your system.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
e-mail: msantand at isc dot sans dot org

Manuel Humberto Santander Pelaacuteez

195 Posts
ISC Handler
May 19th 2012
0in released this, reference:
Been assigned CVE-2012-2376?

135 Posts

Sign Up for Free or Log In to start participating in the conversation!