Zero-day vulnerabilities discovered: 2
Buffer overflow
The vulnerability allows a remote attacker to cause DoS conditions or execute arbitrary code on the target system. The bug with Variant type parsing was originally discovered by Condis. There is evidence this vulnerability was being exploited in the wild before the official patch release.
Software: PHP
Known/famous malware:
Trojan.Filecoder
OS command injection
The vulnerability allows a remote attacker to execute arbitrary code on the target system. Also known as CVE-2012-1823. The patch for the original vulnerability CVE-2012-1823 was accidentally disclosed before the official release; however, it did not fix the issue. The vulnerability became widely discussed in public and was used in real-world attacks. It took several days for the developers to issue a proper security patch.
The vulnerability was exploited by the Linux worm Linux.Darlloz in 2013 to target Internet of Things (IoT) devices.
Software: PHP
Known/famous malware:
Linux.Darlloz
Links:
https://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
http://www.computerworld.com/article/2504068/malware-vulnerabilities/php-patches-actively-exploited-...
https://threatpost.com/php-group-set-release-another-patch-cve-2012-1823-flaw-050812/76537/
http://www.php.net/ChangeLog-5.php#5.4.2
https://www.trustwave.com/Resources/Library/Documents/2013-Trustwave-Global-Security-Report/?dl=1
http://www.php.net/archive/2012.php#id2012-05-03-1
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27798
https://www.symantec.com/connect/blogs/linux-worm-targeting-hidden-devices
http://www.primalsecurity.net/0xe-python-tutorials-use-case-cve-2012-1823/
http://eromang.zataz.com/2012/05/06/cve-2012-1823-php-cgi-argument-injection-metasploit-demo/
http://websec.ca/blog/view/detecting-and-exploiting-php-cgi
https://pen-testing.sans.org/blog/2012/06/04/tips-for-pen-testers-on-exploiting-the-php-remote-execu...
https://isc.sans.edu/diary/PHP+vulnerability+CVE-2012-1823+being+exploited+in+the+wild/13312#__utma=...
http://commandline.ninja/2012/05/08/php-updated-cve-2012-1823-cve-2012-2311/
https://bobcares.com/blog/php-cgi-severe-vulnerability-cve-2012-1823/
https://blog.cloudpassage.com/2013/10/31/cve-2012-1823-apache-php5-x-remote-code-execution-exploit/
https://www.symantec.com/security_response/writeup.jsp?docid=2013-112710-1612-99&tabid=2
http://www.pcworld.idg.com.au/article/424083/php_patches_actively_exploited_cgi_vulnerability/