Zero-day Vulnerability Database
Zero-day vulnerabilities discovered: 2
Remote code execution in PHP
CVE-2012-2376
Buffer overflow
The vulnerability allows a remote attacker to cause DoS conditions or execute arbitrary code on the target system.The weakness exists due to buffer overflow in the com_print_typeinfo function. A remote attacker can send a specially crafted arguments, trigger incorrect handling of COM object VARIANT types and cause the target application to crash or execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability results in denial of service or arbitrary code execution on the vulnerable system.
Note: the vulnerability was being actively exploited.
Bug with Variant type parsing was originally discovered by Condis. There is evidence this vulnerability was being exploited in the wild before official patch release.
Software: PHP
Known/fameous malware:
Trojan.Filecoder
Remote command injection in PHP
CVE-2012-2311
OS command injection
The vulnerability allows a remote attacker to execute arbitrary code on the target system.The weakness exists due to error when parsing QUERY_STRING parameters within PHP-CGI-based application (sapi/cgi/cgi_main.c). A remote attacker can send specially crafted HTTP request with query string, contain a %3D sequence but no = (equals sign) character, inject and execute arbitrary OS commands on vulnerable system with privileges of the web server.
Successful exploitation of the vulnerability results in denial of service or arbitrary code execution on the vulnerable system.
This vulnerability is a result of an incomplete fix for SB2012050301.
Note: the vulnerability was being actively exploited.
Also known as CVE-2012-1823.The patch for the original vulnerability CVE-2012-1823 was accidentally disclosed before the official release however did not fix the issue. The vulnerability became widely discussed in the public and used in real-world attacks. It took several days for the developers to issue a proper security patch.
The vulnerability was being exploited by Linux worm (Linux.Darlloz) in 2013 to target the Internet of things (IoT) devices.
Software: PHP
Known/fameous malware:
Linux.Darlloz
The vulnerability was being exploited by Linux worm (Linux.Darlloz) in 2013 to target the Internet of things (IoT) devices.
Links:
https://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
http://www.computerworld.com/article/2504068/malware-vulnerabilities/php-patches-actively-exploited-...
https://threatpost.com/php-group-set-release-another-patch-cve-2012-1823-flaw-050812/76537/
http://www.php.net/ChangeLog-5.php#5.4.2
https://www.trustwave.com/Resources/Library/Documents/2013-Trustwave-Global-Security-Report/?dl=1
http://www.php.net/archive/2012.php#id2012-05-03-1
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=27798
https://www.symantec.com/connect/blogs/linux-worm-targeting-hidden-devices
http://www.primalsecurity.net/0xe-python-tutorials-use-case-cve-2012-1823/
http://eromang.zataz.com/2012/05/06/cve-2012-1823-php-cgi-argument-injection-metasploit-demo/
http://websec.ca/blog/view/detecting-and-exploiting-php-cgi
https://pen-testing.sans.org/blog/2012/06/04/tips-for-pen-testers-on-exploiting-the-php-remote-execu...
https://isc.sans.edu/diary/PHP+vulnerability+CVE-2012-1823+being+exploited+in+the+wild/13312#__utma=...
http://commandline.ninja/2012/05/08/php-updated-cve-2012-1823-cve-2012-2311/
https://bobcares.com/blog/php-cgi-severe-vulnerability-cve-2012-1823/
https://blog.cloudpassage.com/2013/10/31/cve-2012-1823-apache-php5-x-remote-code-execution-exploit/
https://www.symantec.com/security_response/writeup.jsp?docid=2013-112710-1612-99&tabid=2
http://www.pcworld.idg.com.au/article/424083/php_patches_actively_exploited_cgi_vulnerability/