
Detect PHP-CGI Remote Execution Exploit CVE-2012-1823

Gents:

I believe I have a signature worked out for the nasty PHP-CGI bug.  (CVE-2012-1823)

The vulnerability is executed by using arguments in the URL of PHP scripts.  (Example:  http://www.facebook.com/?-s     would show you the source code if it was vulnerable.  Facebook has since fixed it and planted a nice easter egg.)

Cisco has not released an official signature for this yet.  This is a custom signature of my own device and I make no claims or warranty of its fitness.

Start by creating a custom sig:

Signature Type = Vulnerability

Engine Type = Service HTTP

Specify Request Regex = Yes

Request Regex = [\?][\-][acndefhilmrBRFEHTsvwz]

Service Ports = 80       (*note that HTTPS URLs are encrypted and you won't get any hits by enabling 443)

Set Severity to high and tell it to produce an alert.

Next create an event action filter to remove the produce alert action for threats triggered leaving your network.  (We only care about our PHP installations, not everyone else's.)  Watch it for a few days; if you have no false positives, set it up to drop packets.

Good Luck.  Let me know if anyone sees a flaw in this signature design.

Thanks,

Tom T.


Hey Tom,

Thank you for letting us know about the custom signature, we appreciate the input. I have added this CVE to our system to be addressed as soon as possible.

The signature you listed makes sense, however it seems to me that the regular expression might be a little loose for use on some busy networks.

Currently it is looking for three characters anywhere in the request.

I would probably move the request regex to the URI Regex field. I would also add the trailing "/" to the regex to tighten it a little more. We could also move the signature to the #WEBPORTS service-ports variable, to cover ports 8080, 8000, etc.

Before we release signatures we perform rigorous false positive testing, however, so we will need to take our own signature through this process before you see it in the signature package.

Thanks again for your suggestion.

Regards

Neil Archibald

Cisco IPS Signature Team
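
An offline comparison of the two matching scopes discussed in this thread, added here as an example and not part of either post or of Cisco's signature package. Python's `re` stands in for the IPS regex engine, and the request strings, hostnames and function names are constructed for illustration.

```python
import re

# Pattern exactly as posted in the thread (basic character classes only,
# so Python's re is assumed to behave like the IPS engine here).
POSTED = re.compile(r"[\?][\-][acndefhilmrBRFEHTsvwz]")

def request_uri(raw):
    """Return the URI from the request line of a raw HTTP request."""
    parts = raw.split("\r\n", 1)[0].split(" ")
    return parts[1] if len(parts) >= 2 else ""

def match_whole_request(raw):
    """Request Regex scope: the pattern may hit in URI, headers or body."""
    return POSTED.search(raw) is not None

def match_uri_only(raw):
    """URI Regex scope suggested in the reply: only the URI is inspected."""
    return POSTED.search(request_uri(raw)) is not None

# Constructed sample requests (illustrative, not captured traffic).
SAMPLES = {
    "php_cgi_switch": "GET /index.php?-s HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "normal_query": "GET /index.php?id=7 HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "referer_only": ("GET /img/logo.png HTTP/1.1\r\nHost: www.example.com\r\n"
                     "Referer: http://search.example.net/?-sale\r\n\r\n"),
    "post_body": ("POST /form.php HTTP/1.1\r\nHost: www.example.com\r\n"
                  "Content-Length: 13\r\n\r\nq=what?-maybe"),
    "benign_dash_query": "GET /shop.php?-sale=1 HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}

def evaluate(samples=SAMPLES):
    """Map sample name -> (whole_request_hit, uri_only_hit)."""
    return {name: (match_whole_request(raw), match_uri_only(raw))
            for name, raw in samples.items()}

if __name__ == "__main__":
    for name, (whole, uri) in evaluate().items():
        print(f"{name:18} whole-request={whole!s:5} uri-only={uri!s:5}")
```

The `benign_dash_query` sample still matches under both scopes, which is the kind of hit the alert-only monitoring period in the first post is meant to surface before enabling packet drops.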
