On Tuesday, October 29th, 2013, exploit author Kingcope released exploit code targeting a known vulnerability in Apache and PHP that allowed for remote code execution under certain conditions. More information on the exploit, as well as the code, can be found at http://www.exploit-db.com/exploits/29290/.
Since Tuesday, other attack code variants have emerged, including one released by noptrix, which can be found at http://www.exploit-db.com/exploits/29316/.
According to Kingcope:
This is a code execution bug in the combination of Apache and PHP. On Debian and Ubuntu the vulnerability is present in the default install of the php5-cgi package.
When the php5-cgi package is installed on Debian and Ubuntu or php-cgi is installed manually the php-cgi binary is accessible under /cgi-bin/php5 and /cgi-bin/php. The vulnerability makes it possible to execute the binary because this binary has a security check enabled when installed with Apache http server and this security check is circumvented by the exploit.
Detecting the Exposure with CloudPassage Halo
To help users detect whether their current Apache and PHP installations are susceptible to this attack, the CloudPassage research team created the CVE-2012-1823 – Apache / PHP5.x Remote Code Execution Exploit configuration policy. It should be noted that the following rules and checks could serve as a potential indicator of compromise (IOC). That said, a true positive on any single check is unlikely to establish vulnerability on its own, but it should still be investigated.
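As an added example (not part of the CloudPassage policy itself), the following shell script performs the kind of host-side exposure check described above: it looks for the Apache ScriptAlias that maps /cgi-bin/ to a filesystem directory and then for a php-cgi binary inside that directory. It assumes the Debian/Ubuntu layout (Apache config under /etc/apache2, the binary installed as php5 or php in the CGI directory); the config and CGI directory are passed in as parameters so the checks can be run against any host or a test fixture.

```shell
#!/bin/sh
# Added example: check a Debian/Ubuntu host for a php-cgi binary reachable
# through Apache's /cgi-bin/ (the exposure described in the quote above).
# Assumptions: Apache maps /cgi-bin/ via a ScriptAlias directive, and the
# php5-cgi package installs the binary as php5 or php inside that directory.

# Print the filesystem directory that "ScriptAlias /cgi-bin/" points at.
# $1: Apache configuration directory to search (e.g. /etc/apache2)
cgi_bin_dir() {
    grep -rhE '^[[:space:]]*ScriptAlias[[:space:]]+/cgi-bin/' "$1" 2>/dev/null \
        | awk '{print $3}' | head -n 1
}

# Print every executable php-cgi binary found under the CGI directory.
# $1: CGI directory. Returns 0 when at least one is exposed, 1 otherwise.
exposed_php_cgi() {
    dir=$1
    found=1
    for name in php5 php php-cgi php5-cgi; do
        if [ -x "$dir/$name" ]; then
            echo "EXPOSED: $dir/$name"
            found=0
        fi
    done
    return $found
}

# Combine both checks. $1: Apache config directory.
# Returns 0 when php-cgi is exposed via /cgi-bin/, 1 when it is not.
check_exposure() {
    cgidir=$(cgi_bin_dir "$1")
    if [ -z "$cgidir" ]; then
        echo "no ScriptAlias /cgi-bin/ found in $1"
        return 1
    fi
    exposed_php_cgi "$cgidir"
}

# Usage on a live host: check_exposure /etc/apache2
```

A hit means the binary is reachable over HTTP and the host should be treated as a candidate for the policy's remaining checks, not as confirmed vulnerable.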