On Tuesday, October 29th, 2013, exploit author Kingcope released exploit code targeting a known vulnerability in Apache and PHP that allowed for remote code execution under certain conditions. More information on the exploit, as well as the code, can be found at http://www.exploit-db.com/exploits/29290/.
Since Tuesday, other attack code variants have emerged, including one released by noptrix, which can be found at http://www.exploit-db.com/exploits/29316/.
According to Kingcope:
This is a code execution bug in the combination of Apache and PHP. On Debian and Ubuntu the vulnerability is present in the default install of the php5-cgi package.
When the php5-cgi package is installed on Debian and Ubuntu or php-cgi is installed manually the php-cgi binary is accessible under /cgi-bin/php5 and /cgi-bin/php. The vulnerability makes it possible to execute the binary because this binary has a security check enabled when installed with Apache http server and this security check is circumvented by the exploit.
To help users detect whether their current Apache and PHP installations are susceptible to this attack, the CloudPassage research team created the CVE-2012-1823 – Apache / PHP5.x Remote Code Execution Exploit configuration policy. Note that the following rules and checks can serve as an indicator of compromise (IOC). That said, a true positive on any single check is unlikely to be the sole indicator of vulnerability, but it should still be investigated.
System Configuration > Vulnerable PHP version possibly detected
Software Configuration > cgi.force_redirect
Software Configuration > cgi.redirect_status_env
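The three checks above, reimplemented as an added example for readers who want to see the logic in code; this is not the CloudPassage policy itself. It assumes a constructed php.ini-style sample, uses the fixed PHP versions for CVE-2012-1823 and its follow-up fix as thresholds, and its handling of cgi.redirect_status_env is an assumed interpretation of that check.

```python
import re

# Constructed sample of php-cgi settings, not taken from any real host.
SAMPLE_INI = """\
cgi.force_redirect = 0
cgi.redirect_status_env =
display_errors = Off
"""

# CVE-2012-1823 was fixed in PHP 5.3.12 / 5.4.2; the incomplete fix was
# completed in 5.3.13 / 5.4.3 (CVE-2012-2311), so flag anything below those.
FIXED = {(5, 3): (5, 3, 13), (5, 4): (5, 4, 3)}


def parse_version(text):
    """Turn '5.3.10-1ubuntu3' into (5, 3, 10); distro suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError("unrecognised PHP version: %r" % text)
    return tuple(int(x) for x in m.groups())


def version_possibly_vulnerable(version):
    """Version check only; distros backport fixes, so this is 'possibly', not proof."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return v < (5, 3, 13)  # older lines (5.2 and earlier) were never patched
    return v < fixed


def parse_ini(text):
    """Minimal key = value parser for php.ini-style output."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "#")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def check_cgi_settings(settings):
    """Findings for the two Software Configuration checks."""
    findings = []
    # PHP defaults cgi.force_redirect to 1; "" and 0/off/false all disable it.
    if settings.get("cgi.force_redirect", "1").lower() in ("", "0", "off", "false"):
        findings.append("cgi.force_redirect is disabled")
    # force_redirect relies on REDIRECT_STATUS (or the variable named here)
    # being set by the web server; a custom name must match the server config.
    env = settings.get("cgi.redirect_status_env", "")
    if env and env != "REDIRECT_STATUS":
        findings.append("cgi.redirect_status_env overrides the default: %s" % env)
    return findings
```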
To begin using the CVE-2012-1823 – Apache / PHP5.x Remote Code Execution Exploit configuration policy, download the cve-2012-1823-apache-php5-x-remote-code-execution-exploit.policy.json file to your local workstation, log into your CloudPassage Halo Portal account, and import the policy as a Configuration Policy.