CVE-2024-4577: PHP argument injection on Windows
Celia Catalán.png)
On June 6, Orange Tsai revealed a new vulnerability that affected PHP, affecting all versions of PHP for Windows (PHP in CGI mode in particular in languages: Chinese and Japanese), including default installations on servers. XAMPP.
The root of the problem lies in poor character processing by the CGI engine (similar to the 12-year-old vulnerability CVE-2012-1823). This engine interprets (0xAD) and decodes it as a “soft script”, which PHP will convert into a “real script” thanks to the “best fit” mapping function, thus allowing a malicious agent to be used to execute arbitrary code
Affected versions
This vulnerability has been rated according to CVSS 3.1 metrics as 9.8 critical according to NIST, and the affected versions are:
- PHP 8.3 <8.3.8
- PHP 8.2 < 8.2.20
- PHP 8.1 <8.1.29
Explotation
To exploit this vulnerability, certain characteristics are necessary on the victim machine:
- The PHP software must be configured in CGI mode.
- Exploitation is possible if the php.exe or php-cgi.exe binaries are exposed (all default installations in XAMPP for Windows).
- The operating system must be Windows.
Because this vulnerability is very similar to the aforementioned CVE-2012-1823, exploitation techniques can be used. To do this, according to these techniques, to translate the injection into RCE, you should try to inject the following arguments:
This will allow the input of the HTTP request body and process it using PHP. An example request was created by adding the “soft script” instead of the “real script”, and in the body of the request a php code was added that allowed the phpinfo page to be seen, demonstrating that the RCE was achieved.
As you can see in the screenshots, code has been executed by injecting arguments into the request. This represents a serious problem because a malicious agent could use this vulnerability to control any machine affected by this CVE, affecting its confidentiality, integrity and availability.
Vulnerability identification and mitigation
To identify the vulnerability in the systems, it can be done by inspecting the PHP version.
To mitigate the vulnerability, the PHP software must mainly be updated to the new patched versions:
- 8.3.8
- 8.2.20
- 8.1.29
It is very important to apply the latest update as malicious actors are currently using TellYouThePass ransomware to actively exploit it.
Javier Muñoz, Cybersecurity Analyst at Zerolynx
