Friday, February 28, 2025

PHP-CGI OS Command Injection Vulnerability


Introduction

Recently, researchers from DEVCORE disclosed a simple yet critical remote code execution vulnerability in PHP, tracked as CVE-2024-4577. It affects PHP on the Windows operating system when PHP runs in CGI (Common Gateway Interface) mode, or when the PHP executables (e.g., php.exe or php-cgi.exe) sit in a directory the web server exposes. By default, all XAMPP installations on Windows are vulnerable. Patched releases are PHP 8.3.8, 8.2.20 and 8.1.29; every earlier release of those branches is affected, and end-of-life branches (8.0, 7.x and 5.x) receive no fix at all.

The flaw comes from character-encoding conversion, specifically the Best-Fit behaviour of Windows, which takes effect when PHP runs in CGI mode. At the time of writing, Windows systems running the Traditional Chinese, Simplified Chinese, and Japanese locales are confirmed vulnerable; other locales have not been ruled out.

Because it is so easy to exploit, it has been actively exploited in the wild since its public disclosure in early June 2024. The flaw has been used to deploy various malware families, including the remote access trojan Gh0st RAT, the DDoS botnet Muhstik, and cryptocurrency miners such as RedTail and XMRig.

PHP (Hypertext Preprocessor) is a widely used open-source general-purpose scripting language for web development, popular among developers for building websites quickly because it integrates easily with HTML and with databases such as MySQL. This vulnerability poses a significant threat because PHP and XAMPP are so widely deployed, because exploitation is straightforward and yields remote code execution (RCE), and because proof-of-concept (PoC) code is readily available.

Given its high severity and its impact on confidentiality, integrity, and availability, it has been assigned a critical CVSS base score of 9.8. The vulnerability is also listed in the CISA KEV (Known Exploited Vulnerabilities) catalog.

Understanding the Vulnerability

CVE-2024-4577 is caused by improper handling of character-encoding conversion when PHP runs in CGI mode. In that mode the web server does not load PHP as a module; it starts php-cgi.exe as a separate process for each request, hands it the request through environment variables such as QUERY_STRING, and, following the CGI specification, passes a query string that contains no '=' character to the program as command-line arguments.

The bug hinges on Windows Best-Fit mapping: when Windows converts a Unicode string into a locale's ANSI code page and a character has no exact equivalent, it substitutes the closest character the code page does have. The mapping that matters here is Soft Hyphen (U+00AD, byte 0xAD) to the ordinary hyphen-minus (0x2D), which PHP's option parser treats as the start of a command-line option.

Interestingly, this vulnerability is a recurrence of CVE-2012-1823, an argument injection bug that was patched over a decade ago.

That patch lives in php-cgi, not in Apache: when the query string contains no '=' (and so has been passed in as argv), php-cgi URL-decodes it and declines to parse it as options if it starts with a real hyphen (0x2D). A soft hyphen (0xAD) is a different byte, so the check does not fire. The argument strings themselves, however, pass through Windows' encoding conversion on their way into the process, and in the affected code pages Best-Fit rewrites 0xAD as 0x2D, so the option parser sees a genuine '-'. This discrepancy lets an attacker smuggle extra command-line options into the PHP process, resulting in remote code execution (RCE) and letting the attacker run arbitrary commands on the server.

To achieve RCE, the following arguments are injected into the query string of an HTTP POST request:


The HTTP query string gets decoded as:


As in the CVE-2012-1823 exploit, the injected arguments use the -d flag, which sets a php.ini configuration directive from the command line:


Table 1: Exploit arguments

With those directives in place, the payload placed in the body of the HTTP request is executed.

The vulnerability is remarkably simple to exploit: a crafted HTTP request whose query string uses the soft hyphen gets past the hyphen check and delivers arbitrary command-line options to the PHP interpreter. It is particularly dangerous because it affects every version of PHP on Windows when CGI mode is in use or when the PHP executables are reachable through the web server.
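The following is an added example, not code from the original post, from DEVCORE or from watchTowr. It is a pure-Python model of the two parsing steps described above: the hyphen check that php-cgi gained with the CVE-2012-1823 fix, and the Windows Best-Fit conversion that rewrites the soft hyphen afterwards. The check is simplified to "decoded query string starts with a real hyphen" (PHP's real code has further conditions), the Best-Fit table is reduced to the single entry the bug needs, and the php.ini directive used as sample input (display_errors) is a stand-in chosen for the example, not the directives from the exploit. The encoder at the end shows how an option list is turned into the %AD-prefixed, '='-free query string the post describes.

```python
"""Model of the CVE-2024-4577 bypass: how a soft hyphen gets past the
hyphen check from the CVE-2012-1823 fix and still reaches getopt as '-'.
Assumed/simplified: the check, the Best-Fit table and the sample directive.
Nothing here talks to a server; it models the parsing logic only."""
from typing import List
from urllib.parse import quote, unquote_to_bytes

# Minimal Best-Fit table (assumption): only the mapping this bug relies on.
# Real code pages 932/936/950 carry many more best-fit substitutions.
BEST_FIT = {0xAD: 0x2D}  # U+00AD SOFT HYPHEN -> U+002D HYPHEN-MINUS


def cgi_argv_from_query(query_string: str) -> List[bytes]:
    """CGI rule used by Apache: a query string without '=' is split on '+'
    and each piece is URL-decoded into one command-line argument.
    A query string containing '=' yields no argv at all."""
    if "=" in query_string:
        return []
    return [unquote_to_bytes(piece) for piece in query_string.split("+")]


def php_2012_check_skips_getopt(query_string: str) -> bool:
    """Simplified model of the CVE-2012-1823 fix in php-cgi: if the
    '='-free query string URL-decodes to something starting with a real
    hyphen, option parsing is skipped.  The comparison is on raw bytes,
    so 0xAD (soft hyphen) is not '-' here."""
    if "=" in query_string:
        return False
    return unquote_to_bytes(query_string)[:1] == b"-"


def best_fit_ansi(arg: bytes) -> bytes:
    """Model of the Windows conversion of argv into the ANSI code page:
    every byte with a Best-Fit entry is replaced by its substitute."""
    return bytes(BEST_FIT.get(b, b) for b in arg)


def options_seen_by_getopt(query_string: str) -> List[bytes]:
    """Arguments php-cgi's option parser would actually receive: nothing if
    the 2012 check fired, otherwise the Best-Fit-converted CGI argv."""
    if php_2012_check_skips_getopt(query_string):
        return []
    return [best_fit_ansi(a) for a in cgi_argv_from_query(query_string)]


def encode_args_with_soft_hyphen(args: List[str]) -> str:
    """Build the query string for a list of php-cgi arguments: a leading
    '-' becomes the single byte 0xAD (%AD), and '=' inside values is
    percent-encoded so the query string stays '='-free for Apache."""
    pieces = []
    for arg in args:
        if arg.startswith("-"):
            arg = "\xad" + arg[1:]
        pieces.append(quote(arg.encode("latin-1"), safe=""))
    return "+".join(pieces)


if __name__ == "__main__":
    real = "-d+display_errors%3D1"                       # 2012-style request
    soft = encode_args_with_soft_hyphen(["-d", "display_errors=1"])
    for qs in (real, soft):
        print(qs, "-> check skips getopt:",
              php_2012_check_skips_getopt(qs),
              "| getopt sees:", options_seen_by_getopt(qs))
```

The real-hyphen form is stopped by the check, while the %AD form passes it and, after Best-Fit, arrives at the option parser as `-d display_errors=1`. Replacing the sample directive with the ones listed in Table 1 yields the request shape the post demonstrates.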

Vulnerable Environment Setup

  • First, we need a Windows host to run a PHP-based HTTP server. For this we deployed Windows Server 2019.
  • Next, we change the system locale to one of the affected languages (Traditional Chinese, Simplified Chinese, or Japanese). Only in these locales' code pages does the Windows Best-Fit conversion turn the soft hyphen into a hyphen, which the exploit depends on. We used Simplified Chinese.



Figure 1: Setting system locale

  • For exploitation, we need an HTTP server that can be configured to use PHP. For demonstration purposes we used ApacheFriends XAMPP 8.2.12 for Windows (available from apachefriends.org), which ships with a vulnerable PHP version by default.

XAMPP is a cross-platform web server solution based on Apache HTTP Server, MariaDB database server, and script interpreters PHP and Perl.

  • To make the Apache HTTP server use the PHP-CGI binary, a few lines must be added to httpd-xampp.conf, whose location is shown in Figure 2:


Figure 2: Locating httpd-xampp.conf

  • Uncomment or add the following lines in httpd-xampp.conf:


Figure 3: Contents to be added to enable CGI mode

  • Lastly, copy php-cgi.exe from the php directory into the cgi-bin directory under the xampp folder, then start the Apache service from the XAMPP Control Panel.
  • The machine is now configured to be vulnerable to CVE-2024-4577.
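The setup above enables two things a defender can look for in an Apache configuration: .php requests handed to php-cgi.exe, and the PHP installation directory (or a copy of php-cgi.exe) served from a web-accessible path. The following is an added example, not part of the original post or of XAMPP, that audits a configuration for those conditions. The configuration text inside it is constructed for the example; Action, SetHandler and ScriptAlias are standard Apache directives, but the exact lines shown in Figure 3 are not reproduced here. The code-page table lists the three locales the post names as confirmed; other code pages are simply unconfirmed, not known safe.

```python
"""Audit an Apache/XAMPP configuration for CVE-2024-4577 exposure.
Added example; the sample config is constructed and assumed to resemble the
kind of CGI block the post enables, not a copy of XAMPP's shipped file."""
import re
from typing import Iterator, List

# Constructed sample httpd-xampp.conf fragment (assumption, not XAMPP's file).
SAMPLE_HTTPD_XAMPP_CONF = """\
# PHP-CGI setup (constructed sample)
<FilesMatch "\\.php$">
    SetHandler application/x-httpd-php-cgi
</FilesMatch>
<IfModule actions_module>
    Action application/x-httpd-php-cgi "/cgi-bin/php-cgi.exe"
</IfModule>

ScriptAlias /php-cgi/ "C:/xampp/php/"
<Directory "C:/xampp/php">
    Require all denied
    <Files "php-cgi.exe">
        Require all granted
    </Files>
</Directory>
"""

# ANSI code pages of the locales the post names as confirmed affected.
CONFIRMED_CODE_PAGES = {
    932: "Japanese (Shift-JIS)",
    936: "Simplified Chinese (GBK)",
    950: "Traditional Chinese (Big5)",
}


def active_lines(conf: str) -> Iterator[str]:
    """Yield directive lines with comments and blank lines removed.
    Simplification: a '#' inside a quoted value also truncates the line."""
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def cgi_exposure_findings(conf: str) -> List[str]:
    """Return one human-readable finding per directive that either routes
    PHP requests to a CGI binary or exposes the PHP install directory."""
    findings = []
    for line in active_lines(conf):
        low = line.lower()
        if low.startswith("sethandler") and "php-cgi" in low:
            findings.append("PHP requests handled as CGI: " + line)
        elif low.startswith("action") and "php-cgi" in low:
            findings.append("Action maps PHP to a CGI binary: " + line)
        elif low.startswith("scriptalias") and re.search(r'/php/?"?\s*$', line):
            findings.append("PHP install directory served as CGI: " + line)
    return findings


def host_is_in_scope(findings: List[str], ansi_code_page: int) -> bool:
    """True when CGI exposure exists and the host's ANSI code page is one
    the post lists as confirmed affected.  A False result for another
    code page means 'unconfirmed', not 'safe'."""
    return bool(findings) and ansi_code_page in CONFIRMED_CODE_PAGES


if __name__ == "__main__":
    found = cgi_exposure_findings(SAMPLE_HTTPD_XAMPP_CONF)
    for f in found:
        print(f)
    print("in scope on code page 936:", host_is_in_scope(found, 936))
```

The ANSI code page of a live Windows host can be read from the registry value HKLM\SYSTEM\CurrentControlSet\Control\Nls\CodePage\ACP and passed to `host_is_in_scope`; the audit itself only needs the configuration text.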

Attack in action

Sending the exploit

To demonstrate the exploit, we referenced a Proof of Concept (PoC) from watchTowr.

We used the following curl command to exploit:


We ran the above curl command from a separate Ubuntu machine on the same network to send the malicious HTTP request. The --data flag supplies the request body, which carries the payload to run on the victim server; in this case it launches the calculator.

Traffic over the wire

While sending the payload, we captured the traffic with Wireshark to inspect the actual HTTP request. The screenshot below shows the request as captured. The query string visibly uses the soft hyphen (%AD in URL-encoded form) instead of a real hyphen, which is what lets the request get past the check added by the earlier patch.


Figure 4: Wireshark capture of the Malicious Request Sent

Exploit Verification

Upon running the PoC, a calculator window opens as intended. This demonstrates that an unauthenticated attacker could use this exploit to achieve remote code execution.


Figure 5: Successful Execution of Exploit Demonstrated by Opened Calculator

Honeypot Exploit Detection

We observed exploit attempts targeting this PHP vulnerability on our honeypot network, indicating active and widespread usage of this vulnerability by attackers.


Figure 6: Exploit Attempts Detected for CVE-2024-4577 from ATI’s Honeypot


Figure 7: Raw Payload request from Honeypot
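The following is an added example, not part of the original post or of the ATI honeypot tooling: detection logic for attempts like the ones above, run over constructed Apache access-log lines. It applies the two facts the post relies on: Apache only turns a query string into CGI argv when the string contains no '=', and the attacker's option prefix is the soft hyphen (%AD) rather than a real '-'. Plain-hyphen attempts (the 2012-style form) are reported as well, so both generations of the bug surface. The log lines, addresses and directives are constructed for the example.

```python
"""Scan Apache combined-format access logs for CVE-2024-4577 (soft hyphen)
and CVE-2012-1823-style (plain hyphen) php-cgi argument injection attempts.
Added example; SAMPLE_LOG is constructed, not real honeypot data."""
import re
from typing import Dict, List
from urllib.parse import unquote_to_bytes

# Constructed sample log lines (assumption: standard combined log format).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2024:03:12:44 +0000] "POST /php-cgi/php-cgi.exe'
    '?%ADd+display_errors%3D1 HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '192.0.2.10 - - [10/Jun/2024:03:13:01 +0000] "GET /index.php?id=1 HTTP/1.1"'
    ' 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jun/2024:03:14:27 +0000] "GET /index.php?-s HTTP/1.1"'
    ' 200 731 "-" "python-requests/2.31"',
    '192.0.2.11 - - [10/Jun/2024:03:15:09 +0000] "GET / HTTP/1.1"'
    ' 200 128 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def cgi_option_pieces(query: str) -> List[str]:
    """Pieces of an '='-free query string that php-cgi would receive as
    options.  Each '+'-separated piece is URL-decoded to raw bytes so that
    %AD is compared as the byte 0xAD and %2D as '-', whatever the case of
    the hex digits in the log."""
    if "=" in query:
        return []                       # Apache passes no argv for this request
    return [p for p in query.split("+")
            if unquote_to_bytes(p)[:1] in (b"\xad", b"-")]


def scan_access_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per request whose query string would be turned
    into php-cgi options, tagging soft-hyphen and plain-hyphen variants."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                    # not a parseable request line
        path, _, query = m.group("target").partition("?")
        pieces = cgi_option_pieces(query)
        if not pieces:
            continue
        soft = any(unquote_to_bytes(p)[:1] == b"\xad" for p in pieces)
        findings.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "method": m.group("method"),
            "path": path,
            "options": pieces,
            "soft_hyphen": soft,
            "rule": ("CVE-2024-4577 (soft hyphen)" if soft
                     else "CVE-2012-1823-style (plain hyphen)"),
        })
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Only requests whose query string contains no '=' are examined, which mirrors the condition under which Apache builds CGI argv and keeps ordinary `?id=1` traffic out of the results. Matching on the decoded first byte rather than on the literal text `%AD` also catches lowercase `%ad` and the double-encoded forms that decode to the same byte.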

LEVERAGE SUBSCRIPTION SERVICE TO STAY AHEAD OF ATTACKS

Keysight's Application and Threat Intelligence (ATI) Subscription provides daily malware updates and bi-weekly updates of the latest application protocols and vulnerabilities for use with Keysight test platforms. The ATI Research Center continuously monitors threats as they appear in the wild and has released a strike for this CVE as part of BreakingPoint System's update 2024-13. More information is available here.

The following screenshot shows this CVE as a strike in BreakingPoint System:


References

  1. https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/
  2. https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/
  3. https://www.akamai.com/blog/security-research/2024-php-exploit-cve-one-day-after-disclosure#attempts
  4. https://github.com/watchtowrlabs/CVE-2024-4577
  5. https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-ucoderef/d1980631-6401-428e-a49d-d71394be7da8


