Governance & Risk Management
,
Patch Management
,
Vulnerability Assessment & Penetration Testing (VA/PT)
Remote Code Execution Exploit Found; Patch Now Available
Server administrators should take immediate action to patch a critical remote code execution vulnerability in PHP for Windows, affecting all releases since version 5.x and posing a widespread threat.
See Also: 4 Steps to Prove the Value of Your Vulnerability Management Program
Researchers at DEVCORE discovered the flaw, identified as CVE-2024-4577, during its continuous offensive research. The vulnerability allows unauthenticated attackers to bypass protections related to CVE-2012-1823 by exploiting specific character sequences.
This flaw in the Best-Fit feature of Windows’ encoding conversion enables attackers to execute arbitrary code on remote PHP servers through an argument injection attack.
The affected PHP versions are:
- PHP 8.3 < 8.3.8
- PHP 8.2 < 8.2.20
- PHP 8.1 < 8.1.29
Researchers warned that the older branches of PHP, including 8.0, 7 and 5, which are no longer supported, are also affected. DEVCORE advises server administrators to evaluate their systems and immediately implement the recommended patches.
Servers running PHP on Windows in Traditional Chinese (Code Page 950), Simplified Chinese (Code Page 936), and Japanese (Code Page 932) are particularly vulnerable.
The advisory said Windows servers in English, Korean and Western European can be exploited, and administrators should conduct thorough assessments and apply updates.
Researchers illustrated two scenarios of how this vulnerability can be exploited: running PHP under CGI mode or by exposing the PHP binary.
For running PHP under CGI mode: Configurations that map HTTP requests to a PHP-CGI executable binary in the Apache HTTP Server are directly susceptible. This includes setups involving directives such as AddHandler cgi-script .php and SetHandler application/x-httpd-php-cgi.
In such configurations, the vulnerability allows attackers to exploit the PHP-CGI executable directly, potentially leading to arbitrary code execution on the server.
Attackers can manipulate the HTTP requests to inject malicious code into the PHP interpreter, taking advantage of the vulnerability in Windows’ encoding conversion.
In the second scenario, by exposing the PHP binary: Default configurations in XAMPP for Windows, where the PHP executable binary is exposed, are inherently vulnerable. Typical scenarios include copying php.exe or php-cgi.exe to the /cgi-bin/ directory or exposing the PHP directory via the ScriptAlias directive.
In these scenarios, if the PHP executable is accessible and vulnerable, attackers can craft HTTP requests to execute arbitrary code through the PHP interpreter. This method exploits the oversight in Windows’ encoding conversion within PHP, allowing unauthorized code execution on the server.
DEVCORE researchers advise upgrading to the latest PHP versions: 8.3.8, 8.2.20, and 8.1.29 to mitigate this vulnerability. For systems that cannot be upgraded, temporary mitigation measures include implementing specific ‘Rewrite Rules’ to block attack vectors in affected locales.
The XAMPP users should disable the PHP-CGI feature if it is not required. This can be done by commenting out the ScriptAlias line in the httpd-xampp.conf configuration file.
DEVCORE reported the issue to PHP developers on May 7 and PHP developers confirmed the vulnerability and prioritized a fix. They released multiple versions of the fix and updated the final patched versions on June 6.