PHP resolved crucial Remote Code Execution (RCE) issue potentially impacting countless servers

PHP addressed significant RCE vulnerability that could affect millions of servers

Pierluigi Paganini
June 09, 2024

A newly disclosed PHP bug on Windows that allows remote code execution (RCE) affects version 5.x and older editions, potentially impacting servers around the world.

A critical remote code execution (RCE) vulnerability, tracked as CVE-2024-4577, in the PHP programming language was recently discovered by researchers at the cybersecurity firm DEVCORE. An unauthenticated attacker could exploit this flaw to take complete control of affected servers.

PHP is a frequently used open-source scripting language for web development.

DEVCORE’s advisory explains that, while implementing PHP, the team overlooked the Best-Fit feature of encoding conversion in the Windows operating system. This oversight lets unauthenticated attackers bypass the earlier protection added for CVE-2012-1823 by using specific character sequences, enabling arbitrary code execution on remote PHP servers through an argument injection attack.

The PHP development team was notified of the vulnerability CVE-2024-4577 by Devcore researcher Orange Tsai on May 7, 2024. Subsequently, they released a version addressing the issue on June 6, 2024.

The flaw stems from the Best-Fit feature of encoding conversion in the Windows operating system, which lets attackers bypass the protections for the earlier vulnerability CVE-2012-1823 by using particular character sequences. As a result, malicious actors can execute arbitrary code on remote PHP servers through an argument injection attack and take control of vulnerable servers.

Following the disclosure of the vulnerability and the public availability of a Proof of Concept (PoC) exploit code, multiple threat actors are attempting to exploit it, as reported by Shadowserver and GreyNoise researchers.

Shadowserver researchers noted multiple IPs probing PHP/PHP-CGI CVE-2024-4577 (Argument Injection Vulnerability) against their honeypot sensors since June 7th.

GreyNoise researchers also reported exploitation attempts targeting CVE-2024-4577.

“It has been confirmed that unauthorized attackers can directly execute arbitrary code on remote servers when Windows is running in specific locales:

  • Traditional Chinese (Code Page 950)
  • Simplified Chinese (Code Page 936)
  • Japanese (Code Page 932)”

The advisory further states, “Although exploitation scenarios for locales like English, Korean, and Western European are currently challenging to enumerate due to the diverse uses of PHP, users are advised to assess their assets thoroughly, verify their usage scenarios, and update PHP to the latest version for enhanced security.”

XAMPP users are exposed because of a default configuration that publishes the PHP CGI binary. Although XAMPP has not yet issued an update for this vulnerability, DEVCORE has provided instructions to mitigate the risk of attacks.

Experts recommend that system administrators who cannot upgrade, and users of End of Life (EoL) versions, implement a mod_rewrite rule to block attacks:

RewriteEngine On
# Match any request whose query string begins with %ad (case-insensitive)
RewriteCond %{QUERY_STRING} ^%ad [NC]
# Reject it with 403 Forbidden and stop processing further rules
RewriteRule .? - [F,L]

XAMPP users should locate the ‘ScriptAlias’ directive in the Apache configuration file (C:/xampp/apache/conf/extra/httpd-xampp.conf) and disable it.
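As an added example (not part of this article or of DEVCORE's advisory), the following Python script applies the same condition as the mod_rewrite rule above to Apache access-log lines, so a defender can check existing logs for requests the rule would have blocked. The log format, the sample lines and the function names are assumptions constructed for this example.

```python
import re

# Apache "combined" access-log format (assumed layout, enough fields for this check).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Same condition as the advisory's rule: RewriteCond %{QUERY_STRING} ^%ad [NC]
QUERY_RE = re.compile(r'^%ad', re.IGNORECASE)


def is_suspicious(target: str) -> bool:
    """True when the request target carries a query string that starts with %ad
    (case-insensitive), i.e. exactly what the recommended RewriteCond would block."""
    _, sep, query = target.partition("?")
    return bool(sep) and QUERY_RE.match(query) is not None


def scan_log(lines):
    """Return (ip, method, target) for every parseable line matching the condition."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        if is_suspicious(m.group("target")):
            hits.append((m.group("ip"), m.group("method"), m.group("target")))
    return hits


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Jun/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Jun/2024:10:01:05 +0000] "POST /php-cgi/php-cgi.exe?%ADconstructed HTTP/1.1" 200 88 "-" "curl/8.0"',
    '198.51.100.7 - - [08/Jun/2024:10:01:07 +0000] "GET /cgi-bin/php-cgi.exe?%adconstructed HTTP/1.1" 403 199 "-" "curl/8.0"',
    '203.0.113.4 - - [08/Jun/2024:10:02:00 +0000] "GET /page.php?id=%AD HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, method, target in scan_log(SAMPLE_LOG):
        print(f"matching request from {ip}: {method} {target}")
```

Note that, like the rewrite rule, this only matches a query string that begins with %ad (the fourth sample line is not flagged), so it is a narrow stopgap rather than a substitute for upgrading.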

“All users are strongly encouraged to upgrade to the latest PHP versions such as 8.3.8, 8.2.20, and 8.1.29,” concludes the advisory. “Nevertheless, due to the outdated and problematic nature of PHP CGI, users should consider transitioning to a more secure architecture like Mod-PHP, FastCGI, or PHP-FPM.”
