Skip to main content
Purpleshift
  1. Active Vulnerability List/
  2. 2024/

CVE-2024-4577 | PHP | RCE

VulnerabilityCVE-2024-4577
TypeRemote Code Execution PoC
DescriptionCVE-2024-4577 is a critical PHP vulnerability affecting Windows installations in CGI mode, specifically under Chinese and Japanese locales. The vulnerability arises from improper handling of Unicode characters, allowing command injection through a ‘soft hyphen’ (0xAD) that is interpreted as a regular hyphen by PHP, enabling remote code execution.
The Impact of the BugThis vulnerability affects all versions of PHP installed on the Windows operating system and can be exploited to execute arbitrary code on the affected server.

Impact:
  • Arbitrary Code Execution: By exploiting this vulnerability, an unauthenticated attacker can execute arbitrary code on the remote PHP server. This could lead to full system compromise, allowing the attacker to execute commands, alter data, and control the server.
  • Bypassing Previous Protections: The vulnerability allows attackers to bypass protections put in place for CVE-2012-1823, making systems that were previously thought to be secure vulnerable again.
Root Cause The vulnerability arises from the improper handling of special characters in URLs by the PHP CGI component, specifically in environments where the best-fit feature of encoding conversion within the Windows operating system is used. This oversight allows attackers to bypass existing protections and inject malicious arguments.
How to detect if you have a vulnerable application to this attack vector?Detection: To determine if your application is vulnerable or if it has been exploited:
  • Monitor Logs: Check for unusual patterns in web server logs, particularly requests with suspicious or unusual URL parameters.
  • Update and Patch: Ensure that your PHP version is up-to-date and that all patches related to CGI argument handling have been applied.
  • Configuration Review: Review and harden the configuration of PHP CGI, ensuring that unnecessary features are disabled and input validation is enforced.
  • Web Application Firewalls: Implement WAF rules to detect and block attempts to exploit this vulnerability.
ExploitationAttackers can inject arguments like post method to gain control:
http://www.victim.com/a.php?-d allow_url_include=1 -d auto_prepend_file=php://input
http body : <?php system('calc')?>
Referenceshttps://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/
https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/
https://github.com/watchtowrlabs/CVE-2024-4577
https://m.blog.naver.com/information_schema/223474001322