Analyzing CVE-2024-4577
this is a deep-dive into the PHP CGI RCE vulnerability.
Introduction
Security in the digital environment is more important than ever. That said, imagine an invisible door opens on millions of websites due to a new vulnerability in PHP, one of the most used programming languages on the web. This vulnerability, known as CVE-2024-4577, allows remote attackers to execute arbitrary commands on affected servers by injecting arguments into CGI. Discovered by security researcher Orange Tsai (@orange_8361) of DEVCORE (@d3vc0r3), this flaw has captured the attention of the global security community. The information we present here comes from external research sources.
Vulnerability Description
CVE-2024-4577 is a remote code execution (RCE) vulnerability that affects the implementation of encoding conversion on Windows systems. This flaw is due to the way PHP handles certain arguments during encoding conversion, which can be exploited by attackers to inject and execute malicious code on the server. The vulnerability arises due to an oversight in the Best-Fit feature of encoding conversion within the Windows operating system, allowing attackers to bypass the protection implemented for CVE-2012-1823 via specific character sequences.
Relationship with CVE-2012-1823
Both PHP and DEVCORE have noted that CVE-2024-4577 is a patch bypass for CVE-2012-1823. CVE-2012-1823 was patched in PHP versions 5.13.12 and 5.4.2 on May 3, 2012, and at the time was noted as a vulnerability that “had gone undetected for at least 8 years.” The vulnerability was originally discovered during a capture the flag (CTF) event in 2012. Although the original blog is no longer accessible, an archived copy details the discovery and notification of the flaw. Several exploit scripts exist for CVE-2012-1823, and it has been on the US Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) list since March 25, 2022.
Impact
The severity of CVE-2024-4577 lies in its ability to completely compromise the security of the affected server. Successful exploitation of this vulnerability allows attackers to execute arbitrary commands on the targeted server, which can result in a variety of serious consequences:
- Complete Server Control: Attackers can take full control of the server, allowing them to modify settings, access sensitive data, and run any type of malicious software.
- Data Exfiltration: Confidential information and user data can be stolen, posing a significant risk to privacy and information security.
- Data Destruction or Manipulation: Attackers can modify or delete critical data, affecting the integrity and availability of the information.
- Malware Installation: Malicious programs can be installed on the compromised server, which can spread to other systems and networks.
- Disruption of Services: Exploitation of this vulnerability can cause interruptions in services, affecting the availability of applications and websites.
Given the extensive use of PHP in global web infrastructure, this vulnerability puts an enormous number of websites and applications at risk, including those that handle sensitive or confidential information.
Affected Versions
Vulnerable PHP versions include:
- PHP 8.3 < 8.3.8
- PHP 8.2 < 8.2.20
- PHP 8.1 < 8.1.29
Mitigation measures
PHP update
The most effective measure to mitigate this vulnerability is to update PHP to the patched versions:
- PHP 8.1.29
- PHP 8.2.20
- PHP 8.3.8
Sanitation and Validation of Parameters
Sanitizing and validating input parameters is one of the most effective strategies to prevent attacks such as command injection. Here is how this process can be carried out and why it is crucial:
- Parameter Sanitization:
- Escaping Special Characters: Before processing any user input, it is important to remove or escape special characters that could be used in an injection attack. For example, characters like
;
,&
,|
, and>
should be treated with care, as they can be used to insert malicious commands. - Data Cleaning: Use specific PHP functions such as
htmlspecialchars()
orfilter_var()
to clean and convert the input data to a safe format.
- Escaping Special Characters: Before processing any user input, it is important to remove or escape special characters that could be used in an injection attack. For example, characters like
- Parameter Validation:
- Data Type: Ensure that the data received is of the expected type (for example, integers, strings, email addresses). This can be done using functions like
is_int()
,is_string()
, orfilter_var()
with specific filters. - Range and Length: Verify that the data is within the expected ranges and lengths. For example, if you expect a string of no more than 50 characters, you must validate this explicitly.
- Allowed Patterns: Use regular expressions to ensure that the data only contains allowed characters. For example, an email address must match a specific pattern to be considered valid.
- Data Type: Ensure that the data received is of the expected type (for example, integers, strings, email addresses). This can be done using functions like
Implementing these practices ensures that any user input is properly reviewed before being processed, significantly reducing the risk of command injections and other similar vulnerabilities.
Secure Configuration
Configuring your PHP environment securely is essential to minimize the risks associated with the CVE-2024-4577 vulnerability. Here are some important steps to achieve a secure setup:
- Disable Unnecessary Features:
- Disable PHP CGI if not necessary: If you do not need to run PHP in CGI mode, it is advisable to disable it completely. PHP can be run in more secure modes such as FastCGI or PHP-FPM, which offer better security controls.
- Remove or restrict access to PHP executables: Ensure that PHP executables (php.exe, php-cgi.exe) are not publicly accessible. This can be done by correctly configuring the routes and permissions on the web server.
- Configure the Web Server:
- Using ScriptAlias: If it is necessary to expose the PHP executable, use directives like
ScriptAlias
to restrict access to only specific and safe paths. For example, in Apache:
ScriptAlias /php-cgi/ "/safe/path/to/php-cgi/"
- Access Restriction: Set appropriate permissions to limit who can access and execute PHP scripts. This includes setting file and directory permissions to prevent unauthorized access.
- Using ScriptAlias: If it is necessary to expose the PHP executable, use directives like
- Additional Protection with Rewrite Rules:
- Implement Rewrite Rules: Use rewrite rules on the web server to block malicious requests. For example, in Apache, you can add rules like:
RewriteEngine On
RewriteCond %{QUERY_STRING} ^%ad [NC]
RewriteRule .? - [F,L]
These rules help block known patterns of attacks, providing an additional layer of defense.
Recommendations for XAMPP
For users using XAMPP, it is recommended to disable PHP executable exposure in the Apache configuration to avoid this vulnerability. Modify the Apache configuration file:
C:/xampp/apache/conf/extra/httpd-xampp.conf
Comment the line that exposes the PHP CGI:
# ScriptAlias /php-cgi/ "C:/xampp/php/"
PoCs
- PoC by ZeroTrust Bl4cksku11
- PoC by TAM-K592
- PoC by watchtowrlabs