The developers of PHP, a widely used open-source scripting language for web development that runs on both Windows and Linux servers, have released an update to address a critical vulnerability affecting PHP on Windows.
The flaw, designated CVE-2024-4577, stems from how character encodings are converted when request arguments reach PHP on Windows. It lets an unauthenticated threat actor pass special character sequences as URL query-string arguments that PHP then interprets as command-line switches, which can lead to remote code execution.
CVE-2024-4577 affects all releases of PHP since version 5.x running on Windows servers in CGI mode. PHP servers that are not running in CGI mode may still be affected if the PHP executables (e.g., php.exe or php-cgi.exe) are located in directories accessible by the web server.
At least one PHP distribution, XAMPP for Windows, ships with this configuration by default and is therefore likely vulnerable to CVE-2024-4577.
Additionally, cybersecurity researchers have verified that when Windows runs in the Traditional Chinese, Simplified Chinese or Japanese locale, an unauthenticated threat actor can directly execute arbitrary code on the remote server. The researchers could not rule out that other locales, such as English, Korean and Western European, are also vulnerable.
Due to the widespread use of PHP, researchers worry this flaw could affect a significant number of servers worldwide. Although a patch is available, not every affected server will be updated before threat actors find and exploit it, and some will never be updated. The Shadowserver Foundation is already reporting that it has detected multiple IP addresses scanning for servers vulnerable to CVE-2024-4577.
Source: Bleeping Computer
Analysis
In 2012, a critical argument injection vulnerability, designated CVE-2012-1823, was discovered in PHP's CGI executable (php-cgi) on all platforms, not only Windows. Like CVE-2024-4577, this flaw allowed threat actors to include command-line switches (e.g., "-s", which makes php-cgi print the script's source) in HTTP query strings, which could lead to source disclosure and remote code execution. Shortly after the discovery of CVE-2012-1823, PHP's developers released a patch that detected dashes in the query string and refused to treat such arguments as switches.
CVE-2024-4577 is effectively a bypass of the patch for CVE-2012-1823. Windows converts process arguments to the system's ANSI code page using "Best-Fit" mapping: a character with no exact equivalent in that code page is replaced by the closest one that exists. In the Chinese and Japanese code pages, the soft hyphen (U+00AD, sent in the URL as %AD) has no exact equivalent and is mapped to an ASCII "-". Because PHP's query-string filtering runs before this conversion, it sees no dash and lets the argument through; by the time the argument reaches the option parser it is a "-", and command-line switch injection works just as it did with CVE-2012-1823.
At present, only certain PHP Windows setups, like XAMPP, and a limited set of locales, such as Chinese and Japanese, appear to be at high risk. However, it is likely only a matter of time before threat actors find other characters in other locales, and other PHP configurations, that can be exploited.
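The following is an added example, not code from PHP, Apache, XAMPP or Field Effect. It models in plain Python, in the order the analysis above describes, the three stages of the bypass: the CGI rule that turns a query string without "=" into php-cgi command-line arguments, PHP's post-2012 rejection of arguments beginning with "-", and the Windows Best-Fit conversion that maps the soft hyphen (%AD) to "-" after that rejection has already run. It also serves the scanning point made earlier: the same query-string parsing is reused to flag suspicious requests in web-server access logs. The BEST_FIT table is constructed and partial (it holds only the one mapping discussed here, not the real Windows tables), and the log lines are constructed samples.

```python
"""Model of PHP-CGI argument injection: the CVE-2012-1823 filter, the
CVE-2024-4577 Best-Fit bypass, and an access-log check for scanning.

Added example; not code from PHP, Apache, XAMPP or Field Effect.
"""
from urllib.parse import unquote_to_bytes

# Constructed/partial table: Windows Best-Fit maps U+00AD to '-' in the CJK
# ANSI code pages (CP932 Japanese, CP936/CP950 Chinese). In CP1252 (Western
# European) U+00AD has a direct mapping, so that byte survives unchanged.
BEST_FIT = {
    "cp932": {0xAD: 0x2D},
    "cp936": {0xAD: 0x2D},
    "cp950": {0xAD: 0x2D},
    "cp1252": {},
}


def cgi_argv(query_string: str) -> list[bytes]:
    """CGI 'indexed query' rule: when the raw query string contains no '=',
    the server splits it on '+' and percent-decodes each piece into argv."""
    if "=" in query_string:
        return []
    return [unquote_to_bytes(p) for p in query_string.split("+") if p]


def php_2012_filter(argv: list[bytes]) -> bool:
    """Modelled CVE-2012-1823 mitigation: refuse to treat the query string
    as options if any argument starts with an ASCII '-' (0x2D)."""
    return not any(arg.startswith(b"-") for arg in argv)


def windows_best_fit(argv: list[bytes], code_page: str) -> list[bytes]:
    """Modelled wide-to-ANSI conversion of the process arguments: bytes with
    no direct mapping in the code page receive a 'best fit' substitute."""
    table = BEST_FIT[code_page]
    return [bytes(table.get(b, b) for b in arg) for arg in argv]


def php_cgi_sees(query_string: str, code_page: str = "cp932") -> list[bytes]:
    """What php-cgi's option parser would see for one request on a server in
    the given locale; [] when the request is rejected or carries no args."""
    argv = cgi_argv(query_string)
    if not php_2012_filter(argv):
        return []                                   # blocked since 2012
    return windows_best_fit(argv, code_page)        # filter ran on raw bytes


def suspicious_query(query_string: str) -> bool:
    """Detection: a query string that would become argv and in which some
    argument starts with '-' or with the 0xAD byte that Best-Fit turns into '-'."""
    argv = cgi_argv(query_string)
    return any(arg[:1] in (b"-", b"\xad") for arg in argv)


def scan_access_log(lines: list[str]) -> list[str]:
    """Return the client IP of every Apache combined-format line whose
    request target carries a suspicious query string."""
    hits = []
    for line in lines:
        parts = line.split('"')
        if len(parts) < 2:
            continue
        request = parts[1].split()                  # ['GET', '/path?qs', 'HTTP/1.1']
        if len(request) < 2:
            continue
        query = request[1].partition("?")[2]
        if query and suspicious_query(query):
            hits.append(line.split()[0])
    return hits


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Jun/2024:10:15:01 +0000] "GET /php-cgi/php-cgi.exe?%ADs HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '198.51.100.9 - - [07/Jun/2024:10:15:03 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [07/Jun/2024:10:15:05 +0000] "GET /php-cgi/php-cgi.exe?-s HTTP/1.1" 200 128 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    print(php_cgi_sees("-s"))               # [] : the 2012 filter still works
    print(php_cgi_sees("%ADs", "cp932"))    # [b'-s'] : same switch, via Best-Fit
    print(php_cgi_sees("%ADs", "cp1252"))   # [b'\xads'] : no mapping, not a switch
    print(scan_access_log(SAMPLE_LOG))      # ['203.0.113.7', '203.0.113.7']
```

The model shows why the locale matters: the same %ADs request yields a "-s" switch under CP932 but an inert byte under CP1252, which is consistent with the Chinese and Japanese locales being the confirmed cases. It says nothing about other characters in other code pages, which is exactly the open question noted above. The log check flags both the classic "-s" form and the %AD form, since a scanner will typically try both.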
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in software, appliances and operating systems. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the exploitation of these vulnerabilities.
Field Effect MDR users were automatically notified if a vulnerable PHP server was detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect strongly encourages users of the affected PHP servers to update to the latest version (PHP 8.3.8, 8.2.20 or 8.1.29) as soon as possible, in accordance with PHP's advisory. The 8.0, 7.x and 5.x branches are end-of-life and do not receive a fix, so servers on those branches need to be upgraded to a supported release.
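For servers that cannot be updated immediately, PHP's advisory lists two temporary mitigations. They are written out here as an added example, not as Field Effect's or PHP's own text; the XAMPP install path C:/xampp is assumed to be the default.

```apache
# Temporary mitigation from PHP's advisory: reject any request whose query
# string begins with the soft-hyphen byte (%AD) that Best-Fit turns into "-".
# Goes in the server config or a .htaccess where mod_rewrite is enabled.
RewriteEngine On
RewriteCond %{QUERY_STRING} ^%ad [NC]
RewriteRule .? - [F,L]

# XAMPP for Windows: the default httpd-xampp.conf (assumed install path
# C:/xampp) exposes php-cgi.exe to the web under /php-cgi/. If PHP-CGI is
# not needed, comment this line out and restart Apache:
#
#   ScriptAlias /php-cgi/ "C:/xampp/php/"
```

Both are stopgaps, not fixes: the rewrite rule only matches query strings that start with %AD, and disabling the ScriptAlias only helps where php-cgi.exe is not reachable some other way. Updating PHP remains the actual remedy.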