The well-known open-source scripting language PHP (Hypertext Preprocessor) just had a critical RCE flaw patched and disclosed. Found and reported by security researcher Orange Tsai, CVE-2024-4577 affects the PHP-CGI module in the Windows version and impacts all releases post 5.x.
The flaw, which involves an OS command injection, is found within the ‘Best-Fit’ feature of encoding conversion and allows attackers to execute arbitrary code with specific character sequences. With a rather simple exploitation technique, it has been assigned a CVSS score of 9.8, and Watchtowr has released a public proof-of-concept. Despite attackers scrambling to find vulnerable systems, you needn’t fear; patch details are available in the final section of this blog.
Technical Details
CGI, or Common Gateway Interface, is popularly used to generate dynamic content on web pages. PHP-CGI is a protocol that transfers information between CGI scripts and web servers, parsing HTTP requests and sending them to PHP command-line interpreters. The parsing involves the conversion of unicode characters to ASCII.
PHP command line arguments begin with hyphens, which have a Unicode value of 0x2D. These are, of course, escaped during parsing to prevent code injections. Unnoticed by the developers, however, there exists another type of Unicode hyphen! The sneaky ‘soft hyphen’, with a value of 0xAD, is not escaped during parsing since it isn’t registered as a real hyphen.
Now, this wouldn’t be a problem, if not for the ‘Best Fit’ feature. While the interpreter does its job, it will see a soft hyphen, assume that the user meant to add in a real hyphen instead, and interpret 0xAD as 0x2D – without escaping it. This means that data from the HTTP request can be interpreted as command-line PHP arguments! With this information, it’s rather easy to construct a POST request containing 0xAD characters and achieve remote code execution.
Impact and Products Affected
This CVE affects every version of PHP for Windows below PHP 8.3.8, PHP 8.2.20, and PHP 8.1.29 with PHP-CGI enabled. Exploitation can reveal the source code of scripts and let attackers run arbitrary PHP code on the server.
Since the disclosure of the bug and PoC, many IP addresses have already been found to be scanning for vulnerable servers. The sheer range of affected versions implies a great number of impacted servers worldwide.
Solutions and Remediations
Users who have supported (not EOL) versions of PHP for Windows can upgrade to PHP 8.3.8, PHP 8.2.20, or PHP 8.1.29 with patch management tools like SanerNow.
Others can apply a mod_rewrite rule to prevent attacks, like so:
RewriteEngine On
RewriteCond %{QUERY_STRING} ^%ad [NC]
RewriteRule .? – [F,L]
XAMPP has a ‘ScriptAlias’ directive in the Apache configuration file (usually at ‘C:/xampp/apache/conf/extra/httpd-xampp.conf’). Users who don’t need PHP-CGI can comment said directive out.
FastCGI, PHP-FPM, and Mod-PHP are all more secure alternatives to PHP-CGI, and it is recommended to migrate to one of them.
Instantly Fix Risks with SanerNow Patch Management
SanerNow patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. It supports all major operating systems, such as Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a main production environment. SanerNow patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.