
PHP Addresses Critical RCE Flaw Potentially Impacting Millions of Servers

Updated on June 10, 2024


A critical remote code execution (RCE) vulnerability has been discovered in PHP for Windows, affecting version 5.x and earlier, potentially impacting millions of servers globally. Researchers at cybersecurity firm DEVCORE identified the flaw, tracked as CVE-2024-4577.


This vulnerability allows an unauthenticated attacker to take full control of affected servers. The flaw lies in the implementation of PHP itself, an open-source scripting language widely used for web development.

An oversight involving the Best-Fit feature of encoding conversion in the Windows operating system allows attackers to bypass the earlier protection against CVE-2012-1823 using specific character sequences. As a result, arbitrary code can be executed on remote PHP servers through an argument injection attack.

DEVCORE’s advisory explains, “While implementing PHP, the team did not notice the Best-Fit feature of encoding conversion within the Windows operating system. This oversight allows unauthenticated attackers to bypass the previous protection of CVE-2012-1823 by specific character sequences. Arbitrary code can be executed on remote PHP servers through the argument injection attack.”

The vulnerability CVE-2024-4577 was reported to the PHP development team by DEVCORE researcher Orange Tsai on May 7, 2024. A patch was released on June 6, 2024.

Since the disclosure and the availability of a PoC exploit code, multiple actors have attempted to exploit the flaw, as reported by researchers from Shadowserver and GreyNoise. Shadowserver observed multiple IPs testing the vulnerability against its honeypot sensors starting on June 7th, while GreyNoise reported malicious exploitation attempts.


The advisory further notes, “As of this writing, it has been verified that when Windows is running in the following locales, an unauthorized attacker can directly execute arbitrary code on the remote server: Traditional Chinese (Code Page 950), Simplified Chinese (Code Page 936), and Japanese (Code Page 932).

For Windows running in other locales, such as English, Korean, and Western European, it is currently impossible to completely enumerate and eliminate all potential exploitation scenarios. Therefore, it is recommended that users conduct a comprehensive asset assessment, verify their usage scenarios, and update PHP to the latest version to ensure security.”

XAMPP users are particularly vulnerable due to a default configuration that exposes the PHP binary. Although XAMPP has not yet released an update, DEVCORE provided mitigation instructions. Administrators should apply a mod_rewrite rule to block attacks:

RewriteEngine On
# Reject any request whose raw query string begins with "%ad" (case-insensitive)
RewriteCond %{QUERY_STRING} ^%ad [NC]
RewriteRule .? - [F,L]

XAMPP users should also find the 'ScriptAlias' directive in the Apache configuration file (C:/xampp/apache/conf/extra/httpd-xampp.conf) and comment it out.

The advisory concludes, “It is strongly recommended that all users upgrade to the latest PHP versions of 8.3.8, 8.2.20, and 8.1.29. However, since PHP CGI is an outdated and problematic architecture, it’s still recommended to evaluate the possibility of migrating to a more secure architecture such as Mod-PHP, FastCGI, or PHP-FPM.”
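The two checks an administrator would want from the text above, the query-string condition behind the mod_rewrite mitigation and the fixed-version list from the advisory, as an added Python example that is not code from DEVCORE or the original post; the access-log lines are constructed, and `find_blocked_requests` and `php_is_fixed` are hypothetical helper names.

```python
import re
from urllib.parse import urlsplit

# Mirrors the advisory's mod_rewrite condition: query string starting with "%ad",
# case-insensitively ([NC]). Apache tests the raw, still-percent-encoded string,
# so the access log's request line is matched the same way here.
QUERY_PREFIX = re.compile(r"^%ad", re.IGNORECASE)

# Request line of an Apache combined/common log entry: "METHOD TARGET PROTOCOL".
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

# Constructed sample log lines (not real traffic); only the 2nd and 3rd should match.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Jun/2024:10:01:22 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.11 - - [07/Jun/2024:10:02:05 +0000] "POST /index.php?%adtest=1 HTTP/1.1" 403 199
203.0.113.12 - - [07/Jun/2024:10:02:31 +0000] "GET /info.php?%ADx=y HTTP/1.1" 200 0
203.0.113.13 - - [07/Jun/2024:10:03:44 +0000] "GET /page.php?id=%AD HTTP/1.1" 200 1024
"""


def find_blocked_requests(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, target) for each request the rewrite rule would reject."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.search(line)
        if not m:
            continue  # malformed or truncated line; skip rather than guess
        query = urlsplit(m.group("target")).query  # urlsplit keeps %xx escapes as-is
        if QUERY_PREFIX.match(query):
            hits.append((line.split(" ", 1)[0], m.group("target")))
    return hits


# Fixed releases named in the advisory, keyed by PHP branch.
FIXED_RELEASES = {(8, 1): (8, 1, 29), (8, 2): (8, 2, 20), (8, 3): (8, 3, 8)}


def php_is_fixed(version: str) -> bool:
    """True when `version` is at or above the fixed release of its branch."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    if len(parts) != 3:
        raise ValueError(f"expected MAJOR.MINOR.PATCH, got {version!r}")
    fixed = FIXED_RELEASES.get(parts[:2])
    # Assumption: a branch with no listed fix (e.g. 8.0 or 7.x) is treated as unfixed.
    return fixed is not None and parts >= fixed


if __name__ == "__main__":
    for ip, target in find_blocked_requests(SAMPLE_LOG):
        print(f"{ip} would be rejected: {target}")
    for v in ("8.3.8", "8.2.19", "8.1.29", "8.0.30"):
        print(v, "fixed" if php_is_fixed(v) else "NOT fixed")
```

Note that the fourth sample line carries "%AD" inside a parameter value rather than at the start of the query string, so the rewrite rule (and this check) deliberately lets it through.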

Organizations should promptly update their PHP installations and adopt more secure architectures to mitigate potential threats.

Abdul Rehman

Abdul is a tech-savvy, coffee-fueled, and creatively driven marketer who loves keeping up with the latest software updates and tech gadgets. He's also a skilled technical writer who can explain complex concepts simply for a broad audience. Abdul enjoys sharing his knowledge of the Cloud industry through user manuals, documentation, and blog posts.
