Traceable ASPEN Team
PHP CGI argument Injection: (CVE-2024-4577)
Researchers discovered an RCE (remote code execution) vulnerability in PHP abusing an Argument Injection vulnerability. The vulnerability (CVE-2024-4577) was assigned a CVSS score of 9.8 (Critical). The researchers coordinated with the PHP team and announced the vulnerability on June 6 2024, at the same time when PHP released fixes for the vulnerability with versions 8.3.8, 8.2.20, and 8.1.29.
Affected Versions:
This vulnerability affects all versions of PHP installed on the Windows operating system. Please refer to the table below for details:
PHP 8.3 < 8.3.8
PHP 8.2 < 8.2.20
PHP 8.1 < 8.1.29
All versions of XAMPP installations on Windows are vulnerable by default.
High Level Summary
As part of Unicode processing, PHP applies what is known as a ‘best fit’ mapping. This mapping assumes that when the user enters a soft hyphen (0xAD), they actually intended to type a real hyphen, and PHP interprets it as such. Herein lies the vulnerability: if a CGI handler receives a soft hyphen (0xAD), it does not escape it and passes it to PHP. PHP, however, interprets it as a real hyphen, allowing an attacker to introduce extra command-line arguments, which begin with hyphens, into the PHP process.
By exploiting this vulnerability, attackers can inject arbitrary arguments into the PHP process, leading to the execution of malicious code. This effectively compromises the server’s security, granting attackers the ability to control the server remotely. This attack is particularly dangerous because it bypasses previous protections (CVE-2012-1823) and exploits a seemingly minor feature of Unicode processing.
Detailed Analysis
Analysis of the vulnerability indicates that it affects PHP’s CGI mode. Even if PHP isn’t configured in this mode, simply exposing the PHP executable binary (Default XAMPP configuration) in the CGI directory also makes it susceptible to this vulnerability.
Common Scenarios include, but aren’t limited to:
- Copying php.exe or php-cgi.exe to the /cgi-bin/ directory.
- Exposing the PHP directory via ScriptAlias directive, for instance:
- ScriptAlias /php-cgi/ “C:/xampp/php/”
In this mode, the web server parses HTTP requests and passes them to a PHP script, which then processes them. For instance, query strings are parsed and passed to the PHP interpreter on the command line—a request such as http://host/cgi.php?foo=bar might be executed as php.exe cgi.php foo=bar.
This introduces an avenue for command injection, which is why input is typically handled and sanitized before calling php.exe (as was the case with CVE-2012-1823). However, there exists a corner case that developers did not account for, allowing an attacker to break out of the command line and supply arguments interpreted by PHP itself. This corner case relates to how Unicode characters are converted into ASCII, best explained with an example.
Consider two invocations of php.exe, one malicious and one benign:
At first glance, they appear identical. However, in a hex editor, it becomes clear that the first uses a normal dash (0x2D), while the second uses a soft hyphen (0xAD). Although visually similar, they have vastly different meanings to the OS.
Apache will escape the actual hyphen (0x2D) but not the soft hyphen (0xAD). As part of its Unicode processing, PHP will apply the ‘best fit’ mapping and interpret the soft hyphen as a real hyphen, thus exposing the vulnerability. Supplying a CGI handler with a soft hyphen allows an attacker to inject additional command-line arguments into the PHP process.
This vulnerability is similar to the older PHP bug CVE-2012-1823, and some exploitation techniques developed for this older bug can be adapted. To translate the injection into RCE, it is recommended to inject the following arguments:
-d allow_url_include=1 -d auto_prepend_file=php://input
This will accept input from our HTTP request body and process it using PHP. To exploit this with our soft hyphen, the attack looks like this:
POST /test.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input=null HTTP/1.1
Host: <Add-host-here>
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
<?php
echo “Hello, World!”;
?>
The request uses 0xAD instead of a regular hyphen, potentially allowing it to slip through escaping mechanisms.
Recommendations
- Update PHP: Ensure that the PHP version in use is up to date with the latest security patches.
- Sanitize Input: Implement strict input validation and sanitization to prevent the injection of unexpected characters, such as the soft hyphen.
- Configure CGI Properly: Review and configure CGI handlers to escape or reject potentially dangerous characters before passing input to PHP.
The following Rewrite Rules can be used to block attacks:
RewriteEngine On
RewriteCond %{QUERY_STRING} ^%ad [NC]
RewriteRule .? – [F,L]
As of the time of writing this article, XAMPP has not released the corresponding update files for this vulnerability. If you confirm that you do not require the PHP CGI feature, you can mitigate exposure to the vulnerability by modifying the following Apache HTTP Server configuration by commenting out the following line in C:/xampp/apache/conf/extra/httpd-xampp.conf:
ScriptAlias /php-cgi/ “C:/xampp/php/”
Monitor and Audit: Regularly monitor and audit server logs for any suspicious activity that may indicate an attempted exploit.
At Traceable, we are continuously monitoring for the latest CVEs and threats to ensure that our customers are protected against those vulnerabilities or attacks. When the vulnerability was announced, we rapidly developed and deployed appropriate protection mechanisms. As of 12th June, 2024, all Traceable customers are protected against this CVE-2024-4577. We continue to look for blocked exploitation attempts via our OmniTrace Engine, and will reach out to customers who are targeted.
Traceable ASPEN
Traceable ASPEN provides vendor neutral and threat driven research in API security, investigating the latest breaches with world leading expertise and analysis. We believe in securing the world’s APIs with actionable insights from across the industry. We are offensively minded, defensively driven, and focused on your protection.
