Exploiting PHP CGI Argument Injection: CVE-2024–4577
Introduction: PHP, one of the most widely used scripting languages, has always been a target for attackers due to its extensive deployment in web servers worldwide. A recent vulnerability, CVE-2024–4577, discovered by Orange Tsai of DEVCORE and exploited by researchers at watchTowr, demonstrates a critical flaw in PHP’s CGI handling, enabling Remote Code Execution (RCE) in specific configurations. This blog will explore how the exploit works and discuss the vulnerable versions and mitigation measures.
Understanding the Vulnerability: CVE-2024–4577 is a PHP CGI Argument Injection vulnerability that allows attackers to inject arbitrary commands into a vulnerable PHP setup running on Windows. The vulnerability primarily affects:
- PHP 8.3 < 8.3.8
- PHP 8.2 < 8.2.20
- PHP 8.1 < 8.1.29
Older versions like PHP 8.0, PHP 7, and PHP 5 are end-of-life and no longer receive updates, making them potential targets if still in use.
Proof of Concept (PoC): The PoC developed by @watchTowr showcases how attackers can leverage this flaw to execute commands remotely. Below is a sample command used in the PoC:
python watchTowr-vs-php_cve-2024-4577.py -c "<?php system('calc');?>" -t http://192.168.253.132/test.sinaThis command targets a PHP server and triggers the execution of the calculator application on a Windows machine. The output highlights a successful exploit:
(*) Exploit was successfulTechnical Details: The vulnerability lies in the way PHP processes CGI requests, allowing specially crafted arguments to be interpreted as part of the script, leading to command injection. By exploiting this, attackers can gain full control over the server, potentially leading to data breaches, unauthorized access, and other critical impacts.
Mitigation Measures: Admins should immediately patch their servers by updating PHP to the latest secure versions:
- PHP 8.3.8 or later
- PHP 8.2.20 or later
- PHP 8.1.29 or later
Conclusion: CVE-2024–4577 is a stark reminder of how even minor configuration oversights can lead to severe vulnerabilities. Regular patching, vigilant monitoring, and staying informed about security advisories are key practices for maintaining secure PHP environments.
