“Urgent Alert: PHP Vulnerability on Windows Devices – Act Fast to Prevent Malicious Code Execution”
Critical PHP Vulnerability on Windows Devices: Urgent Action Required
A critical vulnerability in the PHP programming language has been discovered, which can be easily exploited to execute malicious code on Windows devices. Security researchers have issued a warning and are urging those affected to take immediate action before the weekend starts. Within just 24 hours of the vulnerability and accompanying patch being published, researchers from the nonprofit security organization Shadowserver reported Internet scans designed to identify servers that are susceptible to attacks.
The vulnerability, known as CVE-2024-4577, stems from errors in the way PHP converts unicode characters into ASCII. A feature built into Windows known as Best Fit allows attackers to use a technique known as argument injection to pass user-supplied input into commands executed by an application, in this case, PHP. This allows attackers to bypass a critical code execution vulnerability patched in PHP in 2012, known as CVE-2012-1823.
The ease of exploitation, the availability of proof-of-concept attack code, the severity of remotely executing code on vulnerable machines, and the widely used XAMPP platform being vulnerable by default, has prompted security practitioners to urge admins to check to see if their PHP servers are affected before starting the weekend.
CVE-2024-4577 affects PHP only when it runs in a mode known as CGI, in which a web server parses HTTP requests and passes them to a PHP script for processing. Even when PHP isn’t set to CGI mode, however, the vulnerability may still be exploitable when PHP executables such as php.exe and php-cgi.exe are in directories that are accessible by the web server. This configuration is set by default in XAMPP for Windows, making the platform vulnerable unless it has been modified.
One example of how the vulnerability can be exploited occurs when queries are parsed and sent through a command line. A harmless request such as http://host/cgi.php?foo=bar could be converted into php.exe cgi.php foo=bar, a command that would be executed by the main PHP engine.
Like many other languages, PHP converts certain types of user input to prevent it from being interpreted as a command for execution. This is a process known as escaping. However, the Best Fit feature fails to escape characters such as a soft hyphen (with unicode value 0xAD) and instead converts it to an unescaped regular hyphen (0x2D), a character that’s instrumental in many code syntaxes.
The vulnerability was discovered by Devcore researcher Orange Tsai, who said: “The bug is incredibly simple, but that’s also what makes it interesting.” The researchers have confirmed that XAMPP is vulnerable when Windows is configured to use the locales for Traditional Chinese, Simplified Chinese, or Japanese. They haven’t tested other locales and have urged people using them to perform a comprehensive asset assessment to test their usage scenarios.
CVE-2024-4577 affects all versions of PHP running on a Windows device. That includes version branches 8.3 prior to 8.3.8, 8.2 prior to 8.2.20, and 8.1 prior to 8.1.29. The 8.0, 7, and 5 version branches are also vulnerable, but since they’re no longer supported, admins will have to follow mitigation advice since patches aren’t available.
One option is to apply rewrite rules such as:
RewriteEngine On
RewriteCond %{QUERY_STRING} ^ [NC]
RewriteRule .? – [F,L]
The researchers caution these rules have been tested only for the three locales they have confirmed as vulnerable. XAMPP for Windows had yet to release a fix as of 06/08/2024. For admins without the need for PHP CGI, they can turn it off using the following Apache HTTP Server configuration:
C:/xampp/apache/conf/extra/httpd-xampp.conf
Locating the corresponding lines:
ScriptAlias /php-cgi/ “C:/xampp/php/”
And comment it out:
# ScriptAlias /php-cgi/ “C:/xampp/php/”.
It is critical for admins to assess their PHP servers for this vulnerability and take the necessary steps to mitigate the risk. The simplicity of the exploit and the potential for severe consequences make this an urgent matter that should not be overlooked.
