Traceable – Blog: Critical PHP CGI Argument Injection Vulnerability (CVE-2024-4577) Leads to Remote Code Execution

Researchers found an RCE (remote code execution) vulnerability in PHP that abuses an argument injection flaw. The vulnerability (CVE-2024-4577) was assigned a CVSS score of 9.8 (Critical). The researchers coordinated with the PHP team and announced the vulnerability on June 6, 2024, at the same time as PHP released fixes for it in versions 8.3.8, 8.2.20, and 8.1.29.

Affected Versions: This vulnerability affects all versions of PHP installed on the Windows operating system. Please refer to the table below for details:

PHP 8.3 < 8.3.8
PHP 8.2 < 8.2.20
PHP 8.1 < 8.1.29

All versions of XAMPP installations on Windows are vulnerable by default.

High Level Summary

As part of Unicode processing, PHP applies what is called a 'best fit' mapping. This mapping assumes that when the user enters a soft hyphen (0xAD), they actually meant to type a real hyphen, and PHP interprets it as such. Herein lies the vulnerability: if a CGI handler receives a soft hyphen (0xAD), it doesn't escape it and passes it on to PHP. PHP, however, interprets it as a real hyphen, allowing an attacker to introduce additional command-line arguments, which begin with hyphens, into the PHP process.

By exploiting this vulnerability, attackers can inject arbitrary arguments into the PHP process, leading to the execution of malicious code. This effectively compromises the server's security, granting attackers the ability to control the server remotely. The attack is particularly dangerous because it bypasses earlier protections (the fix for CVE-2012-1823) and exploits a seemingly minor feature of Unicode processing.

Detailed Analysis

Analysis of the vulnerability indicates that it affects PHP's CGI mode. Even if PHP isn't configured in this mode, simply exposing the PHP executable binary (the default XAMPP configuration) in the CGI directory also makes it susceptible to this vulnerability. Common scenarios include, but aren't limited to:

  1. Copying php.exe or php-cgi.exe to the /cgi-bin/ directory.
  2. Exposing the PHP directory via the ScriptAlias directive, for example:
     ScriptAlias /php-cgi/ "C:/xampp/php/"

In this mode, the web server parses HTTP requests and passes them to a PHP script, which then processes them. For instance, query strings are parsed and passed to the PHP interpreter on the command line: a request such as http://host/cgi.php?foo=bar would be executed as php.exe cgi.php foo=bar. This introduces an avenue for command injection, which is why input is usually handled and sanitized before calling php.exe (as was the case with CVE-2012-1823). However, there exists a corner case that developers didn't account for, allowing an attacker to break out of the command line and supply arguments interpreted by PHP itself. This corner case relates to how Unicode characters are converted into ASCII, best explained with an example. Consider two invocations of php.exe, one malicious and one benign:

At first glance, they appear identical. However, in a hex editor, it becomes clear that the first uses a normal dash (0x2D), while the second uses a soft hyphen (0xAD). Although visually similar, they have vastly different meanings to the OS. Apache will escape the actual hyphen (0x2D) but not the soft hyphen (0xAD). As part of its Unicode processing, PHP will apply the 'best fit' mapping and interpret the soft hyphen as a real hyphen, thus exposing the vulnerability. Supplying a CGI handler with a soft hyphen allows an attacker to inject additional command-line arguments into the PHP process.

This vulnerability is similar to the older PHP bug CVE-2012-1823, and some exploitation techniques developed for that older bug can be adapted. To turn the injection into RCE, the following arguments are injected:

-d allow_url_include=1 -d auto_prepend_file=php://input

This makes PHP accept input from the HTTP request body and process it as PHP code. Combined with the soft hyphen, the attack request looks like this:

POST /test.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input=null HTTP/1.1
Host: <Add-host-here>
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

<?php
echo "Hello, World!";
?>

The request uses 0xAD instead of a regular hyphen, potentially allowing it to slip through escaping mechanisms.

Recommendations

  1. Update PHP: Ensure that the PHP version in use is up to date with the latest security patches.
  2. Sanitize Input: Implement strict input validation and sanitization to prevent the injection of unexpected characters, such as the soft hyphen.
  3. Configure CGI Properly: Review and configure CGI handlers to escape or reject potentially dangerous characters before passing input to PHP.

The following Rewrite Rules can be used to block attacks:

RewriteEngine On
RewriteCond %{QUERY_STRING} ^%ad [NC]
RewriteRule .? - [F,L]
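As an added example (not from the original post or from Traceable), the following Python script applies the same idea as the rewrite rule above on the log side: it scans Apache access-log lines, decodes each query string first so that %AD, %ad and a raw 0xAD byte are all caught, and flags the soft hyphen wherever it sits in an option position (start of the query string or after a '+'), not only at the very start as the anchored rule does. The log lines, IP addresses and paths are constructed for the example.

```python
import re
from urllib.parse import unquote_to_bytes, urlsplit

# Constructed sample Apache access-log lines (not from the original post).
# Line 2 reproduces the soft-hyphen request shown above; line 3 uses lower-case
# percent-encoding; line 4 shows how Apache logs a raw 0xAD byte (as \xad).
SAMPLE_LOG = r"""
203.0.113.5 - - [08/Jun/2024:10:01:02 +0000] "GET /index.php?page=1 HTTP/1.1" 200 512
198.51.100.9 - - [08/Jun/2024:10:01:04 +0000] "POST /test.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input=null HTTP/1.1" 200 13
198.51.100.9 - - [08/Jun/2024:10:01:05 +0000] "GET /test.php?%ads HTTP/1.1" 200 2048
198.51.100.9 - - [08/Jun/2024:10:01:06 +0000] "GET /test.php?\xadd+cgi.force_redirect%3d0 HTTP/1.1" 200 13
192.0.2.4 - - [08/Jun/2024:10:01:07 +0000] "GET /shop.php?q=caf%C3%A9&x=a%ADb HTTP/1.1" 200 900
"""

# Request line of the Apache common/combined log format.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Apache writes non-printable bytes in logged request lines as \xhh.
LOG_ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})")
# Byte 0xAD where php-cgi expects a '-' option marker: at the start of the
# query string or right after a '+' (the CGI argument separator).
INJECTED_OPTION_RE = re.compile(rb"(?:^|\+)\xad[A-Za-z]")


def classify_query(query: str) -> str:
    """Return 'injection', 'soft-hyphen' or 'clean' for one raw query string."""
    if not query:
        return "clean"
    # Turn Apache's \xhh escapes into %hh, then decode: %AD and %ad both
    # become the single byte 0xAD, which is what reaches php-cgi's argv.
    raw = unquote_to_bytes(LOG_ESCAPE_RE.sub(r"%\1", query))
    if INJECTED_OPTION_RE.search(raw):
        return "injection"
    if b"\xad" in raw:
        return "soft-hyphen"  # worth a look, but not in option position
    return "clean"


def scan_log(text: str) -> list:
    """Return (client_ip, request_target, verdict) for every non-clean request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        verdict = classify_query(urlsplit(target).query)
        if verdict != "clean":
            findings.append((line.split(" ", 1)[0], target, verdict))
    return findings
```

A plain hyphen in option position (the CVE-2012-1823 pattern) is deliberately reported as clean here, so the output stays specific to the soft-hyphen bypass.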

As of the time of writing this article, XAMPP has not released the corresponding update files for this vulnerability. If you confirm that you do not require the PHP CGI feature, you can mitigate exposure to the vulnerability by modifying the Apache HTTP Server configuration: comment out the following line in C:/xampp/apache/conf/extra/httpd-xampp.conf:

ScriptAlias /php-cgi/ "C:/xampp/php/"

Monitor and Audit: Regularly monitor and audit server logs for any suspicious activity that may indicate an attempted exploit.

At Traceable, we are continuously monitoring for the latest CVEs and threats to ensure that our customers are protected against these vulnerabilities and attacks. When the vulnerability was announced, we rapidly developed and deployed appropriate protection mechanisms. As of 12th June, 2024, all Traceable customers are protected against CVE-2024-4577. We continue to look for blocked exploitation attempts via our OmniTrace Engine, and will reach out to customers who are targeted.

Traceable ASPEN

Traceable ASPEN provides vendor-neutral and threat-driven research in API security, investigating the latest breaches with world-leading expertise and analysis. We believe in securing the world's APIs with actionable insights from across the industry. We are offensively minded, defensively driven, and focused on your security.
