Researchers disclose a critical severity vulnerability affecting PHP installations and provide proof-of-concept exploit code, which could lead to remote code execution.

Background

On June 6, maintainers of PHP released updates to address a critical vulnerability affecting installations where PHP is used in CGI mode. As part of a coordinated release, researchers at DEVCORE published a blog post with their analysis of the vulnerability and its impact.

Analysis

CVE-2024-4577 is a critical argument injection vulnerability in PHP that can be exploited to achieve remote code execution (RCE). According to researchers at DEVCORE, this flaw is the result of errors in character encoding conversions, affecting the “Best Fit” feature on Windows.

The DEVCORE team outlines two scenarios that administrators can use to determine if their servers may be impacted. The first is when PHP is running with CGI mode enabled. From documentation provided by PHP, CGI mode is dangerous and can open up your server to a variety of vulnerabilities.

Credit: PHP.net documentation

The second scenario involves a PHP installation in which the PHP binary is exposed in a web-accessible directory. It’s important to note that according to DEVCORE, XAMPP, a popular PHP development environment, exposes the PHP binary by default, potentially having a wide impact on systems across the internet.

CVE-2024-4577 is a patch bypass of CVE-2012-1823

Both PHP and DEVCORE note that CVE-2024-4577 is a patch bypass of CVE-2012-1823. CVE-2012-1823 was patched in PHP versions 5.13.12 and 5.4.2 on May 3, 2012 and at the time was noted to be a vulnerability that “has gone unnoticed for at least 8 years.” The vulnerability was originally discovered during a capture the flag (CTF) event in 2012. While the original blog is no longer accessible, an archived copy details the discovery and reporting of the flaw. A variety of exploit scripts exist for CVE-2012-1823 and it has been in the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) list since March 25, 2022.

Active scanning is underway

On June 7, The Shadowserver Foundation posted on X (formerly Twitter) that they have observed multiple IPs attempting to test this vulnerability against their honeypots.

Attention! We see multiple IPs testing PHP/PHP-CGI CVE-2024-4577 (Argument Injection Vulnerability) against our honeypot sensors starting today, June 7th. Vulnerability affects PHP running on Windows.

Patches released June 6th: https://t.co/jM5HgGUZJF

Exploit PoC is public.

— The Shadowserver Foundation (@Shadowserver) June 7, 2024

Proof of concept

On June 7, researchers at watchTowr released a proof-of-concept (PoC) script for CVE-2024-4577 on their GitHub page.

Solution

PHP versions of 8.1.29, 8.2.20 and 8.3.8 were released on June 6 to address this vulnerability. If you are unable to patch immediately, the DEVCORE blog does offer some mitigation guidance. As both PHP and DEVCORE note, CGI mode is insecure and dated, so it is recommended to migrate “to a more secure architecture.”

Identifying affected systems

A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2024-4577 as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.

Get more information

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.