In this long read, we delve into a recently discovered PHP vulnerability that affects specific versions of PHP (8.1.* before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8) when used with Apache and PHP-CGI on Windows systems. The vulnerability, referenced as CVE-2024-4577, exposes a security risk that allows a malicious user to execute arbitrary PHP code on the server or even reveal the source code of scripts. This post aims to provide an in-depth analysis of the vulnerability, including code snippets, references to original reports, and details on exploiting the vulnerability.

Background

The root cause of CVE-2024-4577 lies in the "Best-Fit" behavior exhibited by certain code pages on the Windows operating system. When a system is configured to use specific code pages, Windows may replace characters in command lines passed to Win32 API functions. Consequently, the PHP-CGI module might misinterpret these characters as PHP options, and an attacker can exploit this to pass options to the PHP binary being executed.

Exploiting the Vulnerability

To exploit CVE-2024-4577, an attacker would typically target a Windows server running an affected version of PHP, configured to use one of the code pages exhibiting the problematic behavior. The attacker crafts a malicious request containing specially crafted characters, which are then used as PHP options when the system processes the request.

To illustrate, consider the following example

A vulnerable server is running PHP 8.1.28, configured to use code page 1252. An attacker sends a request containing the character 'é', which is replaced by the 'Best-Fit' behavior to the '-' (minus) character. The PHP-CGI module interprets this change as a PHP option, allowing the attacker to pass arbitrary options to the PHP binary.

Here's a code snippet illustrating the vulnerability

// vulnerable.php
echo 'Hello, the provided value is: ' . $_GET['value'];

An attacker can exploit this vulnerability by accessing the URL, in this case with the 'é' character:

http://example.com/vulnerable.php?value=éini_set'%20%20w%202%202_%20%23%20auto-prepend-file%20php://input

In this example, the 'é' character would be replaced by the '-' (minus) character, and the subsequent characters would be treated as PHP options. The attacker can then add their code to the php://input stream, leading to arbitrary code execution on the server.

Mitigation and Patching

The first line of defense against this vulnerability is to update your PHP installation to a patched version that addresses the issue:

PHP 8.3.*: Update to 8.3.8 or later

Additionally, it's essential to review and adjust the code page settings on your Windows server to limit the exposure to the "Best-Fit" behavior. Using a code page that does not exhibit this behavior can further reduce the vulnerability risk.

Conclusion

CVE-2024-4577 is a serious vulnerability that affects specific PHP versions running on Windows servers. Understanding the underlying cause of the vulnerability, the "Best-Fit" behavior, and taking appropriate steps to patch your PHP installation and review code page settings are critical in maintaining a secure server environment.

For more information on CVE-2024-4577, refer to the original disclosure and reports

- CVE Details: CVE-2024-4577
- PHP Release Announcements
- OWASP: PHP Security Cheat Sheet

Timeline

Published on: 06/09/2024 20:15:09 UTC
Last modified on: 06/13/2024 04:15:16 UTC