CVE-2024-5585 - Beware Trailing Spaces: PHP proc_open() Vulnerability Patch Incomplete

If you're a developer using PHP, you'll want to pay attention to this recent discovery - the previously released fix for CVE-2024-1874, a PHP vulnerability, is not comprehensive. Trailing spaces have been identified as a potential bypass mechanism, leaving room for exploitation. Let's delve into this issue and provide helpful advice on how to address it.

Background

CVE-2024-1874 was initially reported as a PHP urlencode() function vulnerability. It became apparent that when using the proc_open() function in combination with arrays, there was insufficient escaping. Consequently, a malicious user could exploit this vulnerability to execute arbitrary commands within the Windows shell environment.

To address this issue, PHP developers released patches in various PHP versions, including 8.1.* before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8. Unfortunately, it turns out that the solution was incomplete and does not work as intended if the command name includes trailing spaces.

The Current Situation

As of now, developers need to be cautious when working with the proc_open() function in PHP. If the arguments within the executed command are controlled by a malicious user, it is possible to bypass the implemented patch altogether. To exploit this vulnerability, an attacker would simply need to include trailing spaces in the command name.

Here's a snippet of code that demonstrates the issue:

<?php
$cmd = 'dir /b '; // Command to execute, followed by a trailing space
$descriptorspec = array(
    0 => array('pipe', 'r'), // STDIN
    1 => array('pipe', 'w'), // STDOUT
    2 => array('pipe', 'w')  // STDERR
);
$proc = proc_open($cmd, $descriptorspec, $pipes);
if (!is_resource($proc)) {
    exit("proc_open() failed\n");
}
fclose($pipes[0]); // Nothing is written to the child's STDIN
$stdout = stream_get_contents($pipes[1]);
fclose($pipes[1]);
$stderr = stream_get_contents($pipes[2]);
fclose($pipes[2]);
proc_close($proc);
echo "STDOUT: \n$stdout\n";
echo "STDERR: \n$stderr\n";
?>

The above code demonstrates a standard usage of the proc_open() function, but if the command being executed (in this case, 'dir /b') has trailing spaces, the patch to CVE-2024-1874 becomes ineffective.

Workaround

Until PHP developers release a new patch to fully address this vulnerability, developers should take additional steps to sanitize command names when using the proc_open() function. Ensure that any trailing spaces are removed before the command is executed. One way to accomplish this is to apply the rtrim() function, which removes whitespace from the end of a string:

$cmd = rtrim($cmd);
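
The same workaround applied to the array form of proc_open(), as an added example that is not code from the original article or from the PHP project. The helper names normalize_argv() and in_listed_range() are hypothetical, and the script assumes PHP 8.1 or later run from the CLI, with the running PHP binary used as a constructed sample command.

```php
<?php
// Version ranges listed in the Background section of this page.
const LISTED_RANGES = ['8.1' => '8.1.29', '8.2' => '8.2.20', '8.3' => '8.3.8'];

// True when $version is in one of the listed "X.Y.* before X.Y.Z" ranges.
function in_listed_range(string $version): bool
{
    foreach (LISTED_RANGES as $branch => $bound) {
        if (str_starts_with($version, $branch . '.')) {
            return version_compare($version, $bound, '<');
        }
    }
    return false;
}

// Hypothetical helper: validate an argv list and strip trailing whitespace
// from the command name (argv[0]) before it reaches proc_open().
function normalize_argv(array $argv): array
{
    if ($argv === [] || !array_is_list($argv)) {
        throw new InvalidArgumentException('argv must be a non-empty list');
    }
    foreach ($argv as $arg) {
        if (!is_string($arg) || str_contains($arg, "\0")) {
            throw new InvalidArgumentException('arguments must be NUL-free strings');
        }
    }
    $name = rtrim($argv[0]); // the workaround from this page
    if ($name === '') {
        throw new InvalidArgumentException('empty command name');
    }
    if ($name !== $argv[0]) {
        error_log('proc_open command name had trailing whitespace; stripped');
    }
    $argv[0] = $name;
    return $argv;
}

// Constructed sample input: the running PHP binary with a trailing space added.
$argv = normalize_argv([PHP_BINARY . ' ', '-r', 'echo 1;']);
$proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
if (!is_resource($proc)) {
    exit("proc_open failed\n");
}
$stdout = stream_get_contents($pipes[1]);
array_map('fclose', $pipes);
$exit = proc_close($proc);
printf("listed range: %s, exit: %d, stdout: %s\n", in_listed_range(PHP_VERSION) ? 'yes' : 'no', $exit, $stdout);
```

The error_log() line gives operations a signal to search for: a command name arriving with trailing whitespace is worth investigating even when the call succeeds.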

Conclusion

It is crucial for developers to be vigilant when working with PHP and the proc_open() function, particularly if the command name contains trailing spaces. Always keep abreast of the latest PHP updates and potential vulnerabilities. As an immediate measure, sanitize command names by removing any trailing whitespace to ensure that your applications remain secure. We hope this article has been helpful, and we will keep you informed as new and improved fixes for CVE-2024-5585 become available.

Timeline

Published on: 06/09/2024 19:15:52 UTC
Last modified on: 06/13/2024 04:15:17 UTC