CVE-2024-4577

Published Jun 9, 2024

Last updated a month ago

PHP

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2024-4577 is a vulnerability that enables remote code execution in PHP installations on Windows servers. It specifically affects systems running PHP in CGI mode or those exposing the PHP binary. Exploitation involves leveraging the Windows "Best-Fit" encoding feature, typically by inserting a "soft hyphen" character within a URL. This allows attackers to bypass PHP sanitization measures and execute arbitrary code via the `php.exe` executable. While initially believed to have a broader impact, further research revealed that successful exploitation primarily hinges on the system's locale being configured for Chinese (simplified or traditional) or Japanese. Other similar locales might also be susceptible. The vulnerability affects PHP versions 8.1 before 8.1.29, 8.2 before 8.2.20, and 8.3 before 8.3.8. Proof-of-concept exploits were observed shortly after the vulnerability's disclosure, highlighting its potential for misuse.

Description: In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
Source: security@php.net
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Known exploits

Data from CISA

Vulnerability name: PHP-CGI OS Command Injection Vulnerability
Exploit added on: Jun 12, 2024
Exploit action due: Jul 3, 2024
Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Weaknesses

security@php.net: CWE-78
nvd@nist.gov: CWE-78

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "7DC2EEF8-834B-42A1-8DA3-0C2CF22A7070",
            "versionEndExcluding": "8.1.29",
            "versionStartIncluding": "8.1.0"
          },
          {
            "criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A39988FF-D854-4277-9D66-6911AF371DD3",
            "versionEndExcluding": "8.2.20",
            "versionStartIncluding": "8.2.0"
          },
          {
            "criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F579FFC1-4F81-4755-B14B-3AA73AC9FF7A",
            "versionEndExcluding": "8.3.8",
            "versionStartIncluding": "8.3.0"
          }
        ],
        "operator": "OR"
      },
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
            "vulnerable": false,
            "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"
          }
        ],
        "operator": "OR"
      }
    ],
    "operator": "AND"
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646"
          },
          {
            "criteria": "cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "CA277A6C-83EC-4536-9125-97B84C4FAF59"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]