3 min read

CVE-2024-4577 - PHP-CGI OS Command Injection Vulnerability

Executive Summary

CVE-2024-4577 is a critical vulnerability affecting PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, and 8.3.* before 8.3.8. This vulnerability presents a severe risk to systems running PHP on Windows with Apache and PHP-CGI configurations. It allows for the misinterpretation of command-line input due to "Best-Fit" behavior in certain Windows code pages, potentially leading to the exposure of source code, execution of arbitrary PHP commands, and even full remote code execution (RCE). The CVSS v3.1 base score for this vulnerability is 9.8 (Critical).

Targeted Sectors and Countries

While there is no specific information on targeted sectors and countries, sectors typically at high risk include:

- Financial institutions

- Healthcare

- Government agencies

- Technology companies

Given the widespread use of PHP, virtually any sector running the affected versions of PHP on Windows is at risk. Countries with significant technology infrastructure, such as the United States, European Union nations, and major Asian economies, are particularly vulnerable.

Technical Information

The vulnerability in CVE-2024-4577 arises from the way PHP-CGI handles command-line arguments on Windows systems configured with specific code pages. Windows' "Best-Fit" behavior can replace certain characters that PHP may misinterpret as command-line options. This allows attackers to inject options into the PHP binary being executed, leading to severe security implications.

Detailed Breakdown:

- Confidentiality: High - Attackers can reveal PHP source code, exposing sensitive information.

- Integrity: High - Arbitrary PHP code execution could alter the behavior of applications.

- Availability: High - Full remote code execution could compromise the entire system.

The vulnerability exploits the interaction between the PHP-CGI module and the Windows API, which can interpret certain characters incorrectly due to locale settings. Attackers can craft input that PHP misinterprets, leading to unintended and dangerous command execution.

Technical Details:

- Vector: Network

- Attack Complexity: Low

- Privileges Required: None

- User Interaction: None

- Scope: Unchanged

- Impact: Complete compromise of the affected system

Exploitation in the Wild

Shortly after the disclosure of CVE-2024-4577, there have been multiple reports of active exploitation:

- TellYouThePass Ransomware: This ransomware variant has been observed leveraging the vulnerability to execute malicious commands on compromised Windows servers.

- Proof-of-Concept (PoC) Exploits: Various PoCs have been published online, demonstrating the ease with which this vulnerability can be exploited. Notable PoCs include:

- watchtowrlabs/CVE-2024-4577

- 11whoami99/CVE-2024-4577

- K3ysTr0K3R/CVE-2024-4577-EXPLOIT

APT Groups using this vulnerability

At this time, there is no confirmed attribution to specific Advanced Persistent Threat (APT) groups exploiting this vulnerability. However, given the high severity and ease of exploitation, it is highly probable that sophisticated threat actors will target this flaw in future attacks.