New PHP Vulnerability Exposes Windows Servers to Remote Code Execution

11.06.2024


Details have surfaced regarding a critical security flaw in PHP that can be exploited to achieve remote code execution under specific conditions.

The vulnerability, identified as CVE-2024-4577, is a CGI argument injection flaw that affects all versions of PHP on the Windows operating system.

According to DEVCORE security researchers, this vulnerability allows bypassing protections set up for a previous flaw, CVE-2012-1823.

“While implementing PHP, the team overlooked the Best-Fit feature of encoding conversion within the Windows operating system,” said security researcher Orange Tsai.

“This oversight enables unauthenticated attackers to circumvent the previous protections of CVE-2012-1823 using specific character sequences. As a result, arbitrary code can be executed on remote PHP servers through the argument injection attack.”

Following responsible disclosure on May 7, 2024, a fix has been released in PHP versions 8.3.8, 8.2.20, and 8.1.29.
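Given the fixed releases above, a defender's first task is to find which Windows hosts still run an unpatched branch. The following triage script is an added example, not code from the article, DEVCORE or the PHP project; it takes the fix versions from the article and runs them over a constructed host inventory:

```python
"""Triage PHP-on-Windows hosts against the CVE-2024-4577 fix versions.

Added example (not from the article). The fixed releases 8.3.8, 8.2.20 and
8.1.29 and the affected platform (Windows) come from the article; the host
inventory below is constructed for illustration.
"""
import re

# Fixed releases named in the article, keyed by minor branch.
FIXED = {(8, 3): (8, 3, 8), (8, 2): (8, 2, 20), (8, 1): (8, 1, 29)}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn strings like 'PHP 8.2.20-dev' into a (major, minor, patch) tuple."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised PHP version: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version, os_name):
    """Classify one host as 'not-affected', 'patched', 'vulnerable' or
    'vulnerable-no-fix' (a branch with no fixed release, e.g. EOL 8.0 or 7.x)."""
    if os_name.lower() != "windows":
        return "not-affected"          # the flaw is specific to Windows
    v = parse_version(version)
    if v[:2] > max(FIXED):
        return "patched"               # assumption: branches newer than 8.3 ship after the fix
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return "vulnerable-no-fix"     # no fixed release exists; migrate off the branch
    return "patched" if v >= fixed else "vulnerable"


def triage(inventory):
    """Return {hostname: status} for (host, os, version) records."""
    return {host: assess(ver, os_name) for host, os_name, ver in inventory}


# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    ("web-01", "Windows", "PHP 8.3.7"),
    ("web-02", "Windows", "8.3.8"),
    ("web-03", "Windows", "8.1.28"),
    ("web-04", "Windows", "8.0.30"),
    ("web-05", "Linux", "8.2.19"),
]

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as vulnerable or vulnerable-no-fix are also the ones to check for the CGI handler and locale conditions the article describes.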

DEVCORE has cautioned that all XAMPP installations on Windows are vulnerable by default when configured to use the locales for Traditional Chinese, Simplified Chinese, or Japanese.

The Taiwanese firm also recommends that administrators move away from the outdated PHP CGI and adopt a more secure solution such as Mod-PHP, FastCGI, or PHP-FPM.

“This vulnerability is incredibly simple, which is precisely what makes it interesting,” said Tsai. “Who would have thought that a patch, which had been reviewed and deemed secure for the past 12 years, could be bypassed due to a minor Windows feature?”

The Shadowserver Foundation, in a post shared on X, reported that it has already observed exploitation attempts against its honeypot servers within 24 hours of the public disclosure.

watchTowr Labs announced that it successfully created an exploit for CVE-2024-4577, achieving remote code execution, underscoring the urgent need for users to apply the latest patches promptly.

“A nasty bug with a very simple exploit,” remarked security researcher Aliz Hammond.

“Those running in an affected configuration under one of the impacted locales – Chinese (Simplified or Traditional) or Japanese – should address this issue as quickly as possible, as the bug has a high likelihood of being exploited on a large scale due to its low complexity.”
