Barracuda Web Application Firewall

PHP-CGI Vulnerability - CVE-2024-4577

This article provides information on the recently discovered PHP-CGI Argument Injection Vulnerability CVE-2024-4577. The vulnerability allows an attacker to remotely execute code (RCE) on targeted vulnerable systems.

CVE-2024-4577

Description
The vulnerability, tracked as CVE-2024-4577, stems from errors in the way PHP converts Unicode characters into ASCII. A feature built into Windows known as Best Fit allows attackers to use a technique known as argument injection to pass user-supplied input into commands executed by an application.

Exploit

CVE-2024-4577 affects PHP only when it runs in a mode known as CGI, in which a web server parses HTTP requests and passes them to a PHP script for processing. Even when PHP is not set to CGI mode, however, the vulnerability may still be exploitable when PHP executables such as php.exe and php-cgi.exe are in directories that are accessible by the web server. This configuration is set by default in XAMPP for Windows, making the platform vulnerable unless it has been modified. The "Best-Fit" method fails to escape the soft-hyphen (with the Unicode value 0xAD), and instead converts it to an unescaped regular hyphen (0x2D), a character that is instrumental in many code syntaxes.

Mitigation

By default, the pattern "php://" mentioned in the POC can be blocked by enabling "Remote File Inclusion" in Parameter Protection.

Barracuda WAF Manual Mitigation Configuration:

  1. Go to the ADVANCED > Libraries page, Attack Types section.

    1. Create a new attack group and add the pattern with the "\xAD" regex.

  2. Go to the SECURITY POLICIES > Parameter Protection page, and select the pattern you created under Custom Blocked Attack Types.
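
A log-review counterpart to the two WAF patterns above, as an added example that is not Barracuda's code: it percent-decodes each request's query string and flags the 0xAD byte and the "php://" scheme. The access-log layout, the sample entries and all function names are assumptions made for the illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Request line of a common/combined-format access log entry (assumed layout).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def decode_fully(raw, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%25AD) is also seen."""
    data = raw.encode("utf-8", "surrogateescape")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return data

def classify(line):
    """Return which of the page's two blocked patterns occur in the query string."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = decode_fully(m.group("target").partition("?")[2])
    hits = []
    if b"\xad" in query:              # the "\xAD" custom pattern
        hits.append("byte-0xAD")
    if b"php://" in query.lower():    # the "php://" pattern
        hits.append("php-wrapper")
    return hits

# Constructed sample entries (documentation addresses, placeholder parameters).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jun/2024:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '192.0.2.11 - - [10/Jun/2024:10:00:02 +0000] "POST /index.php?%ADx+y HTTP/1.1" 200 0',
    '192.0.2.12 - - [10/Jun/2024:10:00:03 +0000] "GET /index.php?q=%25ADx HTTP/1.1" 403 0',
    '192.0.2.13 - - [10/Jun/2024:10:00:04 +0000] "GET /view.php?file=PHP%3A%2F%2Fexample HTTP/1.1" 403 0',
    # Benign UTF-8 text: "í" encodes as C3 AD, so it contains the 0xAD byte too.
    '192.0.2.14 - - [10/Jun/2024:10:00:05 +0000] "GET /search.php?name=Mar%C3%ADa HTTP/1.1" 200 90',
]

def scan(lines):
    """Map 1-based line numbers to their hits, skipping clean lines."""
    found = ((n, classify(line)) for n, line in enumerate(lines, 1))
    return {n: hits for n, hits in found if hits}

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(hits)}")
```

Entry 5 shows that a byte-level match on 0xAD also fires on ordinary UTF-8 text, so test the custom pattern against legitimate non-ASCII traffic before enforcing it.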

Links:

https://nvd.nist.gov/vuln/detail/CVE-2024-4577
https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/
https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/