Critical PHP Flaw CVE-2024-4577 Exposes Millions of Windows Servers to RCE Attacks
Critical PHP Vulnerability CVE-2024-4577 Threatens Millions of Windows Servers with Remote Code Execution
Researchers at cybersecurity firm DEVCORE have discovered a critical remote code execution (RCE) vulnerability, identified as CVE-2024-4577, in the PHP programming language. This flaw, affecting PHP version 5.x and earlier, potentially impacts millions of servers worldwide, allowing unauthenticated attackers to gain full control over affected systems.
PHP, an open-source scripting language widely used in web development, has a significant user base, making this vulnerability particularly concerning. According to DEVCORE’s advisory, the issue stems from the implementation of PHP on Windows, where the Best-Fit feature of encoding conversion was overlooked. This oversight permits attackers to bypass previous protections against CVE-2012-1823 using specific character sequences, leading to arbitrary code execution on remote PHP servers through an argument injection attack.
See Also: So, you want to be a hacker?
Offensive Security, Bug Bounty Courses
Discover your weakest link. Be proactive, not reactive. Cybercriminals need just one flaw to strike.
The vulnerability was reported to the PHP development team by DEVCORE researcher Orange Tsai on May 7, 2024. A patched version addressing the issue was released on June 6, 2024. However, the disclosure of the vulnerability and the availability of proof-of-concept (PoC) exploit code have prompted multiple malicious actors to attempt exploitation, as observed by researchers from Shadowserver and GreyNoise.
Shadowserver reported detecting multiple IPs testing the PHP/PHP-CGI CVE-2024-4577 vulnerability against its honeypot sensors beginning June 7th. GreyNoise also confirmed malicious attempts to exploit this vulnerability.
The advisory specifies that the vulnerability allows unauthorized attackers to execute arbitrary code on remote servers running Windows in the following locales:
- Traditional Chinese (Code Page 950)
- Simplified Chinese (Code Page 936)
- Japanese (Code Page 932)
Trending: Offensive Security Tool: PingRAT
For Windows running in other locales, such as English, Korean, and Western European, the wide range of PHP usage scenarios makes it challenging to fully enumerate and mitigate all potential exploitation methods. Consequently, users are advised to conduct comprehensive asset assessments, verify their usage scenarios, and update PHP to the latest version to ensure security.
XAMPP users are particularly vulnerable due to a default configuration that exposes the PHP binary. Although XAMPP has not yet released an update for this vulnerability, DEVCORE has provided mitigation instructions.
Administrators should apply a mod_rewrite rule to block attacks:
RewriteEngine OnRewriteCond %{QUERY_STRING} ^%ad [NC]RewriteRule .? – [F,L]
Additionally, XAMPP users should comment out the ‘ScriptAlias’ directive in the Apache configuration file (C:/xampp/apache/conf/extra/httpd-xampp.conf).
DEVCORE strongly recommends all users upgrade to the latest PHP versions: 8.3.8, 8.2.20, and 8.1.29. Despite these updates, the advisory suggests evaluating the transition to more secure architectures such as Mod-PHP, FastCGI, or PHP-FPM, given the outdated and problematic nature of PHP CGI.
Are u a security researcher? Or a company that writes articles about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing? If you want to express your idea in an article contact us here for a quote: [email protected]
Source: securityaffairs.com
Recent News
Offensive Security & Ethical Hacking Course
Begin the learning curve of hacking now!
Information Security Solutions
Find out how Pentesting Services can help you.
