PHP CGI Module Vulnerability Allows Malicious User to Reveal Source Code and Run Arbitrary PHP Code on Server
CVE-2024-4577
Key Information
- Vendor
- PHP Group
- Status
- PHP
- Vendor
- CVE Published:
- 9 June 2024
Badges
What is CVE-2024-4577?
CVE-2024-4577 is a vulnerability affecting the PHP CGI module used in conjunction with Apache on Windows systems. This vulnerability is present in specific versions of PHP, wherein a misinterpretation of command-line arguments can allow a malicious user to manipulate the PHP binary. Consequently, an attacker could disclose sensitive source code and execute arbitrary PHP code on the server. This issue is significant because it impacts widely deployed PHP applications, which are integral to many web infrastructures, making organizations vulnerable to severe security breaches.
Technical Details
The vulnerability arises from PHP versions 8.1.* prior to 8.1.29, 8.2.* prior to 8.2.20, and 8.3.* prior to 8.3.8. When running PHP-CGI on Windows with certain code page configurations, PHP may employ "Best-Fit" character replacement when passing arguments to Win32 API functions. This behavior can lead to the PHP CGI module incorrectly interpreting these characters as valid PHP options, creating a pathway for attackers to inject malicious options into the PHP command line. This flaw can enable unauthorized access and manipulation of server-side PHP applications.
Impact of the Vulnerability
-
Source Code Disclosure: Attackers can use this vulnerability to reveal the internal source code of PHP scripts, potentially leading to further exploitation of sensitive information, including database credentials and private algorithms.
-
Remote Code Execution: By executing arbitrary PHP code on the server, attackers can take control of the web server, leading to a complete compromise of the system, unauthorized access to data, and potential lateral movement within the network.
-
Increased Attack Surface: The existence of this vulnerability increases the attack surface for web applications using vulnerable PHP versions, potentially leading to data breaches and exploitation by ransomware groups who may leverage this access for financial gain.
CISA Reported
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2024-4577 as being exploited and is known by the CISA as enabling ransomware campaigns.
The CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
PHP <= 8.1.*
PHP < 8.1.29
PHP < 8.2.20
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
cyfirmaCVE-2024-4577PHP CGI Argument Injection (CVE-2024-4577)- Vulnerability Analysis and Exploitation - CYFIRMA
Published On : 2024-07-08 EXECUTIVE SUMMARY CVE-2024-4577 is a critical PHP CGI vulnerability that allows for argument injection leading to remote code execution. The vulnerability is particularly...
1 month ago
@SecurelistAnalyzing the vulnerability landscape in Q2 2024
The report contains statistics on vulnerabilities and exploits, with an analysis of interesting vulnerabilities found in Q2 2024.
4 months ago
Hackers use PHP exploit to backdoor Windows systems with new malware
Unknown attackers have deployed a newly discovered backdoor dubbed Msupedge on a university's Windows systems in Taiwan, likely by exploiting a recently patched PHP remote code execution vulnerability (CVE-2024-4577).
4 months ago
Refferences
EPSS Score
95% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- 🔴
Public PoC available
- 😈
Used in Ransomware
CISA Reported
- 🔥
Vulnerability reached the number 1 worldwide trending spot
Vulnerability started trending
Vulnerability published
- 👾
Exploit known to exist
First article discovered by Heise Online
Vulnerability Reserved