New PHP Vulnerability Exposes Windows Servers to Remote Code Execution

Details have emerged about a new critical security flaw impacting PHP that could be exploited to achieve remote code execution under certain circumstances.

The vulnerability, tracked as CVE-2024-4577, has been described as a CGI argument injection vulnerability affecting all versions of PHP installed on the Windows operating system.

According to DEVCORE security researchers, the shortcoming makes it possible to bypass protections put in place for another security flaw, CVE-2012-1823.

“While implementing PHP, the team did not notice the Best-Fit feature of encoding conversion within the Windows operating system,” security researcher Orange Tsai said.

“This oversight allows unauthenticated attackers to bypass the previous protection of CVE-2012-1823 by specific character sequences. Arbitrary code can be executed on remote PHP servers through the argument injection attack.”

Following responsible disclosure on May 7, 2024, a fix for the vulnerability has been made available in PHP versions 8.3.8, 8.2.20, and 8.1.29.

DEVCORE has warned that all XAMPP installations on Windows are vulnerable by default when configured to use the locales for Traditional Chinese, Simplified Chinese, or Japanese.

The Taiwanese company is also recommending that administrators move away from the outdated PHP CGI altogether and opt for a more secure solution such as Mod-PHP, FastCGI, or PHP-FPM.

“This vulnerability is incredibly simple, but that’s also what makes it interesting,” Tsai said. “Who would have thought that a patch, which has been reviewed and proven secure for the past 12 years, could be bypassed due to a minor Windows feature?”

The Shadowserver Foundation, in a post shared on X, said it has already detected exploitation attempts involving the flaw against its honeypot servers within 24 hours of public disclosure.

watchTowr Labs said it was able to devise an exploit for CVE-2024-4577 and achieve remote code execution, making it imperative that users move quickly to apply the latest patches.

“A nasty bug with a very simple exploit,” security researcher Aliz Hammond said.

“Those running in an affected configuration under one of the affected locales – Chinese (simplified, or traditional) or Japanese – are urged to do this as fast as humanely possible, as the bug has a high chance of being exploited en-mass due to the low exploit complexity.”

Update

Attack surface management company Censys said it identified about 458,800 exposures of potentially vulnerable PHP instances as of June 9, 2024, most of which are located in the U.S. and Germany. But it also noted that the number is likely an “overestimate of the true impact of this vulnerability,” given it cannot detect when CGI mode is enabled.

According to estimates shared by Wiz, 34% of cloud environments have Windows resources running vulnerable versions of PHP.

The development comes as Imperva warned of TellYouThePass ransomware actors actively exploiting the PHP flaw to deliver a .NET variant of the file-encrypting malware by means of an HTML Application (“dd3.hta”) payload.

“The initial infection is performed with the use of an HTA file (dd3.hta), which contains a malicious VBScript,” the company noted. “The VBScript contains a long base64 encoded string, which when decoded reveals bytes of a binary, which are loaded into memory during runtime.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.