CVE-2024-4577, also known as the PHP CGI Windows Remote Code Execution Vulnerability, is a critical vulnerability affecting the PHP CGI implementation on Windows platforms. PHP, a popular open-source server-side scripting language, uses the Common Gateway Interface (CGI) to process HTTP requests and generate dynamic web content. The vulnerability arises from PHP ignoring the "Best Fit" feature for character conversion on Windows, allowing attackers to construct malicious requests that can bypass the CVE-2012-1823 patch. This enables the execution of arbitrary PHP code without the need for authentication, granting attackers server privileges. Exploitation prerequisites include direct usage of PHP-CGI and affect systems configured in certain language families, such as Simplified Chinese, Traditional Chinese, and Japanese. The vulnerability's impact has been observed in various versions of PHP, particularly those used in the default installations of XAMPP on Windows platforms 23.
This vulnerability requires urgent attention and remediation due to its high severity and ease of exploitation. Immediate updates to the latest patched versions of PHP (8.3.8, 8.2.20, and 8.1.29) are strongly recommended to mitigate the risks associated with CVE-2024-4577 35.
The vulnerability identified as CVE-2024-4577 is rooted in PHP's CGI (Common Gateway Interface) mode. Specifically, the vulnerability arises from the CGI engine not properly escaping the soft hyphen character (0xAD). When PHP receives this character, it applies a "best fit" mapping, misinterpreting it as a real hyphen. This misinterpretation allows an attacker to inject additional arguments, leading to the execution of arbitrary code on the vulnerable system. This flaw bypasses existing protections for older vulnerabilities, such as CVE-2012-1823, allowing remote code execution on Windows servers running PHP in CGI mode, particularly in specific language configurations like Traditional Chinese, Simplified Chinese, and Japanese. This issue is exacerbated in default installations using XAMPP for Windows, which exposes the PHP binary in the CGI directory by default 23.
Risks:
Affected Manufacturers and Products: The vulnerability affects all versions of PHP on the Windows operating system configured in CGI mode. This includes:
The vulnerability is particularly impactful on XAMPP installations on Windows, as these configurations expose the PHP binary in the CGI directory by default. This makes all versions of XAMPP installations on Windows inherently vulnerable to exploitation 23.
The vulnerability CVE-2024-4577 leverages a flaw in the CGI engine of PHP on Windows servers, which fails to properly escape the soft hyphen (0xAD). This failure allows attackers to inject additional arguments, leading to remote command injection. The exploitation steps are as follows:
There are several publicly available Proof of Concept (PoC) codes for CVE-2024-4577, primarily hosted on GitHub. One such PoC executes a simple system command to demonstrate the vulnerability. Specific command lines from the PoC include:
bashpython watchTowr-vs-php_cve-2024-4577.py -c "<?php system('calc');?>" -t http://192.168.253.132/test.sina
The PoC can be accessed from this GitHub repository: watchtowrlabs/CVE-2024-4577 .
CVE-2024-4577 represents a critical vulnerability in PHP, specifically affecting Windows servers running PHP in CGI mode. It enables remote code execution by exploiting a CGI argument injection flaw. The vulnerability stems from the mismanagement of the soft hyphen (0xAD) character, facilitating unauthorized argument injection. Exploitation can occur in all PHP versions, including older and unsupported versions, especially in Traditional Chinese, Simplified Chinese, and Japanese language configurations.
Exploitation timeline:
| Exploiting Gang | Details |
|---|---|
| TellYouThePass | Actively exploiting CVE-2024-4577 since June 7, 2024, for ransomware distribution . |
An official fix for CVE-2024-4577 has been released. The PHP development team has issued updates to address this critical vulnerability. The patched versions include PHP 8.3.8, PHP 8.2.20, and PHP 8.1.29 235.
The primary method of fixing this vulnerability is to update the PHP software to one of the newly patched versions. Administrators should apply these updates urgently to mitigate the risk of exploitation. The fixed versions can be downloaded from the PHP official website. For environments where updating PHP immediately is not feasible, temporary mitigations include:
RewriteEngine On RewriteCond %{QUERY_STRING} ^%ad [NC] RewriteRule .? - [F,L]
httpd-xampp.conf file:# ScriptAlias /php-cgi/ "C:/xampp/php/"
Here are the links to the patched versions of PHP:
| PHP Version | Download Link |
|---|---|
| 8.3.8 | PHP 8.3.8 |
| 8.2.20 | PHP 8.2.20 |
| 8.1.29 | PHP 8.1.29 |
These steps should be implemented immediately to secure systems against the vulnerabilities associated with CVE-2024-4577 347.
CVE-2024-4577, also known as the PHP CGI Windows Remote Code Execution Vulnerability, is a critical vulnerability affecting the PHP CGI implementation on Windows platforms. PHP, a popular open-source server-side scripting language, uses the Common Gateway Interface (CGI) to process HTTP requests and generate dynamic web content. The vulnerability arises from PHP ignoring the "Best Fit" feature for character conversion on Windows, allowing attackers to construct malicious requests that can bypass the CVE-2012-1823 patch. This enables the execution of arbitrary PHP code without the need for authentication, granting attackers server privileges. Exploitation prerequisites include direct usage of PHP-CGI and affect systems configured in certain language families, such as Simplified Chinese, Traditional Chinese, and Japanese. The vulnerability's impact has been observed in various versions of PHP, particularly those used in the default installations of XAMPP on Windows platforms 23.
This vulnerability requires urgent attention and remediation due to its high severity and ease of exploitation. Immediate updates to the latest patched versions of PHP (8.3.8, 8.2.20, and 8.1.29) are strongly recommended to mitigate the risks associated with CVE-2024-4577 35.
The vulnerability identified as CVE-2024-4577 is rooted in PHP's CGI (Common Gateway Interface) mode. Specifically, the vulnerability arises from the CGI engine not properly escaping the soft hyphen character (0xAD). When PHP receives this character, it applies a "best fit" mapping, misinterpreting it as a real hyphen. This misinterpretation allows an attacker to inject additional arguments, leading to the execution of arbitrary code on the vulnerable system. This flaw bypasses existing protections for older vulnerabilities, such as CVE-2012-1823, allowing remote code execution on Windows servers running PHP in CGI mode, particularly in specific language configurations like Traditional Chinese, Simplified Chinese, and Japanese. This issue is exacerbated in default installations using XAMPP for Windows, which exposes the PHP binary in the CGI directory by default 23.
Risks:
Affected Manufacturers and Products: The vulnerability affects all versions of PHP on the Windows operating system configured in CGI mode. This includes:
The vulnerability is particularly impactful on XAMPP installations on Windows, as these configurations expose the PHP binary in the CGI directory by default. This makes all versions of XAMPP installations on Windows inherently vulnerable to exploitation 23.
The vulnerability CVE-2024-4577 leverages a flaw in the CGI engine of PHP on Windows servers, which fails to properly escape the soft hyphen (0xAD). This failure allows attackers to inject additional arguments, leading to remote command injection. The exploitation steps are as follows:
There are several publicly available Proof of Concept (PoC) codes for CVE-2024-4577, primarily hosted on GitHub. One such PoC executes a simple system command to demonstrate the vulnerability. Specific command lines from the PoC include:
python watchTowr-vs-php_cve-2024-4577.py -c "<?php system('calc');?>" -t http://192.168.253.132/test.sina
The PoC can be accessed from this GitHub repository: watchtowrlabs/CVE-2024-4577 .
CVE-2024-4577 represents a critical vulnerability in PHP, specifically affecting Windows servers running PHP in CGI mode. It enables remote code execution by exploiting a CGI argument injection flaw. The vulnerability stems from the mismanagement of the soft hyphen (0xAD) character, facilitating unauthorized argument injection. Exploitation can occur in all PHP versions, including older and unsupported versions, especially in Traditional Chinese, Simplified Chinese, and Japanese language configurations.
Exploitation timeline:
| Exploiting Gang | Details |
|---|---|
| TellYouThePass | Actively exploiting CVE-2024-4577 since June 7, 2024, for ransomware distribution . |
An official fix for CVE-2024-4577 has been released. The PHP development team has issued updates to address this critical vulnerability. The patched versions include PHP 8.3.8, PHP 8.2.20, and PHP 8.1.29 235.
The primary method of fixing this vulnerability is to update the PHP software to one of the newly patched versions. Administrators should apply these updates urgently to mitigate the risk of exploitation. The fixed versions can be downloaded from the PHP official website. For environments where updating PHP immediately is not feasible, temporary mitigations include:
RewriteEngine On
RewriteCond %{QUERY_STRING} ^%ad [NC]
RewriteRule .? - [F,L]
httpd-xampp.conf file:# ScriptAlias /php-cgi/ "C:/xampp/php/"
Here are the links to the patched versions of PHP:
| PHP Version | Download Link |
|---|---|
| 8.3.8 | PHP 8.3.8 |
| 8.2.20 | PHP 8.2.20 |
| 8.1.29 | PHP 8.1.29 |
These steps should be implemented immediately to secure systems against the vulnerabilities associated with CVE-2024-4577 347.
| IOC | Judge | Tags |
|---|---|---|
| watchtowr-vs-php_cve-2024-4577.py | Unknown | |
| CVE-2012-1823 | High | CVSS 9.8 | RCE | KEV | PoC Disclosure | Exp Disclosure |
| CVE-2024-4577 | High | CVSS 9.8 | RCE | KEV | PoC Disclosure |