Hsinchu, Taiwan – Jun 19, 2024 – The famous cybersecurity researcher from Taiwan, Orange Tsai, has discovered a critical PHP vulnerability, CVE-2024-4577, affecting numerous systems across Asia. This vulnerability is particularly significant for MS-Windows environments configured with Traditional Chinese (Code Page 950), Simplified Chinese (Code Page 936), and Japanese (Code Page 932) locales. When PHP is configured as CGI in these locales, the vulnerability could potentially allow remote code execution, posing a significant threat.
The PHP team promptly addressed this vulnerability by releasing new versions before CVE-2024-4577 was publicly disclosed. However, many organizations have yet to upgrade their PHP versions, leaving their systems vulnerable to exploitation. Cyber-criminals have developed automated programs to exploit CVE-2024-4577 and have detected unpatched PHP installations throughout Asian countries.
To develop PHP-based web applications, you usually need to set up a web server, PHP, and a database. However, installing and configuring these components can be quite complex. That’s why there are convenient open-source projects like XAMPP, which integrate Apache Web Server, MariaDB, PHP, and Perl. With a single installation, all four software packages are installed and configured, ready for use. XAMPP is very popular in MS-Windows environments. But the default configuration of XAMPP is vulnerable to attacks exploiting CVE-2024-4577. Other PHP installations on MS-Windows systems in Asia may also be vulnerable. Consequently, this vulnerability has a significant impact.
The existing anti-intrusion rules of Lionic can effectively addressing the CVE-2024-4577 vulnerability without requiring any modifications. Below is the monitoring status of CVE-2024-4577 from Lionic Corp.
After the publication of CVE-2024-4577, the activation of anti-intrusion rules designed to address this vulnerability has increased significantly.
Proof of Concept
Previously, CVE-2012-1823 and several other vulnerabilities addressed issues related to improper PHP options when used in CGI mode.
For example, the “-s” option in PHP command line outputs HTML syntax highlighted source code. Before CVE-2012-1823, the following URL would display the source code of “index.php” instead of executing it:
http://www.example.com/index.php?-s
To resolve this, CVE-2012-1823 was reported, and PHP was modified to reject hyphen “-” options in CGI mode.
However, due to MS-Windows using the Best-Fit method for converting Unicode to ASCII, CVE-2024-4577 discovered a security hole allowing the hyphen “-” to be conveyed. Specifically, the ASCII value of the hyphen “-” is 0x2D. Remarkably, 0xAD is interpreted as 0x2D in this context but is not rejected by PHP.
This reintroduces previous vulnerabilities, enabling various exploits. For instance, the following trick uses an HTTP POST request to execute the popular MS-Windows command “dir” remotely:
POST /index.php?%add+allow_url_include%3don+%add+auto_prepend_file%3dphp%3a//input HTTP/1.1
Host: example.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 31
<?php echo shell_exec("dir"); ?>
As you can see, cyber-criminals can replace the unharmful “dir” command as other harmful commands.
Lionic Actions
As of now, Lionic’s current anti-intrusion rules are capable of identifying CVE-2024-4577. The following is the partial list of anti-intrusion rules related to this vulnerability.
| Rule ID | Description |
|---|---|
| 8101535 | PHP-CGI Query String Parameter Injection |
| … | … |
Conclusion
For MS-Windows systems using other locales, such as English, Korean, and Western European, the wide range of PHP usage scenarios makes it challenging to identify and mitigate all potential exploitation paths. It’s possible that CVE-2024-4577 and other undiscovered vulnerabilities may still be present in these locales. To ensure maximum protection, it is strongly advised to upgrade PHP to the latest available version, which includes the most recent security fixes and improvements.
Updating software to the latest version is always the best method for fixing vulnerabilities. However, Lionic offers the Pico-UTM, Tera-UTM and Dual Ark-UTM equipped with the latest signatures as a “Virtual Bug Fix” solution. These network security products allow users to stay protected while taking the necessary time to patch their systems.
It is crucial for network administrators to take cybersecurity seriously and stay informed about vulnerabilities in their systems. Network administrators who want to protect their servers without the constant worry of fixing vulnerabilities can adopt Lionic security products for robust and timely protection.
References:
- “Security Alert: CVE-2024-4577 - PHP CGI Argument Injection Vulnerability”, https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/
- “CVE-2024-4577”, https://nvd.nist.gov/vuln/detail/CVE-2024-4577
About Lionic Corp.
Lionic Corporation is recognized globally as a leader in advanced Deep Packet Inspection (DPI) solutions. The technology suite includes a state-of-the-art DPI engine and comprehensive software application modules. The Security modules cover Anti-Virus, Anti-Intrusion and Anti-WebThreat, while the Content Management modules focus on application and device identification, application-based quality of service (QoS), web content filtering and parental control. Lionic’s offerings in security and content management, along with cloud-based scanning services and signature subscription services, are deployed extensively worldwide.
