With PoC code available and active Internet scans, speed is of the essence:
A critical vulnerability in the PHP programming language can be trivially exploited to execute malicious code on Windows devices, security researchers warned as they urged those affected to take action before the weekend starts.
Within 24 hours of the vulnerability and accompanying patch being published, researchers from the nonprofit security organization Shadowserver reported Internet scans designed to identify servers that are susceptible to attacks. That—combined with (1) the ease of exploitation, (2) the availability of proof-of-concept attack code, (3) the severity of remotely executing code on vulnerable machines, and (4) the widely used XAMPP platform being vulnerable by default—has prompted security practitioners to urge admins check to see if their PHP servers are affected before starting the weekend.
"A nasty bug with a very simple exploit—perfect for a Friday afternoon," researchers with security firm WatchTowr wrote.
CVE-2024-4577, as the vulnerability is tracked, stems from errors in the way PHP converts unicode characters into ASCII. A feature built into Windows known as Best Fit allows attackers to use a technique known as argument injection to pass user-supplied input into commands executed by an application, in this case, PHP. Exploits allow attackers to bypass CVE-2012-1823, a critical code execution vulnerability patched in PHP in 2012.
"While implementing PHP, the team did not notice the Best-Fit feature of encoding conversion within the Windows operating system," researchers with Devcore, the security firm that discovered CVE-2024-4577, wrote. "This oversight allows unauthenticated attackers to bypass the previous protection of CVE-2012-1823 by specific character sequences. Arbitrary code can be executed on remote PHP servers through the argument injection attack."
CVE-2024-4577 affects PHP only when it runs in a mode known as CGI, in which a web server parses HTTP requests and passes them to a PHP script for processing. Even when PHP isn't set to CGI mode, however, the vulnerability may still be exploitable when PHP executables such as php.exe and php-cgi.exe are in directories that are accessible by the web server. This configuration is set by default in XAMPP for Windows, making the platform vulnerable unless it has been modified.
[...] The vulnerability was discovered by Devcore researcher Orange Tsai, who said: "The bug is incredibly simple, but that's also what makes it interesting."
The Devcore writeup said that the researchers have confirmed that XAMPP is vulnerable when Windows is configured to use the locales for Traditional Chinese, Simplified Chinese, or Japanese. In Windows, a locale is a set of user preference information related to the user's language, environment, and/or cultural conventions. The researchers haven't tested other locales and have urged people using them to perform a comprehensive asset assessment to test their usage scenarios.
[...] XAMPP for Windows had yet to release a fix at the time this post went live. For admins without the need for PHP CGI, they can turn it off using the following Apache HTTP Server configuration:
C:/xampp/apache/conf/extra/httpd-xampp.conf
Locating the corresponding lines:
ScriptAlias /php-cgi/ "C:/xampp/php/"
And comment it out:
# ScriptAlias /php-cgi/ "C:/xampp/php/"
Additional analysis of the vulnerability is available here.
(Score: 5, Insightful) by Rosco P. Coltrane on Sunday June 09, @05:05PM (5 children)
(Score: 3, Informative) by RedGreen on Sunday June 09, @05:14PM (4 children)
"on Windows devices"
I am shocked that it is even mentioned. With most of these things you know it is for windows when it is NOT specifically mentioned with the Linux it is always being mentioned when it applies there.
"I modded down, down, down, and the flames went higher." -- Sven Olsen
(Score: 2) by RamiK on Sunday June 09, @05:57PM (3 children)
Personally I had to do a double take on that sentence before I groked someone is running a PHP server on windows.
compiling...
(Score: 1, Insightful) by Anonymous Coward on Sunday June 09, @07:09PM (1 child)
the same type of person that is using cgi mode instead of php-fpm.
(Score: 2) by RamiK on Sunday June 09, @08:52PM
Actually it being a 90s fossil makes more sense now.
compiling...
(Score: 2) by RedGreen on Monday June 10, @12:18AM
"Personally I had to do a double take on that sentence before I groked someone is running a PHP server on windows."
There is always some idiot who will drink the coolaid no matter what is in it. You would think that with nearly half a century of experience with Microsoft Software, especially Windows, being absolute trash at security it would sink into these morons heads that nothing of any importance should be run on it. But apparently not day after day exploit after exploit them fools continue to allow that garbage serve them up to all who want to take advantage. I for one fail to see how any of them are still employed with performance like that.
"I modded down, down, down, and the flames went higher." -- Sven Olsen
(Score: 5, Informative) by drussell on Sunday June 09, @06:32PM
A more accurate, corrected headline would probably be something like:
IMHO, anyone likely to be running PHP, especially PHP via CGI on Windows likely has FAR bigger problems!!
Like, perhaps check your hair to be sure it is not already afire or flip-top head already ajar!! 🙄