SoylentNews
SoylentNews is people
https://soylentnews.org/

Title    Nasty Bug With Very Simple Exploit Hits PHP
Date    Sunday June 09, @04:44PM
Author    hubie
Topic   
from the cancel-your-plans-and-get-patching dept.
https://soylentnews.org/article.pl?sid=24/06/09/1358249

upstart writes:

With PoC code available and active Internet scans, speed is of the essence:

A critical vulnerability in the PHP programming language can be trivially exploited to execute malicious code on Windows devices, security researchers warned as they urged those affected to take action before the weekend starts.

Within 24 hours of the vulnerability and accompanying patch being published, researchers from the nonprofit security organization Shadowserver reported Internet scans designed to identify servers that are susceptible to attacks. That—combined with (1) the ease of exploitation, (2) the availability of proof-of-concept attack code, (3) the severity of remotely executing code on vulnerable machines, and (4) the widely used XAMPP platform being vulnerable by default—has prompted security practitioners to urge admins check to see if their PHP servers are affected before starting the weekend.

"A nasty bug with a very simple exploit—perfect for a Friday afternoon," researchers with security firm WatchTowr wrote.

CVE-2024-4577, as the vulnerability is tracked, stems from errors in the way PHP converts unicode characters into ASCII. A feature built into Windows known as Best Fit allows attackers to use a technique known as argument injection to pass user-supplied input into commands executed by an application, in this case, PHP. Exploits allow attackers to bypass CVE-2012-1823, a critical code execution vulnerability patched in PHP in 2012.

"While implementing PHP, the team did not notice the Best-Fit feature of encoding conversion within the Windows operating system," researchers with Devcore, the security firm that discovered CVE-2024-4577, wrote. "This oversight allows unauthenticated attackers to bypass the previous protection of CVE-2012-1823 by specific character sequences. Arbitrary code can be executed on remote PHP servers through the argument injection attack."

CVE-2024-4577 affects PHP only when it runs in a mode known as CGI, in which a web server parses HTTP requests and passes them to a PHP script for processing. Even when PHP isn't set to CGI mode, however, the vulnerability may still be exploitable when PHP executables such as php.exe and php-cgi.exe are in directories that are accessible by the web server. This configuration is set by default in XAMPP for Windows, making the platform vulnerable unless it has been modified.

[...] The vulnerability was discovered by Devcore researcher Orange Tsai, who said: "The bug is incredibly simple, but that's also what makes it interesting."

The Devcore writeup said that the researchers have confirmed that XAMPP is vulnerable when Windows is configured to use the locales for Traditional Chinese, Simplified Chinese, or Japanese. In Windows, a locale is a set of user preference information related to the user's language, environment, and/or cultural conventions. The researchers haven't tested other locales and have urged people using them to perform a comprehensive asset assessment to test their usage scenarios.

[...] XAMPP for Windows had yet to release a fix at the time this post went live. For admins without the need for PHP CGI, they can turn it off using the following Apache HTTP Server configuration:

C:/xampp/apache/conf/extra/httpd-xampp.conf

Locating the corresponding lines:

ScriptAlias /php-cgi/ "C:/xampp/php/"

And comment it out:

# ScriptAlias /php-cgi/ "C:/xampp/php/"

Additional analysis of the vulnerability is available here.


Original Submission

Links

  1. "upstart" - https://soylentnews.org/~upstart/
  2. "With PoC code available and active Internet scans, speed is of the essence" - https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/
  3. "reported" - https://infosec.exchange/@shadowserver/112575314920464732
  4. "XAMPP" - https://en.wikipedia.org/wiki/XAMPP
  5. "wrote" - https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/
  6. "feature" - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-ucoderef/d1980631-6401-428e-a49d-d71394be7da8
  7. "argument injection" - https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html#argument-injection
  8. "CVE-2012-1823" - https://arstechnica.com/information-technology/2014/03/php-bug-allowing-site-hijacking-still-menaces-internet-22-months-on/
  9. "wrote" - https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/
  10. "said" - https://blog.orange.tw/2024/06/cve-2024-4577-yet-another-php-rce.html
  11. "here" - https://buaq.net/go-244036.html
  12. "Original Submission" - https://soylentnews.org/submit.pl?op=viewsub&subid=62991

© Copyright 2024 - SoylentNews, All Rights Reserved

printed from SoylentNews, Nasty Bug With Very Simple Exploit Hits PHP on 2024-06-21 08:28:59