[2024.06 Vulnerability Report] PHP-CGI Argument Injection | Cloud-Based Platform AIONCLOUD


Vulnerability report written by the TA team by analyzing "PHP-CGI Argument Injection"


The vulnerability is an Argument Injection vulnerability in PHP-CGI running on Windows. It bypasses PHP-CGI's escape process by replacing the hyphen (-) character used in the Argument Injection attack with a soft hyphen (0xAD) character, which the "Best-Fit Mapping" feature of the Win32 API functions, which converts certain characters into different characters, turns back into a hyphen.

This vulnerability is addressed by updating PHP to version 8.1.29, 8.2.20, or 8.3.8, and our AIWAF products already detect the attack by detecting the malicious PHP code it carries.
However, additional patterns are needed for attack syntax with soft hyphens inserted, and we are in the stage of further analysis and pattern development.


1. Overview

We analyze the recent Argument Injection and Remote Code Execution vulnerabilities in Apache and PHP-CGI running on Windows.

[Figure] image source: https://portswigger.net/daily-swig/php-package-manager-component-packagist-vulnerable-to-compromise


2. Attack Type

These vulnerabilities affect certain versions of PHP-based services running on Windows, and they became a major issue when watchTowr released analysis and exploit information on them.

The PHP-CGI service parses HTTP requests and passes them to a PHP script, which basically means that a request like https://test.com/test=test, with test=test as the query string, is executed as something like php.exe cgi.php test=test.

To prevent attacks that exploit this fact to inject arbitrary commands, PHP-CGI escapes the characters used in such attacks. However, we found that when PHP-CGI runs on Windows, an attacker can bypass this escaping by using the "Best-Fit Mapping" feature of the Win32 API functions, which converts certain characters to other characters.

The strings below are call strings consisting of a real hyphen (-) character and a soft hyphen (0xAD) character. At first glance they look identical, but when the data is viewed in hexadecimal form in HxD, the difference is visible.

[Figure] A legitimate call to php.exe using a real hyphen (-) character and a malicious call using a soft hyphen (0xAD) character.

[Figure] Comparison of the two calls as verified in HxD.

Because the soft hyphen is not a real hyphen character, CGI handlers do not escape it; yet PHP can interpret it as a real hyphen because of the "Best-Fit Mapping" feature discussed earlier, which allows arbitrary command-line arguments to be inserted.

Thus, the attacker injects an argument designed to perform an RCE attack, leading to the execution of malicious PHP code, as in the request below.

POST /test.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1
Host: www.test.com
User-Agent: curl/8.3.0
Accept: */*
Content-Length: 23
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive

<?php
phpinfo();
?>
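As an added example (not code from the AIONCLOUD report, from PHP, or from watchTowr), the following Python script shows both halves of the point made above: a check that looks for the real hyphen-minus misses the soft hyphen, while a check that folds characters the way Best-Fit Mapping does sees the same query string as php-cgi options. It then runs that folded check over the request shown above as a WAF-style detector. Only the U+00AD to hyphen-minus mapping comes from the report; the rest of the mapping table, the request parsing and the sample request lines are assumptions constructed for this illustration.

```python
import urllib.parse

# Best-fit folding table. The soft hyphen (U+00AD -> '-') is the mapping
# described in the report; the fullwidth hyphen-minus is an assumed extra
# entry included to show that the fold is a table, not a single character.
BEST_FIT = {
    "\u00ad": "-",  # soft hyphen, the 0xAD byte in the request above
    "\uff0d": "-",  # fullwidth hyphen-minus (assumed additional entry)
}

# Constructed sample request lines: the first is the request-line of the
# attack shown in the report, the second a benign query for comparison.
MALICIOUS = ("POST /test.php?%ADd+allow_url_include%3d1+%ADd+"
             "auto_prepend_file%3dphp://input HTTP/1.1")
BENIGN = "GET /test.php?test=test HTTP/1.1"


def decode_query(raw_query: str) -> str:
    """Percent-decode a query string as a CGI front end would before handing
    it to php-cgi: '+' becomes a space, %XX becomes a byte. A lone %AD is not
    valid UTF-8, so fall back to Latin-1 so that it yields U+00AD."""
    data = urllib.parse.unquote_to_bytes(raw_query.replace("+", " "))
    try:
        return data.decode("utf-8")      # handles the %C2%AD (UTF-8) spelling
    except UnicodeDecodeError:
        return data.decode("latin-1")    # handles the single 0xAD byte


def best_fit(text: str) -> str:
    """Fold look-alike characters onto ASCII the way Windows best-fit mapping
    does when a Unicode command line is converted to the ANSI code page."""
    return "".join(BEST_FIT.get(ch, ch) for ch in text)


def naive_starts_with_option(arg: str) -> bool:
    """Escape-style check that only recognises the real hyphen-minus.
    This is the kind of check the soft hyphen slips past."""
    return arg.startswith("-")


def hardened_starts_with_option(arg: str) -> bool:
    """Same check after best-fit folding: the soft hyphen is now a hyphen,
    so the argument is recognised as an option before php-cgi sees it."""
    return best_fit(arg).startswith("-")


def analyze_request(request_line: str) -> dict:
    """Inspect one HTTP request line and report whether its query string,
    once decoded and best-fit folded, reads as php-cgi command-line options.
    Also lists any INI overrides passed with -d (the option used above)."""
    _method, target, _version = request_line.split(" ", 2)
    decoded = decode_query(urllib.parse.urlsplit(target).query)
    argv = best_fit(decoded).split(" ")   # CGI splits the query on '+'
    overrides = [argv[i + 1] for i, a in enumerate(argv)
                 if a == "-d" and i + 1 < len(argv)]
    return {
        "has_soft_hyphen": "\u00ad" in decoded,
        "naive_flags_option": naive_starts_with_option(decoded),
        "best_fit_flags_option": hardened_starts_with_option(decoded),
        "ini_overrides": overrides,
    }


if __name__ == "__main__":
    for line in (MALICIOUS, BENIGN):
        print(line)
        for key, value in analyze_request(line).items():
            print(f"  {key}: {value}")
```

Running the script shows the asymmetry the report describes: for the attack request the naive check returns False while the best-fit check returns True and the two -d overrides (allow_url_include=1 and auto_prepend_file=php://input) are recovered, whereas the benign request triggers neither check. A detection rule that decodes and folds the query string before matching, rather than matching on the raw bytes, is the part a WAF pattern for the soft-hyphen variant needs.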

3. Countermeasures

Fortunately, PHP quickly released patches for this vulnerability; updating PHP to version 8.1.29, 8.2.20, or 8.3.8 addresses it.

Our AIWAF product natively detects requests containing malicious PHP code with the 825: Webshell pattern, so the attack is currently being detected, but additional patterns for the soft-hyphen attack syntax are needed and are in the process of further analysis and pattern development.


4. Conclusion

The Argument Injection attack in PHP-CGI running on Windows is a simple and easy-to-exploit vulnerability, and since many organizations still use PHP-based services such as Apache, the impact is high; it is necessary to update to the latest version as soon as possible.

Our AIWAF product has developed patterns to respond to vulnerabilities in PHP-CGI, and we will continue to respond to related vulnerabilities as they are discovered.


5. References

