Command Injection Vulnerability Discovered in PHP: CVE-2024-5585

CVE-2024-5585

A high-severity vulnerability (CVE-2024-5585) has been identified in multiple versions of PHP, the widely used server-side scripting language. This flaw, rated 7.7 on the CVSS scale, allows attackers to execute arbitrary commands on affected systems, even when proc_open()'s bypass_shell protection is enabled.

CVE-2024-5585 stems from an incomplete fix for a previous command injection vulnerability, CVE-2024-1874 (CVSS 9.4). While the original issue was addressed in part, security researcher Tianstcht discovered a bypass technique. By appending trailing spaces to command names within the proc_open() function, attackers can circumvent the intended protection and inject arbitrary commands on Windows systems.

The vulnerability arises from insufficient validation of command arguments when proc_open() is called with the array syntax. On Windows, an attacker who controls an argument can manipulate the resulting command line even when the bypass_shell option is enabled, leading to command injection.

Successful exploitation of CVE-2024-5585 could result in a full compromise of affected servers. This grants attackers the ability to execute arbitrary code, potentially leading to data exfiltration, unauthorized access, and disruption of services.

The following proof-of-concept (PoC) demonstrates the vulnerability:

  1. Save the following file as test.bat
    echo hello
  2. Save the following file as 1.php; notice the trailing space in the command name (the first element of the array)
    <?php
    // Child inherits the parent's stdin/stdout; the third entry is stderr, also sent to stdout.
    $descriptorspec = [STDIN, STDOUT, STDOUT];
    // "test.bat " (trailing space) defeats the batch-file check; the argument then reaches cmd.exe unescaped.
    $proc = proc_open(["test.bat ", "\"&notepad.exe"], $descriptorspec, $pipes, null, null, array("bypass_shell" => true));
    proc_close($proc);
  3. Run it with PHP and confirm that notepad.exe is popped up.

The following PHP versions are vulnerable:

  • 8.1.* before 8.1.29
  • 8.2.* before 8.2.20
  • 8.3.* before 8.3.8

Organizations using PHP in their web infrastructure are strongly advised to upgrade to the latest patched versions (8.1.29, 8.2.20, or 8.3.8) immediately. Additionally, administrators should review system logs for any signs of compromise and take appropriate mitigation actions.
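As an added example (not code from the advisory or from PHP itself), the following defensive wrapper refuses the pattern described above before anything is launched: command names with surrounding whitespace, cmd.exe metacharacters in arguments to batch files, and use on the PHP versions listed as vulnerable. The function names are hypothetical, and it assumes that .bat/.cmd files are started through cmd.exe, which is why their arguments get extra scrutiny.

```php
<?php
// Added example, not PHP's own code: a defensive wrapper around proc_open().
// Fixed versions are the ones the advisory lists; everything older in a branch is vulnerable.
const FIXED_VERSIONS = ['8.1' => '8.1.29', '8.2' => '8.2.20', '8.3' => '8.3.8'];

function php_version_is_vulnerable(string $version): bool
{
    if (!preg_match('/^(\d+\.\d+)\.\d+/', $version, $m)) {
        return false; // unparseable: caller decides how to treat an unknown version
    }
    return isset(FIXED_VERSIONS[$m[1]]) && version_compare($version, FIXED_VERSIONS[$m[1]], '<');
}

// Reject names the Windows loader would normalise (e.g. "test.bat " with a trailing
// space) but a naive extension check would not recognise; also reject embedded quotes.
function command_name_is_safe(string $cmd): bool
{
    return $cmd !== '' && $cmd === trim($cmd) && !preg_match('/[\x00-\x1f"]/', $cmd);
}

// Assumption: .bat/.cmd files are started through cmd.exe, whose metacharacters
// ordinary argument quoting does not neutralise, so their arguments get extra scrutiny.
function is_batch_file(string $cmd): bool
{
    $ext = strtolower(pathinfo(rtrim($cmd, " \t."), PATHINFO_EXTENSION));
    return in_array($ext, ['bat', 'cmd'], true);
}

// Hypothetical wrapper name; same parameters as proc_open(). Throws instead of running anything.
function safe_proc_open(array $command, array $descriptors, &$pipes,
                        ?string $cwd = null, ?array $env = null, array $options = [])
{
    if (php_version_is_vulnerable(PHP_VERSION)) {
        throw new RuntimeException('PHP ' . PHP_VERSION . ' is affected by CVE-2024-5585; upgrade first');
    }
    $cmd = (string) ($command[0] ?? '');
    if (!command_name_is_safe($cmd)) {
        throw new InvalidArgumentException('command name has surrounding whitespace or quotes');
    }
    if (PHP_OS_FAMILY === 'Windows' && is_batch_file($cmd)) {
        foreach (array_slice($command, 1) as $arg) {
            if (preg_match('/[&|<>^%!"\r\n]/', (string) $arg)) {
                throw new InvalidArgumentException('cmd.exe metacharacter in batch-file argument');
            }
        }
    }
    $options['bypass_shell'] = true; // stay on the non-shell path; never build a shell string
    return proc_open($command, $descriptors, $pipes, $cwd, $env, $options);
}
```

Fed the PoC's array, the wrapper rejects "test.bat " on the whitespace check alone, and would also reject the "\"&notepad.exe" argument on a patched PHP because the name resolves to a batch file.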