CVE-2024-5585
📋 TL;DR
This vulnerability allows command injection on Windows systems when PHP's proc_open() is called with the array form of its command parameter and the command is a batch file (.bat or .cmd), whose arguments Windows hands to cmd.exe. The fix for CVE-2024-1874 added cmd.exe-specific escaping for such commands but recognised them by file extension; a command name with trailing spaces (for example "tool.bat ") slips past that check while Windows still runs it through cmd.exe, so attacker-controlled arguments are again interpreted by the shell. Affects PHP applications running on Windows that pass user-controlled input to proc_open(); the injection is remotely reachable wherever that input comes from a request.
💻 Affected Systems
- PHP
📦 What is this software?
- PHP by PHP (the interpreter itself; the bug is in the Windows build's proc_open() handling)
- Fedora by Fedoraproject (distribution packages of PHP)
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary command execution on the Windows host with the privileges of the PHP worker (for example the account running php-cgi.exe under IIS FastCGI or the Apache service account), potentially leading to data theft, ransomware deployment, or complete system takeover.
Likely Case
Limited command execution within the PHP process context, potentially allowing file system access, data exfiltration, or lateral movement within the network.
If Mitigated
No impact if the application never passes user-controlled data to proc_open(), or never runs batch files through it. Note that application-side escaping alone is not a reliable mitigation here: the flaw is in PHP's own escaping of batch-file arguments, so allowlist validation of the input is the control that actually holds.
🎯 Exploit Status
Exploitation requires user-controlled input passed to proc_open() arguments. Public proof-of-concept available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: PHP 8.1.29, 8.2.20, 8.3.8
Vendor Advisory: https://github.com/php/php-src/security/advisories/GHSA-9fcc-425m-g385
Restart Required: Yes
Instructions:
1. Identify the PHP version with 'php -v'.
2. Upgrade to the patched release for your branch: PHP 8.1.29, 8.2.20, or 8.3.8.
3. Restart the web server or FastCGI/PHP worker processes so the new binary is loaded.
4. Test application functionality.
🔧 Temporary Workarounds
Input Validation and Sanitization
Validate every user-supplied value against a strict allowlist (for example letters, digits, dot, dash and underscore only) before it reaches proc_open(); reject, rather than escape, anything else, because the vulnerable code path is PHP's own escaping.
Avoid proc_open() with User Input
Refactor code so that proc_open() never receives user-controlled arguments, and prefer invoking .exe binaries directly over .bat/.cmd wrappers, since batch files are what route the arguments through cmd.exe.
🧯 If You Can't Patch
- Implement strict allowlist validation for all arguments passed to proc_open(), and refuse command names that resolve to .bat or .cmd files (strip trailing spaces and dots before checking the extension, since that is exactly what the bypass relies on)
- The bug is specific to PHP's Windows-only proc_open() handling; PHP on Linux or other platforms is not affected, so moving the affected workload off Windows removes the exposure
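The following is an added example, not code from the PHP project or from the advisory: a wrapper around proc_open() that applies the workarounds above on a Windows host that cannot yet upgrade. It checks whether the runtime is an affected version, refuses batch files even when the name carries the trailing spaces that defeated the CVE-2024-1874 check, and allowlists argument characters. The class name, the SAFE_ARG pattern, the tool path and the request parameter are this example's own assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not from the PHP project). Names and paths are assumptions.
final class GuardedProcess
{
    // First fixed release per branch, from the advisory. Branches not listed
    // here (8.0 and older) were end-of-life and received no fix.
    private const FIXED = ['8.1' => '8.1.29', '8.2' => '8.2.20', '8.3' => '8.3.8'];

    // Allowed argument characters (assumption: tighten to what your tool needs).
    private const SAFE_ARG = '/\A[A-Za-z0-9._\-\/:=]{1,255}\z/';

    /** True when this runtime is a Windows PHP older than its branch's fix. */
    public static function runtimeIsVulnerable(string $version = PHP_VERSION,
                                               string $os = PHP_OS_FAMILY): bool
    {
        if ($os !== 'Windows') {
            return false;   // the bug lives in the Windows-only cmd.exe escaping path
        }
        $branch = implode('.', array_slice(explode('.', $version), 0, 2));
        $fixed  = self::FIXED[$branch] ?? null;
        if ($fixed === null) {
            // 8.4+ shipped after the fix; anything older and unlisted is EOL and unpatched.
            return version_compare($version, '8.4.0', '<');
        }
        return version_compare($version, $fixed, '<');
    }

    /** Detects .bat/.cmd even when the name carries trailing spaces or dots. */
    public static function isBatchFile(string $command): bool
    {
        // Windows strips trailing spaces and dots when resolving a path, so
        // "tool.bat " still runs as a batch file; the CVE-2024-5585 bypass relied
        // on an extension check that saw "bat " instead of "bat". Normalise first.
        $normalized = rtrim($command, " .\t");
        $ext = strtolower(pathinfo($normalized, PATHINFO_EXTENSION));
        return in_array($ext, ['bat', 'cmd'], true);
    }

    public static function isSafeArg(string $arg): bool
    {
        return preg_match(self::SAFE_ARG, $arg) === 1;
    }

    /** Runs $command with $args via the array form of proc_open() and returns stdout. */
    public static function run(string $command, array $args): string
    {
        if (self::runtimeIsVulnerable()) {
            error_log('PHP ' . PHP_VERSION . ' on Windows is affected by CVE-2024-5585; guards active');
        }
        if (self::isBatchFile($command)) {
            throw new InvalidArgumentException('batch files are not allowed: ' . $command);
        }
        foreach ($args as $arg) {
            if (!is_string($arg) || !self::isSafeArg($arg)) {
                throw new InvalidArgumentException('rejected argument: ' . var_export($arg, true));
            }
        }
        $descriptors = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
        $cmdline = array_merge([rtrim($command, " .\t")], array_values($args));
        $proc = proc_open($cmdline, $descriptors, $pipes);
        if (!is_resource($proc)) {
            throw new RuntimeException('proc_open failed for ' . $command);
        }
        fclose($pipes[0]);
        $stdout = stream_get_contents($pipes[1]);
        $stderr = stream_get_contents($pipes[2]);
        fclose($pipes[1]);
        fclose($pipes[2]);
        $status = proc_close($proc);
        if ($status !== 0) {
            throw new RuntimeException("command exited with status $status: $stderr");
        }
        return $stdout;
    }
}

// Usage with a constructed request parameter and an assumed .exe tool path.
$userFile = $_GET['file'] ?? 'report.txt';
try {
    echo GuardedProcess::run('C:\\tools\\convert.exe', ['--input', $userFile]);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'invalid request';
}
```

With this wrapper, GuardedProcess::isBatchFile('C:\\app\\tool.bat ') returns true, so the call is refused before proc_open() ever sees the trailing-space name; a value such as "report.txt & whoami" fails the argument allowlist for the same reason. The wrapper is a stop-gap for unpatched hosts and does not replace upgrading.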
🔍 How to Verify
Check if Vulnerable:
You are exposed if all three hold: PHP runs on Windows, its version is older than the fixed release for its branch, and the application passes user-controlled values to proc_open() (in practice, as arguments to a .bat or .cmd command). Search the code base for proc_open( to enumerate call sites.
Check Version:
php -v
Verify Fix Applied:
Verify PHP version is 8.1.29, 8.2.20, or 8.3.8 or higher
📡 Detection & Monitoring
Log Indicators:
- cmd.exe launched as a child of php.exe or php-cgi.exe (Windows runs .bat/.cmd files through cmd.exe, so this is the signature of a batch invocation from PHP)
- Suspicious command-line arguments in process-creation logs, in particular cmd.exe metacharacters (&, |, <, >, ^, %) inside the arguments of a batch file
- PHP warnings from proc_open() in the PHP error log, or web requests whose parameters contain those metacharacters
Network Indicators:
- Outbound connections from PHP processes to unexpected destinations
- Command and control traffic patterns
SIEM Query:
Process creation (Sysmon Event ID 1 or Windows Security 4688) where the parent image is php.exe, php-cgi.exe or php-win.exe AND (the child image is cmd.exe OR the command line contains any of the characters & | < > ^ %)
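As an added example that is not part of the original page, here is the query above as code run over constructed process-creation records. The records are JSON lines with the Sysmon Event ID 1 field names ParentImage, Image and CommandLine; the three sample lines, the class name and the list of expected child binaries are this example's own assumptions, so map them to your own export before use.

```php
<?php
declare(strict_types=1);

// Added example (not from the page or any vendor). Sample records are constructed.
final class ProcOpenDetector
{
    // Windows PHP runtimes whose children we care about.
    private const PHP_PARENTS = ['php.exe', 'php-cgi.exe', 'php-win.exe'];
    // Binaries the application is known to launch via proc_open() (assumption).
    private const EXPECTED_CHILDREN = ['convert.exe'];
    // cmd.exe metacharacters that chain, pipe, redirect or expand variables.
    private const META = '/[&|<>^%]/';

    private static function baseName(string $path): string
    {
        // Sysmon paths use backslashes; make basename() portable off Windows too.
        return strtolower(basename(str_replace('\\', '/', $path)));
    }

    /** Returns the reasons a record is suspicious; an empty array means benign. */
    public static function reasons(array $rec): array
    {
        $parent = self::baseName($rec['ParentImage'] ?? '');
        $image  = self::baseName($rec['Image'] ?? '');
        $cmd    = $rec['CommandLine'] ?? '';
        if (!in_array($parent, self::PHP_PARENTS, true)) {
            return [];  // only children of the PHP runtime are in scope
        }
        $why = [];
        if ($image === 'cmd.exe') {
            $why[] = 'cmd.exe spawned by PHP (how Windows runs .bat/.cmd files)';
        } elseif (!in_array($image, self::EXPECTED_CHILDREN, true)) {
            $why[] = 'unexpected child process of PHP: ' . $image;
        }
        if (preg_match(self::META, $cmd) === 1) {
            $why[] = 'cmd.exe metacharacter in command line';
        }
        return $why;
    }

    /** @return array<int, array{line: string, reasons: string[]}> */
    public static function scan(string $jsonLines): array
    {
        $hits = [];
        foreach (preg_split('/\R/', trim($jsonLines)) as $line) {
            $rec = json_decode($line, true);
            if (!is_array($rec)) {
                continue;   // skip malformed records rather than fail the whole scan
            }
            $reasons = self::reasons($rec);
            if ($reasons !== []) {
                $hits[] = ['line' => $line, 'reasons' => $reasons];
            }
        }
        return $hits;
    }
}

// Constructed sample: a legitimate convert.exe call, a batch file invoked with
// the trailing-space name and an injected argument, and an unrelated cmd.exe.
const SAMPLE_LOG = <<<'LOG'
{"ParentImage":"C:\\php\\php-cgi.exe","Image":"C:\\tools\\convert.exe","CommandLine":"\"C:\\tools\\convert.exe\" --input report.txt"}
{"ParentImage":"C:\\php\\php-cgi.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c \"C:\\app\\tool.bat \" \"report.txt & whoami\""}
{"ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c dir"}
LOG;

foreach (ProcOpenDetector::scan(SAMPLE_LOG) as $hit) {
    echo $hit['line'], PHP_EOL, '  -> ', implode('; ', $hit['reasons']), PHP_EOL;
}
```

Only the second record is reported, with both reasons; the first is an expected child and the third has no PHP parent. Scoping on the parent image first keeps the metacharacter rule from firing on every cmd.exe on the host.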
🔗 References
- http://www.openwall.com/lists/oss-security/2024/06/07/1
- https://github.com/php/php-src/security/advisories/GHSA-9fcc-425m-g385
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PKGTQUOA2NTZ3RXN22CSAUJPIRUYRB4B/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W45DBOH56NQDRTOM2DN2LNA2FZIMC3PK/
- https://security.netapp.com/advisory/ntap-20240726-0002/
- https://www.vicarius.io/vsociety/posts/command-injection-vulnerability-in-php-on-windows-systems-cve-2024-1874-and-cve-2024-5585