PHP-CGI RCE via BestFit! - CVE-2024-4577
Author: hexdump
Uploaded: 2025-01-12
Views: 1827
Hi there,
In this video we take a look at CVE-2024-4577, a vulnerability discovered by the joint research of Orange Tsai and splitline.
The vulnerability affects Windows, and particularly instances of Apache that support PHP-CGI. It allows attackers to obtain RCE by introducing arbitrary arguments to the executable being called.
The vulnerability makes use of "BestFit", a character conversion mechanism implemented in Windows that handles situations where UTF-16 characters need to be converted into ANSI characters.
Specifically, the vulnerability affects Windows configurations that run with specific ANSI code pages, such as the Japanese code page. This is because during the attack the user's UTF-16 payload is transformed into ANSI bytes, and this transformation depends on the ANSI code page currently in use on the system.
During the video, the vulnerability is discussed and analyzed, and a vulnerable testbed with a PoC is showcased in order to understand how to exploit the vulnerability.
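A log check for the argument-injection pattern described above, as an added example (not from the video or its material): it flags requests whose query string would be passed to a CGI executable as command-line arguments and in which an argument starts with `-` or with a non-ASCII byte that an ANSI conversion could change. The log lines are constructed, `%FF` is a placeholder byte, and treating any leading byte >= 0x80 as suspicious is a heuristic assumption rather than the exact mapping for a given code page.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample lines in Apache access-log style (not from the page).
# %FF stands in for "some non-ASCII byte"; it is a placeholder value.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jan/2025:10:00:01 +0000] "GET /index.php?page=2&lang=ja HTTP/1.1" 200 512
203.0.113.5 - - [12/Jan/2025:10:00:02 +0000] "GET /search.php?caf%C3%A9+menu HTTP/1.1" 200 734
198.51.100.7 - - [12/Jan/2025:10:00:03 +0000] "POST /index.php?%FFx+name%3dvalue HTTP/1.1" 200 88
198.51.100.7 - - [12/Jan/2025:10:00:04 +0000] "GET /index.php?-s HTTP/1.1" 200 4096
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def suspicious_token(raw_query):
    """Return the first argv-style token that could become an option, else None."""
    # RFC 3875 section 4.4: a query string with no unencoded '=' is an "indexed"
    # query that a CGI server may split on '+' and pass as command-line arguments.
    if not raw_query or "=" in raw_query:
        return None
    for token in raw_query.split("+"):
        decoded = unquote_to_bytes(token)
        # '-' is a literal option prefix; a leading byte >= 0x80 is non-ASCII,
        # the kind of input a UTF-16 to ANSI Best-Fit conversion may rewrite.
        if decoded[:1] == b"-" or (decoded and decoded[0] >= 0x80):
            return token
    return None

def scan(log_text):
    """Return (client_ip, request_target, token) for each flagged request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        _, _, query = m.group("target").partition("?")
        token = suspicious_token(query)
        if token is not None:
            hits.append((line.split()[0], m.group("target"), token))
    return hits

if __name__ == "__main__":
    for ip, target, token in scan(SAMPLE_LOG):
        print(f"{ip} {target} suspicious token {token!r}")
```

Non-ASCII bytes in the middle of a token, as in the second sample line, are not flagged, which keeps ordinary UTF-8 search terms out of the results.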
Thank you for watching, subscribe, share this video with like minded people, and leave some feedback in the comments!
-------------------------
TIMESTAMP
00:00 Introduction
03:00 Reading the Advisory
07:20 Vulnerable testbed and PoC
11:40 Understanding WorstFit
20:25 CVE-2024-4577
23:40 Payload analysis
-------------------------
REFERENCES
Material: https://github.com/LeonardoE95/yt-en/...
Advisory: https://nvd.nist.gov/vuln/detail/cve-...
Blog post from Orange: https://blog.orange.tw/posts/2025-01-...
Slides from Orange: https://worst.fit/assets/EU-24-Tsai-W...
-------------------------
CONTACTS
Blog: https://blog.leonardotamiano.xyz/
Github: https://github.com/LeonardoE95?tab=re...
Support: https://www.paypal.com/donate/?hosted...