
On Mon, 17 Jun 2024 10:45:57 +1200, Peter Reutemann quoted:
'The vulnerability, tracked as CVE-2024-4577 and carrying a severity rating of 9.8 out of 10, stems from errors in the way PHP converts Unicode characters into ASCII. A feature built into Windows known as Best Fit allows attackers to use a technique known as argument injection to convert user-supplied input into characters that pass malicious commands to the main PHP application.'
Just a note that this is strictly a Windows misfeature. PHP is doing checks for potentially dangerous characters in the passed parameters. But attackers can pass certain supposedly non-dangerous characters, and Windows will helpfully convert them to their dangerous equivalents--after PHP has done its checks!

Step-by-step exploit walkthrough here <https://arstechnica.com/security/2024/06/php-vulnerability-allows-attackers-to-run-malicious-code-on-windows-servers/>.

How many ways can the Windows command-line be broken? Let me count the ways <https://www.theregister.com/2024/04/10/rust_critical_vulnerability_windows/>.
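
The ordering problem described in the message above, as an added example that is not part of the original post and is not PHP's or Windows' code: a check that runs before a lossy character conversion approves a string the consumer never sees. The `BEST_FIT` table, the leading-hyphen check and all function names are constructed for illustration; real mappings depend on the active Windows code page.

```python
# Constructed stand-in for a best-fit conversion table (illustrative entries only).
BEST_FIT = {
    "\u00ad": "-",   # soft hyphen -> hyphen-minus
    "\uff02": '"',   # fullwidth quotation mark -> ASCII double quote
}


def best_fit(text):
    """Model the platform's lossy conversion to a narrow code page."""
    return "".join(BEST_FIT.get(ch, ch) for ch in text)


def looks_like_option(text):
    """Hypothetical check: treat a leading hyphen as an option marker."""
    return text.startswith("-")


def check_then_convert(arg):
    """Flawed order: validate the original, then let the platform convert it."""
    if looks_like_option(arg):
        return None                 # rejected
    return best_fit(arg)            # what the consumer actually receives


def convert_then_check(arg):
    """Corrected order: validate the exact string the consumer will see."""
    converted = best_fit(arg)
    if looks_like_option(converted):
        return None
    return converted


def needs_conversion(arg):
    """Stricter alternative: flag any input the conversion would alter."""
    return best_fit(arg) != arg


if __name__ == "__main__":
    sample = "\u00adv"              # constructed input: soft hyphen + "v"
    print(repr(check_then_convert(sample)))   # check passed, consumer sees an option
    print(repr(convert_then_check(sample)))   # rejected after conversion
    print(needs_conversion(sample))
```
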