PsySH, CWD Poisoning to Arbitrary Code Execution, CVE-2024-XXXX (Critical)

Listen to this Post

PsySH, a PHP runtime developer console, automatically loads and executes a `.psysh.php` configuration file from the shell’s Current Working Directory (CWD) upon startup. This per-directory configuration feature lacks safety checks, such as verifying file or directory ownership and permissions. The vulnerability is a classic CWD poisoning attack: an attacker with write access to a directory can place a malicious `.psysh.php` file there. When a victim later starts PsySH from that same directory, the attacker’s file is automatically loaded and its PHP code is executed within the victim’s process context. This leads to arbitrary command execution. If the victim user has elevated privileges (e.g., root, a CI service account), the attacker achieves full Local Privilege Escalation (LPE). Downstream projects embedding PsySH, like Laravel Tinker (php artisan tinker), inherit this vulnerability.
Platform: PsySH / PHP
Version: <= v0.12.18
Vulnerability: Arbitrary Code Execution
Severity: Critical
date: 2024-01-28

Prediction: 2024-02-11

What Undercode Say:

echo "<?php system('id > poc.txt'); ?>" > /tmp/.psysh.php
cd /tmp
./psysh
cat poc.txt
<?php system('cat /etc/shadow'); ?>

How Exploit:

1. Attacker plants `.psysh.php`.

2. Victim starts PsySH there.

3. Malicious code auto-executes.

Protection from this CVE

Update PsySH. Remove automatic loading. Validate directory permissions. Use safe default CWD.

Impact:

Local Privilege Escalation. Root compromise. CI/CD pipeline takeover.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top