Devcore announced a critical remote code execution (RCE) vulnerability in PHP, designated CVE-2024-4577. This flaw affects all PHP versions from 5.x onward running on Windows servers, making it a significant concern due to PHP’s widespread use. This vulnerability stems from mishandling character encoding conversions, particularly affecting systems using certain code pages for languages like Chinese or Japanese. As the implications of this flaw continue to unfold, it is vital for organizations to understand the risk and implement necessary measures to safeguard their environments. In this advisory, we delve into the details of CVE-2024-4577, its potential impacts, and the steps you can take to protect your systems.
CVE-2024-4577 is a critical remote code execution (RCE) vulnerability in PHP that was announced by Devcore on 6 June 2024. This vulnerability affects all PHP versions, 5.x and on, running on Windows servers. The ubiquity of PHP makes vulnerabilities like this problematic: it is used on well over 70% of websites and touches a great deal of other code, including various SQL implementations, content management systems, and HTML. It has been around long enough to have plenty of users and documentation, with the added benefit of being a relatively lightweight and flexible language. One of the main cautions for those concerned is to understand where and how PHP is being used, including any dependencies on specific versions or implementations of web applications; this should be part of the risk mitigation process.
This vulnerability occurs due to a mishandling of character encoding conversions, specifically the “Best-Fit” feature on Windows when PHP operates in Common Gateway Interface (CGI) mode. It affects systems set up to use certain character code pages for languages like Chinese or Japanese; however, there are concerns that it could affect more implementations globally. Because of how PHP handles some characters, attackers can force servers to execute unwanted commands via a simple web request.
When using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use “Best-Fit” behavior to replace characters in the command line given to Win32 API functions. The PHP CGI module may misinterpret these characters as PHP options, allowing a malicious user to pass options to the PHP binary being run.
Exploiting this vulnerability can lead to various consequences, such as revealing the source code of scripts, running arbitrary PHP code on the server, and more. The impact severity is rated as critical, with high confidentiality, integrity, and availability impacts.
Further complicating matters, Imperva released additional research tying the “TellYouThePass” ransomware group to this exploit as of 10 June 2024. TellYouThePass has been active since 2019 and, by all accounts, has recently been using Go to enhance the ransomware’s effectiveness across multiple operating systems. The group operates with a traditional ransomware model, using data encryption as the extortion method, and, unlike many contemporary ransomware actors, does not run a public shaming blog. TellYouThePass has also used other recent exploits to some effect, such as those targeting Log4j and other known vulnerabilities.
Based on the work by researchers at WatchTowr, the proof-of-concept (PoC) illustrated on GitHub is trivial and consists of one line of code sent via a web request:
Bitdefender telemetry echoes findings from other researchers, with mass internet scanning showing a major uptick on 7 June 2024, a day after the vulnerability was made public. Since 8 June, scanning has increased further, likely as a result of attackers and researchers alike trying to understand the scope of the vulnerability. Censys reports over 450,000 potentially vulnerable instances; results on Shodan indicate similarly dire numbers, especially with multiple vulnerable versions observed in sample data.
Bitdefender threat research confirms other industry reporting, and our Labs team has observed several unique campaigns using various attacks post-exploitation. Of these attacks, all have used the same method to obtain remote code execution (RCE) as the public PoC, and have injected the following arguments into the PHP command line:
Once inside, attackers performed various discovery techniques to reconnoiter the environment. Post-exploitation, attackers were able to run several PowerShell scripts that shut down the firewall and other web services, which allowed them to essentially redeploy a victim server as a malicious web server. Sideloaded DLLs injected malicious processes into affected systems that allowed for credential capture and remote command-and-control (C2). This process could continue across multiple servers, as downloaded malware went on to spread to further vulnerable hosts. These indicators are included in the table below.
In one case, attackers were observed using scripts within cmd.exe to download additional malware via certutil.exe from hxxp://147[.]50[.]253[.]109:35411. This malware has been seen previously on VirusTotal associated with other IP addresses and file names, indicating possible reuse from other commodity malware campaigns. Other attacks involved a variety of post-exploitation actions, such as deploying an open-source attacker framework known as RingQ, as well as CobaltStrike. Bitdefender Labs also observed Trojans written in Rust, along with deployments of backdoors written in Go, Powercat, and PowerShell. These indicators are included in the table below.
Based on observations of community detections of these indicators on sites like VirusTotal, attackers are probably attempting to evade detection by filename alone, or multiple attackers are writing their own playbooks to further obscure activity, or a combination of these. Attackers often use a variety of naming conventions for .bat, .dll, and .exe files, which may consist of intentional typos that resemble legitimate system files at first glance, or random strings of alphanumeric characters that may change with each attack. Because of this, higher-fidelity indicators such as URLs, hashes, and IP addresses have been included in the table below.
As of this reporting, Bitdefender has observed detections for activity associated with exploits of CVE-2024-4577. Furthermore, multiple IP addresses were detected scanning for vulnerable servers. The PHP development team has released patches to address this vulnerability.
1. Users are advised to upgrade to the latest PHP patch versions – PHP 8.3.8, PHP 8.2.20, and PHP 8.1.29, which include patches for this vulnerability. Any versions before these should be considered vulnerable, especially branches no longer supported, such as PHP 8.0, PHP 7, and PHP 5.
2. Devcore states that CGI implementations can be problematic due to their age, and further recommends evaluating more secure architectures such as Mod-PHP, FastCGI, or PHP-FPM.
3. Devcore added a disclaimer regarding language settings: “For Windows running in other locales such as English, Korean, and Western European, due to the wide range of PHP usage scenarios, it is currently not possible to completely enumerate and eliminate all potential exploitation scenarios. Therefore, it is recommended that users conduct a comprehensive asset assessment, verify their usage scenarios, and update PHP to the latest version to ensure security.”
4. For systems that cannot be upgraded, temporary measures include:
a. Blocking attacks via rewrite rules – specific rewrite rules can block attacks such as the following:
b. Configuration adjustments for XAMPP users: commenting out the ScriptAlias directive in httpd-xampp.conf (typically at ‘C:/xampp/apache/conf/extra/httpd-xampp.conf’).
5. Since several campaigns have been using PowerShell, organizations should consider limiting the use of PowerShell within the environment to only privileged users such as administrators.
6. For Bitdefender Intellizone users, additional information can be found here: https://intellizone.bitdefender.com/en/threat-search/threats/BDt5b2507l
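The following inventory check is an added example (it is not Bitdefender's or Devcore's tooling) that turns recommendations 1 to 4 above into a per-host verdict. It assumes the inventory records, for each host, the `php -v` banner, how PHP is invoked (a constructed label: `cgi`, `mod_php`, `fastcgi` or `fpm`) and the Windows ANSI code page; the mapping of code pages 932, 936 and 950 to Japanese, Simplified and Traditional Chinese is an assumption not stated on the page, and any other locale is deliberately not treated as safe, following Devcore's disclaimer. The hosts listed are constructed sample data.

```python
import re
from typing import NamedTuple, Optional

# Fixed releases named in the advisory; anything below these on the same
# branch is vulnerable, and branches with no entry have no fix at all.
FIXED_VERSIONS = {(8, 3): (8, 3, 8), (8, 2): (8, 2, 20), (8, 1): (8, 1, 29)}

# Assumption (not from the page): Windows ANSI code pages for the locales the
# advisory names. 932 = Japanese, 936 = Simplified Chinese, 950 = Traditional Chinese.
KNOWN_AFFECTED_CODEPAGES = {932, 936, 950}


class Host(NamedTuple):
    name: str
    php_banner: str          # first line of `php -v`, or a bare version string
    invocation: str          # inventory label (assumed): "cgi", "mod_php", "fastcgi", "fpm"
    codepage: Optional[int]  # Windows ANSI code page (e.g. from `chcp`), None if unknown


def parse_version(text: str):
    """Return (major, minor, patch) from a `php -v` banner or version string."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def version_is_patched(version) -> bool:
    """True only if the version is on a supported branch at or above the fixed release."""
    major, minor, _ = version
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        # Unsupported branch (8.0, 7.x, 5.x): no patch exists, treat as vulnerable.
        return False
    return version >= fixed


def assess(host: Host):
    """Return (verdict, reason) for one host, following the advisory's guidance."""
    version = parse_version(host.php_banner)
    if version is None:
        return "unknown", "could not parse PHP version; inventory manually"
    ver = ".".join(map(str, version))
    if version_is_patched(version):
        return "patched", f"PHP {ver} includes the fix"
    if host.invocation != "cgi":
        return "upgrade", f"PHP {ver} is vulnerable but not run as CGI; upgrade anyway"
    if host.codepage in KNOWN_AFFECTED_CODEPAGES:
        return "vulnerable", f"PHP {ver} as CGI on code page {host.codepage}; patch or mitigate now"
    # Devcore: other locales cannot be fully enumerated, so do not assume safety.
    return "likely-vulnerable", f"PHP {ver} as CGI on other/unknown locale; patch"


def assess_fleet(hosts):
    """Map host name to verdict for a whole inventory."""
    return {h.name: assess(h)[0] for h in hosts}


# Constructed sample inventory (not real hosts).
SAMPLE_HOSTS = [
    Host("web-tw-01", "PHP 8.2.19 (cgi-fcgi) (built: May  7 2024 16:35:26)", "cgi", 950),
    Host("web-jp-02", "PHP 8.1.29", "cgi", 932),
    Host("web-us-03", "PHP 8.3.7", "cgi", 1252),
    Host("web-de-04", "PHP 7.4.33", "mod_php", 1252),
    Host("legacy-05", "PHP 5.6.40", "cgi", None),
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        verdict, reason = assess(host)
        print(f"{host.name:12} {verdict:17} {reason}")
```

The check deliberately reports an unsupported branch (8.0, 7.x, 5.x) as unpatched regardless of its patch level, and a CGI deployment on a non-CJK locale as "likely-vulnerable" rather than safe, which is the conservative reading of Devcore's disclaimer quoted in point 3.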
| Indicator | Type | Notes |
|---|---|---|
| 79.124.49[.]158 | External scanning IP | Discovered by SANS |
| 88.218.76[.]13 | Ransomware C2 IP | TellYouThePass |
| 95279881525d4ed4ce25777bb967ab87659e7f72235b76f9530456b48a00bac3 | HTA malware | TellYouThePass ransomware sample |
| 5a2b9ddddea96f21d905036761ab27627bd6db4f5973b006f1e39d4acb04a618 | HTA malware | TellYouThePass ransomware sample |
| hxxp[://]7h85hmbyo-1327148465[.]cos[.]ap-hongkong[.]myqcloud[.]com | Malicious download | Web server malware download URL (multiple files) |
| 6a4f16c2ac0de1c9c11946f0e92b49b4 | Malicious DLL | Web server malware (appverify.dll) |
| 565c82d9f697e1c95739bc6607a5a40e | Malicious script | PowerShell script file (ConfigureRegistrySettings.ps1) |
| e7234ac6b02085b5b346e315d05cedaa | Malicious script | Visual Basic Script (1.vbs) |
| 4c08aa403574ddd96e952ea3740c7e00 | Malware | Batch file (1.bat) |
| 441471aaf66702f35bd6867ae176d1c4 | Malicious script | JavaScript file (gtagv1.js) |
| b6a77e293a158f046f39ab50f276ef9f | Malware | Executable ade4f437[.]exe, searches for other vulnerable hosts, continues attack propagation |
| 8792b68ee80d0d6c8de84408cfa853e8 | Malware | Executable alidebug[.]exe, disables firewall, network server processes |
| 9d3b19c8bf21723224e6885db1eea012 | Malware | Executable asusdebug[.]exe, ensures persistence of alidebug[.]exe |
| ne.phpbug[.]xyz | C2 server | Works with ade4f437[.]exe process, data capture includes victim IP address |
| cl.php-cgi[.]com/idna | C2 server | Works with alidebug[.]exe process, data capture includes victim IP address |
| www[.]eqwedasda[.]xyz | C2 server | Go backdoor C2 |
| hxxp[:]//xss-1253555722[.]cos[.]ap-singapore[.]myqcloud[.]com/win.exe | Malicious download | Go backdoor download URL |
| 976c81f847ef5d7277abba26f4c2a5811dfd4569ef7ecd2df3f67414331e3e19 | Backdoor hash | Go backdoor (win.exe) |
| hxxp[://]dpp-s3-data[.]s3[.]amazonaws[.]com/tpPNDWqMh5ubw | Malicious download | Rust Trojan download URL |
| hxxp[://]buddha-common[.]s3[.]amazonaws[.]com/ybe3cjgot6x2x | Malicious download | Rust Trojan download URL |
| hxxp[://]alien-static[.]s3[.]amazonaws[.]com/djwne6au4b0u0 | Malicious download | Rust Trojan download URL |
| 7a919c639f44d87a88c43725614084bdabb264dcf0e9df301b2f2143ec742c63 | Trojan hash | Trojan (1.exe) |
| 104.238.183[.]19 | C2 server | C2 associated with Powercat backdoor |
| 103.142.147[.]47 | C2 server | C2 associated with Powercat backdoor |
| hxxp://147[.]50[.]253[.]109:35411 | Malicious download | Password stealer download URL |
| 146[.]19[.]100[.]7 | C2 server | Password stealer C2 |
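Because the advisory notes that file names vary between attacks while URLs, hashes and IP addresses stay stable, the practical way to use the table is to match those higher-fidelity indicators against proxy, DNS and EDR telemetry. The script below is an added example (not Bitdefender tooling) that refangs a subset of the defanged indicators copied from the table above and searches constructed log lines for them. It is not tied to any particular log format: it matches on token boundaries so that an IP such as 104.238.183[.]19 does not fire on a longer address that merely begins with the same digits, and hashes are matched case-insensitively. The log lines are constructed for the example and are not real telemetry.

```python
import re

# Defanged indicators copied from the advisory's table (a subset; add the rest the same way).
DEFANGED_IOCS = {
    "79.124.49[.]158": "External scanning IP (SANS)",
    "88.218.76[.]13": "Ransomware C2 IP (TellYouThePass)",
    "hxxp[://]7h85hmbyo-1327148465[.]cos[.]ap-hongkong[.]myqcloud[.]com": "Web server malware download URL",
    "hxxp[:]//xss-1253555722[.]cos[.]ap-singapore[.]myqcloud[.]com/win.exe": "Go backdoor download URL",
    "hxxp://147[.]50[.]253[.]109:35411": "Password stealer download URL",
    "ne.phpbug[.]xyz": "C2 server (ade4f437.exe)",
    "cl.php-cgi[.]com/idna": "C2 server (alidebug.exe)",
    "www[.]eqwedasda[.]xyz": "Go backdoor C2",
    "104.238.183[.]19": "Powercat backdoor C2",
    "146[.]19[.]100[.]7": "Password stealer C2",
    "6a4f16c2ac0de1c9c11946f0e92b49b4": "Malicious DLL (appverify.dll), MD5",
    "976c81f847ef5d7277abba26f4c2a5811dfd4569ef7ecd2df3f67414331e3e19": "Go backdoor (win.exe), SHA-256",
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp, [.], [:], [://]) back into its live form."""
    live = ioc.replace("[://]", "://").replace("[:]", ":").replace("[.]", ".")
    return re.sub(r"^hxxp", "http", live, flags=re.IGNORECASE)


def compile_iocs(defanged):
    """Build (live_value, note, regex) rules; boundaries stop partial-IP/partial-hash hits."""
    rules = []
    for raw, note in defanged.items():
        live = refang(raw)
        pattern = re.compile(r"(?<![\w.])" + re.escape(live) + r"(?![\w.])", re.IGNORECASE)
        rules.append((live, note, pattern))
    return rules


def scan_lines(lines, rules):
    """Return (line_number, indicator, note) for every indicator found in the lines."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for live, note, pattern in rules:
            if pattern.search(line):
                hits.append((number, live, note))
    return hits


# Constructed sample telemetry (not real logs); the last line is a near-miss that must not match.
SAMPLE_LOG = [
    "2024-06-08 03:12:44 proxy CONNECT 104.238.183.19:443 user=svc_web",
    "2024-06-08 03:13:01 edr proc=certutil.exe url=http://147.50.253.109:35411/update.exe",
    "2024-06-08 03:13:02 dns query ne.phpbug.xyz type=A",
    "2024-06-08 03:13:05 edr hash=6A4F16C2AC0DE1C9C11946F0E92B49B4 path=C:\\xampp\\appverify.dll",
    "2024-06-08 03:14:10 proxy GET http://104.238.183.190/update",
]

if __name__ == "__main__":
    for number, live, note in scan_lines(SAMPLE_LOG, compile_iocs(DEFANGED_IOCS)):
        print(f"line {number}: {live}  <- {note}")
```

Refanging is done once at rule-compile time so the indicators can be kept in their defanged form in source control, and the boundary assertions mean a hit on `104.238.183.19` is reported while `104.238.183.190` on the last sample line is correctly ignored.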