Overview
The SonicWall Capture Labs threat research team became aware of an exploited-in-the-wild argument injection vulnerability affecting PHP running in CGI mode on Windows. Identified as CVE-2024-4577 and given a CVSSv3 score of 9.8, the vulnerability is more severe than it initially appears. Categorized as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), it lets an unauthenticated attacker pass command-line options to the PHP binary and, through them, read, modify or execute files on the system and take control of affected servers.
A proof of concept is publicly available on GitHub. Windows machines running affected PHP versions (8.3 before 8.3.8, 8.2 before 8.2.20, 8.1 before 8.1.29, or any end-of-life branch) in PHP-CGI mode with specific system locales, which includes default XAMPP installations, are vulnerable. Although XAMPP is used mainly in development environments, Shodan shows up to 250k exposed Apache servers running PHP on Windows. PHP has released patched versions, and updating immediately is advised.
Technical Overview
This vulnerability allows threat actors to bypass the argument-handling protection of PHP's CGI mode by sending a crafted POST request to a vulnerable PHP server on a Windows host that uses a Japanese or Chinese system locale.
PHP is a server-side scripting language and a powerful tool for building dynamic and interactive web pages. It is extremely popular and is used by over 75% of websites whose server-side programming language is known.
The vulnerability is due to the Best-Fit feature of Windows character-encoding conversion, which in the affected locales maps byte 0xAD (a soft hyphen) to 0x2D, an ordinary ASCII hyphen. Because a CGI web server passes the query string of a request to php-cgi.exe as command-line arguments, a URL-encoded %AD that Apache decodes to 0xAD arrives at the PHP binary as a real "-". PHP's CGI argument filtering, added in response to CVE-2012-1823, checks for a literal hyphen but not for characters that Windows later converts into one, so an unauthenticated attacker can bypass that protection, pass options to the PHP binary, run arbitrary PHP code on the server and compromise PHP sites.
XAMPP installations are directly exploitable when the Apache Action directive maps PHP requests to the php-cgi executable, as shown in Figure 1.
Figure 1: PHP-CGI Function
Figure 2: httpd-xampp.conf
Alternatively, default XAMPP installations are vulnerable even without that mapping, because the PHP directory (and with it php-cgi.exe) is exposed over HTTP through the ScriptAlias directive in httpd-xampp.conf:
ScriptAlias /php-cgi/ "C:/xampp/php/"
Triggering the Vulnerability
Before exploitation, a few basic preconditions must hold.
- The operating system must be Windows.
- The PHP-CGI lines in httpd-xampp.conf must be enabled (the Action mapping to php-cgi.exe shown in Figures 1 and 2), or the PHP directory must be reachable through the ScriptAlias shown above.
- The Windows system locale must be Japanese or Chinese (Simplified or Traditional). This setting is shown in Figure 3.
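The preconditions above concern a running Windows host, but the Apache side can be checked from the configuration file alone. The following Python script is an added example, not code from the original advisory or from XAMPP: it parses the text of httpd-xampp.conf, ignores commented-out lines, and reports an active Action mapping to php-cgi.exe (the state in Figures 1 and 2) as well as an active ScriptAlias that publishes the PHP directory (the default exposure path shown above). The sample configuration text is constructed for this example, modelled on the XAMPP layout the advisory describes; the php-cgi location C:/xampp/php is an assumed default that callers can override.

```python
"""Audit an Apache/XAMPP configuration for the php-cgi exposure paths above.

Added example; not the original advisory's or XAMPP's code. It reads the
text of httpd-xampp.conf, skips commented-out directives and reports (1)
an active Action directive that routes a handler to php-cgi.exe and (2) an
active ScriptAlias that publishes the PHP installation directory, which
makes php-cgi.exe reachable over HTTP even without the Action mapping.
Directive syntax follows Apache's mod_actions and mod_alias.
"""
import re
from typing import Dict, Iterator, List, Tuple

ACTION_RE = re.compile(r'^Action\s+(\S+)\s+"?([^"\s]+)"?', re.I)
SCRIPTALIAS_RE = re.compile(r'^ScriptAlias\s+(\S+)\s+"?([^"\s]+)"?', re.I)

# Constructed sample modelled on the XAMPP layout the advisory describes:
# ScriptAlias is active by default, the PHP-CGI block is commented out.
SAMPLE_CONF = r'''
# constructed sample httpd-xampp.conf fragment
<IfModule alias_module>
    Alias /phpmyadmin "C:/xampp/phpMyAdmin/"
    ScriptAlias /php-cgi/ "C:/xampp/php/"
</IfModule>

<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>

#
# PHP-CGI setup
#
#<FilesMatch "\.php$">
#    SetHandler application/x-httpd-php-cgi
#</FilesMatch>
#<IfModule actions_module>
#    Action application/x-httpd-php-cgi "/php-cgi/php-cgi.exe"
#</IfModule>
'''

# Same fragment after an administrator has enabled the PHP-CGI block
# (the state shown in the advisory's Figures 1 and 2).
SAMPLE_CONF_CGI_ENABLED = SAMPLE_CONF + r'''
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php-cgi
</FilesMatch>
<IfModule actions_module>
    Action application/x-httpd-php-cgi "/php-cgi/php-cgi.exe"
</IfModule>
'''


def _normalize(path: str) -> str:
    """Compare filesystem paths case-insensitively with forward slashes."""
    return path.replace("\\", "/").rstrip("/").lower()


def active_directives(conf: str) -> Iterator[Tuple[int, str]]:
    """Yield (line_number, text) for lines that Apache would actually parse."""
    for number, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield number, line


def audit(conf: str, php_dir: str = "C:/xampp/php") -> List[Dict[str, object]]:
    """Return findings for directives that expose php-cgi.exe over HTTP.

    php_dir is the directory holding php-cgi.exe; the XAMPP default is
    assumed unless the caller supplies another location.
    """
    findings: List[Dict[str, object]] = []
    for number, line in active_directives(conf):
        m = ACTION_RE.match(line)
        if m and "php-cgi" in m.group(2).lower():
            findings.append({
                "line": number, "directive": "Action",
                "handler": m.group(1), "target": m.group(2),
                "issue": "requests for this handler are executed by php-cgi.exe",
            })
            continue
        m = SCRIPTALIAS_RE.match(line)
        if m and _normalize(m.group(2)) == _normalize(php_dir):
            findings.append({
                "line": number, "directive": "ScriptAlias",
                "url_path": m.group(1), "target": m.group(2),
                "issue": f"php-cgi.exe is reachable at {m.group(1).rstrip('/')}/php-cgi.exe",
            })
    return findings


if __name__ == "__main__":
    for label, conf in (("default", SAMPLE_CONF), ("php-cgi enabled", SAMPLE_CONF_CGI_ENABLED)):
        print(f"[{label}]")
        for f in audit(conf):
            print(f"  line {f['line']}: {f['directive']} {f['target']}: {f['issue']}")
```

Run against the real file with `audit(open("C:/xampp/apache/conf/extra/httpd-xampp.conf").read())`. The default sample yields only the ScriptAlias finding, which is the point of the advisory's second exposure path: a host can be exploitable with the PHP-CGI block still commented out. The locale and PHP version preconditions are not visible in the Apache configuration and still need to be checked on the host.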
An example POST request to trigger the vulnerability would target a URL such as the following, with the PHP code to be executed carried in the request body:
http[:]//target-ip:port/?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input
This allows an attacker to inject command-line options into PHP when it runs in a CGI-based or default XAMPP setup. After Best-Fit conversion the two %ADd arguments become "-d" options that set allow_url_include=1 and auto_prepend_file=php://input, so PHP includes the POST body as a PHP file before the requested script and executes whatever code it contains. The auto_append_file directive works the same way and is also accepted by vulnerable PHP servers.
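The following Python script is an added example and is not part of the original advisory or of the public PoC. It models the two steps described above (in the Best-Fit explanation and in the request breakdown): how a CGI web server such as Apache turns a query string that contains no unencoded "=" into command-line arguments (split on "+", then percent-decode each piece, following the CGI specification in RFC 3875 section 4.4), and how Windows Best-Fit conversion maps byte 0xAD to 0x2D. It then scans constructed Apache access-log lines and flags any request whose derived argv would begin with a php-cgi option, pairing -d with the INI directive it sets. The Best-Fit table is limited to the single 0xAD mapping the advisory names; the log lines are constructed for this example, and the third one uses lowercase %ad together with php-cgi's -s (show source) option, which this page does not discuss, to show the decoder is not tied to the exact spelling of the published request.

```python
"""Flag CVE-2024-4577-style argument injection in Apache access logs.

Added example for this advisory (not the original page's or the PoC author's
code). It models how a CGI web server derives php-cgi's argv from the query
string and how Windows Best-Fit conversion turns 0xAD into '-', then scans
log lines for requests whose derived argv would carry php-cgi options.
"""
import re
from typing import Iterable, List, Tuple
from urllib.parse import unquote_to_bytes

# Modelled Best-Fit substitution. Only the mapping the advisory describes is
# included (0xAD soft hyphen -> 0x2D hyphen); Windows best-fits other bytes
# too, but those are outside this example.
BEST_FIT = {0xAD: 0x2D}

# Request line inside a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def cgi_argv(query: str) -> List[bytes]:
    """Derive the argv a CGI server hands to the script for this query string.

    RFC 3875 section 4.4: when the query string contains no unencoded '=',
    the server splits it on '+' and passes each percent-decoded piece as a
    command-line argument; otherwise it is passed only via QUERY_STRING.
    Each argument is then run through the modelled Best-Fit table to mirror
    the conversion php-cgi.exe sees on an affected Windows locale.
    """
    if "=" in query:
        return []
    return [
        bytes(BEST_FIT.get(b, b) for b in unquote_to_bytes(piece))
        for piece in query.split("+")
    ]


def injected_options(target: str) -> List[bytes]:
    """Return php-cgi options that this request target would inject.

    Any derived argument starting with '-' is reported; '-d' is joined with
    the INI setting that follows it so the finding is self-explanatory.
    """
    _, _, query = target.partition("?")
    argv = cgi_argv(query) if query else []
    found: List[bytes] = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg.startswith(b"-"):
            if arg == b"-d" and i + 1 < len(argv):
                found.append(b"-d " + argv[i + 1])
                i += 2
                continue
            found.append(arg)
        i += 1
    return found


def scan_log(lines: Iterable[str]) -> List[Tuple[int, str, List[bytes]]]:
    """Return (line_number, method, options) for every suspicious entry."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        options = injected_options(match.group("target"))
        if options:
            hits.append((number, match.group("method"), options))
    return hits


# Constructed sample log, not taken from any real incident. Line 2 mirrors
# the request shape shown in the advisory; line 3 uses lowercase %ad and
# php-cgi's -s (show source) option to show the decoder is case-insensitive
# and not tied to -d; lines 1 and 4 are benign.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jun/2024:12:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Jun/2024:12:00:02 +0000] "POST /test.php?%ADd+allow_url_include%3d1'
    '+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 77',
    '10.0.0.9 - - [10/Jun/2024:12:00:03 +0000] "GET /php-cgi/php-cgi.exe?%ads HTTP/1.1" 200 1024',
    '10.0.0.7 - - [10/Jun/2024:12:00:04 +0000] "GET /docs.php?search+terms HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, method, options in scan_log(SAMPLE_LOG):
        print(f"line {number}: {method} injects {[o.decode('latin-1') for o in options]}")
```

Because the PHP payload travels in the POST body, which access logs do not record, the query string is the only artefact the log keeps. A rule that matches the literal text "%AD" misses the same byte written as "%ad"; decoding to bytes first, as done here, catches every spelling, and deriving argv the way the server does means any future option, not just -d, is reported.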
Exploiting the Vulnerability
Exploiting the issue requires only a crafted POST request to a vulnerable Apache server with PHP-CGI enabled. The attacker needs network access to the instance, over the internet or a local network, and no authentication. A working PoC with a crafted POST request is publicly available.
Leveraging the publicly available PoC, a demonstration of exploitation can be seen in Figure 4.
Figure 3: Control Panel
Figure 4: CVE-2024-4577 Exploitation
Among the roughly 250k exposed Apache servers running PHP on Windows reported by Shodan, multiple events were observed in the second week of June 2024 in which attackers used this vulnerability to upload malware. According to Imperva's analysis, the activity was part of a "TellYouThePass" ransomware campaign. The ransomware appears to turn the compromised service into an open directory, encrypt files and drop ransom notes (with filenames including READ_ME9.html, READ_ME10.html and READ_ME11.html).
Around 1,000 compromised hosts were online as of June 13, primarily in China, likely because Windows systems with Chinese or Japanese locales are vulnerable in the default XAMPP configuration.
SonicWall Protections
To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:
- IPS: 4451 – PHP CGI Argument Injection.
Remediation Recommendations
Given the severe consequences of this vulnerability and ongoing exploitation in the wild, users are strongly encouraged to upgrade their instances to PHP 8.3.8, 8.2.20 or 8.1.29, which address the vulnerability. End-of-life branches receive no fix, so servers still running them remain exposed until they are migrated to a supported release.
Relevant Links
Source: Original Post