Windows PHP Servers in CGI Mode Vulnerable to Exploitation (CVE-2024-4577)

Overview 

The SonicWall Capture Labs threat research team became aware of an exploited-in-the-wild information disclosure vulnerability affecting the Windows-based PHP servers used in CGI mode. Identified as CVE-2024-4577 and given a CVSSv3 score of 9.8, the vulnerability is more severe than it initially appears. Labeled as an argument injection vulnerability and categorized as CWE-78 – Improper Neutralization of Special Elements used in an OS Command – this vulnerability allows an attacker to read/modify/execute any file on the system, take control and compromise affected servers. 

A proof of concept is publicly available on GitHub. The Windows machines running affected versions (PHP 8.3 < 8.3.8, PHP 8.2 < 8.2.20, PHP 8.1 < 8.1.29 or end-of-life) of PHP with specific locales in PHP-CGI mode on XAMPP installations are vulnerable. Although XAMPP is popular mainly for dev environments, up to 250k exposed Apache servers are running PHP on Windows, according to Shodan. PHP has released a patch, and it is advisable to update it immediately.  

Technical Overview  

This vulnerability allows threat actors to circumvent the PHP CGI mode by sending a crafted POST query to the vulnerable PHP server running Japanese and Chinese locales. 

PHP is a server scripting language, and a powerful tool for making dynamic and interactive web pages. It is extremely popular and is used in over 75% of all websites where the server-side programming language is known.  

The vulnerability is due to the misuse of the Best-Fit feature of encoding conversion in the Windows operating system which converts 0xAD to 0x2D. That means the trick lies in that %AD will be decoded to a “soft hyphen,” which PHP will turn into a real hyphen. While implementing PHP, the team overlooked this feature, allowing unauthenticated actors to bypass the security features of CVE-2012-1823, using specific characters or queries that allow them to execute arbitrary code. The PHP CGI module may misinterpret hyphen characters as PHP options, which may allow a malicious user to pass options to the PHP binary and thus run arbitrary PHP code on the server and compromise PHP sites. 

XAMPP users can be exploited directly when the Action directive is mapped to corresponding HTTP requests to a PHP-CGI executable binary in the Apache HTTP Server, as shown in Figure 1. 

Figure 1: PHP-CGI Function 

Figure 2: httpd-xampp.conf 

In another methodology, default XAMPP servers are vulnerable, because the PHP directory is exposed via ScriptAlias directive. 

ScriptAlias /php-cgi/ “C:/xampp/php/” 

Triggering the Vulnerability 

Before execution, there are a few basic vulnerability checks.  

  • Primarily, the operating system should be Windows. 
  • To ensure that CVE-2024-4577 would exploit a vulnerable PHP server, some lines related to the PHP-CGI function in httpd-xampp.conf should be enabled, as shown in Figures 1 and 2.  
  • The vulnerable PHP servers should be set to either Japanese or Chinese (Simplified or Traditional) locales. This setting can be performed as shown in Figure 3.

An example POST request to trigger the vulnerability would look like: 

http[:]//target-ip:port/?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input 

This allows an attacker to inject command-line options into PHP when it is running in a CGI-based or default XAMPP setup. Malicious code can be passed through “php://input” and executed using the “auto_prepend_file” option to call “include_path.”. Additionally, the “auto_append_file” option is also accepted by vulnerable PHP servers. 

Exploiting the Vulnerability 

The necessary and sufficient condition to exploit the issue is a crafted POST request to vulnerable Apache servers with an enabled PHP-CGI function. An attacker only needs to be able to access the instance remotely which could be over the internet or a local network.  A working PoC with a crafted POST query aids in exploiting this vulnerability.  

Leveraging the publicly available PoC, a demonstration of exploitation can be seen in Figure 4. 

Figure 3: Control Panel 

Figure 4: CVE-2024-4577 Exploitation 

Out of the 250k exposed Apache servers running PHP on Windows, according to Shodan, multiple events were observed wherein attackers leveraged this vulnerability to upload malware in the second week of June 2024. According to Imperva analysis, it was peculiarly observed that the malware activity was a part of “TellYouThePass” ransomware. The ransomware appears to alter the service to an open directory, encrypt files and add ransom notes (with filenames including READ_ME9.html, READ_ME10.html, READ_ME11.html).  

There are around 1,000 compromised hosts online as of June 13, primarily in China, likely because Windows systems with Chinese or Japanese locales are inherently vulnerable due to their default XAMPP configuration. 

SonicWall Protections 

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released: 

  • IPS: 4451 – PHP CGI Argument Injection. 

Remediation Recommendations 

Considering the severe consequences of this vulnerability and the trend of nefarious activists trying to leverage the exploit in the wild, users are strongly encouraged to upgrade their instances to PHP’s new releases, 8.3.8, 8.2.20 and 8.1.29, to address the vulnerability.  

Relevant Links 

 

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.

Source: Original Post