Windows PHP Servers in CGI Mode Vulnerable to Exploitation (CVE-2024-4577)

Two sentences: SonicWall reports a high-severity vulnerability (CVE-2024-4577) in Windows PHP CGI mode that lets a remote attacker read, modify or execute files and take control of affected servers. A public PoC and real-world malware activity (TellYouThePass) have been observed; patching PHP to the latest releases is strongly advised. #CVE-2024-4577 #TellYouThePass #XAMPP #Windows #Shodan

Keypoints

  • The vulnerability CVE-2024-4577 is a critical information-disclosure/command-execution flaw in Windows-based PHP CGI mode with a CVSSv3 score of 9.8.
  • It stems from how Windows Best-Fit encoding converts 0xAD to 0x2D, enabling crafted POST requests to bypass security and execute arbitrary PHP code on vulnerable servers.
  • Once exploited through PHP-CGI, the attacker can read, modify and execute files on the server, potentially taking control of it and compromising sites running XAMPP.
  • A PoC exists publicly (GitHub); the exploit targets servers whose system locale is Japanese or Chinese, where the Best-Fit conversion makes the crafted request reach PHP-CGI as an option switch.
  • Malware activity in the wild has included TellYouThePass ransomware, which encrypts files and drops ransom notes on affected systems.
  • Shodan data suggested up to 250k exposed Apache servers running PHP on Windows, many of them in China because of locale-default configurations.
  • Remediation centers on upgrading PHP to 8.3.8, 8.2.20, or 8.1.29 (or newer) and applying the PHP patch promptly, with additional hardening of XAMPP configurations.
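The Best-Fit point above (0xAD becomes 0x2D, so a percent-encoded soft hyphen in the query string is seen by php-cgi as an ASCII hyphen) is something a defender can look for directly in web-server access logs. The following detector is an added example and is not code from the advisory or from SonicWall; the log lines are constructed, and the emulation of Best-Fit covers only the single byte the advisory names.

```python
import re
from typing import Optional
from urllib.parse import unquote_to_bytes

# Constructed Apache access-log lines (not taken from the advisory). Line 2
# carries a percent-encoded 0xAD; line 4 carries the same character as UTF-8
# (C2 AD); lines 1 and 3 are ordinary traffic, including a non-ASCII query.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2024:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Jun/2024:12:00:02 +0000] "POST /php-cgi/php-cgi.exe?%ADd+max_execution_time%3D30 HTTP/1.1" 200 1024
203.0.113.9 - - [10/Jun/2024:12:00:03 +0000] "GET /page.php?q=caf%C3%A9 HTTP/1.1" 200 300
203.0.113.11 - - [10/Jun/2024:12:00:04 +0000] "POST /cgi-bin/php-cgi.exe?%C2%ADd+display_errors%3D1 HTTP/1.1" 200 2048
"""

SOFT_HYPHEN = 0xAD  # the byte Windows Best-Fit maps to '-' (0x2D)

# Extracts method and request target from a Common/Combined Log Format line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def best_fit_view(raw: bytes) -> str:
    """Emulate the one Best-Fit substitution the advisory describes:
    every 0xAD byte is replaced by an ASCII hyphen, which is how php-cgi
    on an affected locale ends up seeing an option switch."""
    return bytes(0x2D if b == SOFT_HYPHEN else b for b in raw).decode("latin-1")


def inspect_request_target(target: str) -> Optional[dict]:
    """Return a finding if the query string contains a soft hyphen, else None."""
    if "?" not in target:
        return None
    query = target.split("?", 1)[1]
    raw = unquote_to_bytes(query)
    # Treat a UTF-8 encoded U+00AD the same as the single 0xAD byte.
    raw = raw.replace(b"\xc2\xad", b"\xad")
    if SOFT_HYPHEN not in raw:
        return None
    return {"query": query, "as_seen_by_cgi": best_fit_view(raw)}


def scan_access_log(text: str) -> list:
    """Scan log text and collect requests whose query string would be
    rewritten by Best-Fit into something starting with a hyphen switch."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        finding = inspect_request_target(m.group("target"))
        if finding:
            finding["client"] = line.split()[0]
            finding["method"] = m.group("method")
            hits.append(finding)
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['client']} {hit['method']} query={hit['query']!r} "
              f"-> php-cgi would see {hit['as_seen_by_cgi']!r}")
```

A raw soft hyphen almost never occurs legitimately in a query string, so the rule has a low false-positive rate; the `as_seen_by_cgi` field shows the analyst what the server-side conversion turns the request into. The regex only parses the default Apache log format, so adjust `REQUEST_RE` for custom `LogFormat` directives.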

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Exploitation needs nothing more than a crafted POST request to a remotely reachable Apache server with PHP-CGI enabled. ‘The necessary and sufficient condition to exploit the issue is a crafted POST request to vulnerable Apache servers with an enabled PHP-CGI function. An attacker only needs to be able to access the instance remotely.’
  • [T1059] Command and Scripting Interpreter – A crafted POST query lets the attacker execute arbitrary PHP on servers running Japanese or Chinese locales. ‘This vulnerability allows threat actors to circumvent the PHP CGI mode by sending a crafted POST query to the vulnerable PHP server running Japanese and Chinese locales.’
  • [T1486] Data Encrypted for Impact – TellYouThePass encrypts files and drops ransom notes named READ_ME9.html, READ_ME10.html and READ_ME11.html. ‘The ransomware appears to alter the service to an open directory, encrypt files and add ransom notes (with filenames including READ_ME9.html, READ_ME10.html, READ_ME11.html).’
  • [T1595] Active Scanning – Attackers scanned for exposed targets; Shodan data shows roughly 250k Apache servers running PHP on Windows reachable from the internet. ‘Shodan … 250k exposed Apache servers are running PHP on Windows.’

Indicators of Compromise

  • [File] Ransom notes – READ_ME9.html, READ_ME10.html, READ_ME11.html
  • [URL] Public PoC repository – https://github.com/watchtowrlabs/CVE-2024-4577
  • [Malware] TellYouThePass ransomware family
  • [Software Version] Vulnerable PHP versions – PHP 8.3.x before 8.3.8; PHP 8.2.x before 8.2.20; PHP 8.1.x before 8.1.29
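The version ranges above translate directly into an inventory check: a host is only of concern if it runs one of the listed branches below its fixed release and actually serves PHP through php-cgi. The helper below is an added example, not code from the advisory; the fixed releases are the ones the advisory lists, the `httpd` snippet is constructed to resemble an XAMPP-style configuration, and branches the advisory does not mention (for example 8.0 or 7.x) are reported as unknown rather than patched.

```python
import re
from typing import Optional, Tuple

# Minimum fixed release per branch, as stated in the advisory.
FIXED_RELEASES = {
    (8, 3): (8, 3, 8),
    (8, 2): (8, 2, 20),
    (8, 1): (8, 1, 29),
}

# Constructed httpd configuration fragment in the style XAMPP uses to expose
# php-cgi; the path is a placeholder, not taken from any real host.
SAMPLE_HTTPD_CONF = """\
ScriptAlias /php-cgi/ "C:/xampp/php/"
<FilesMatch "\\.php$">
    SetHandler application/x-httpd-php-cgi
</FilesMatch>
"""

# Constructed first line of `php -v` output for a CGI build.
SAMPLE_PHP_V = "PHP 8.2.19 (cgi-fcgi) (built: May  8 2024 10:00:00)"


def parse_php_version(text: str) -> Tuple[int, int, int]:
    """Accept '8.2.19' or the first line of `php -v` and return (major, minor, patch)."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched_for_cve_2024_4577(version: Tuple[int, int, int]) -> Optional[bool]:
    """True if the version is at or above its branch's fixed release, False if
    below it, None if the branch is not covered by the advisory's list."""
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        return None
    return version >= fixed


# Directives that route requests to php-cgi.exe (ScriptAlias / Action) or
# hand .php files to the CGI handler; commented-out lines are ignored.
CGI_LINE_RE = re.compile(
    r"^\s*(?:ScriptAlias|Action)\b.*php(?:-cgi)?|^\s*SetHandler\s+application/x-httpd-php-cgi",
    re.IGNORECASE | re.MULTILINE,
)


def cgi_mode_configured(httpd_conf: str) -> bool:
    """Heuristic: does the configuration serve PHP through CGI at all?"""
    return CGI_LINE_RE.search(httpd_conf) is not None


def triage(php_v_output: str, httpd_conf: str) -> str:
    """Summarise exposure for one host from `php -v` output and its httpd config."""
    version = parse_php_version(php_v_output)
    patched = is_patched_for_cve_2024_4577(version)
    cgi = cgi_mode_configured(httpd_conf)
    ver = ".".join(map(str, version))
    if patched is None:
        return f"PHP {ver}: branch not in advisory fix list; confirm support status"
    if not cgi:
        return f"PHP {ver}: php-cgi not configured; CVE-2024-4577 path not exposed"
    if patched:
        return f"PHP {ver}: php-cgi configured but version is patched"
    return f"PHP {ver}: php-cgi configured and version is below fixed release; upgrade"


if __name__ == "__main__":
    print(triage(SAMPLE_PHP_V, SAMPLE_HTTPD_CONF))
```

The `cgi_mode_configured` heuristic only looks at the directives named in its regex, so include every file pulled in via `Include` (for XAMPP, notably `httpd-xampp.conf`) when feeding it real configuration, and treat a `None` result from the version check as a prompt to verify the branch's support status rather than as a clean bill of health.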

Read more: https://blog.sonicwall.com/en-us/2024/06/windows-php-servers-in-cgi-mode-vulnerable-to-exploitation-cve-2024-4577/