Devcore announced a critical remote code execution (RCE) vulnerability in PHP, designated CVE-2024-4577. This flaw affects all PHP versions from 5.x onward running on Windows servers, making it a significant concern due to PHP's widespread use. This vulnerability stems from mishandling character encoding conversions, particularly affecting systems using certain code pages for languages like Chinese or Japanese. As the implications of this flaw continue to unfold, it is vital for organizations to understand the risk and implement necessary measures to safeguard their environments. In this advisory, we delve into the details of CVE-2024-4577, its potential impacts, and the steps you can take to protect your systems.

Background

CVE-2024-4577 is a critical remote code execution (RCE) vulnerability in PHP that was announced by Devcore on 6 June 2024. This vulnerability affects all PHP versions, 5.x and on, running on Windows servers. The ubiquity of PHP makes vulnerabilities like this problematic, since it is used on well over 70% of websites, and touches lots of different code, including various SQL implementations, content management systems, and HTML. It’s been around long enough to have plenty of users and documentation, plus the added benefit of it being a relatively lightweight and flexible language. One of the main cautions here for those concerned is to understand where and how PHP is being used, which should be part of the risk mitigation process, and if there are any dependencies on specific versions or implementations of web applications.

This vulnerability occurs due to a mishandling of character encoding conversions, specifically the "Best-Fit" feature on Windows when PHP operates in Common Gateway Interface (CGI) mode. Specifically, this affects a system that is set up to use certain character code pages for languages like Chinese or Japanese; however, there are concerns that this could affect more implementations globally. Because of how PHP handles some characters, attackers can force servers to execute unwanted commands via simple web request.

When using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in the command line given to Win32 API functions. The PHP CGI module may misinterpret these characters as PHP options, allowing a malicious user to pass options to the PHP binary being run.

Exploiting this vulnerability can lead to various consequences, such as revealing the source code of scripts, running arbitrary PHP code on the server, and more. The impact severity is rated as critical, with high confidentiality, integrity, and availability impacts.

Further complicating matters, Imperva released additional research tying the “TellYouThePass” ransomware group to this exploit as of 10 June 2024. TellYouThePass has been active since 2019, and by all accounts, has recently been using Go to enhance the ransomware’s effectiveness across multiple operating systems. This group operates with a traditional ransomware model, using data encryption as the extortion method and does not use a public shaming blog, much like other contemporary ransomware actors. TellYouThePass has also used other recent exploits to some effect, such as those targeting Log4j and other known vulnerabilities.

Details

Based on the work by researchers at WatchTowr, the proof-of-concept (PoC) illustrated on GitHub is trivial and consists of one line of code sent via web request:

Bitdefender telemetry echoes findings from other researchers, with mass internet scanning showing a major uptick on 7 June 2024, a day after the vulnerability was made public. Since 8 June, scanning has increased, likely as a result of bad guys and researchers alike trying to understand the scope of the vulnerability. Censys reports over 450,000 instances of potential vulnerabilities; results on Shodan indicate similarly dire numbers, especially with multiple vulnerable versions observed in sample data.

Bitdefender threat research confirms other industry reporting, and our Labs team has observed several unique campaigns using various attacks post-exploitation. Of these attacks, all have used the same method to obtain remote code execution (RCE) as the public PoC, and have injected the following arguments into the PHP command line:

Once inside, attackers performed various discovery techniques to reconnoiter the environment. Post exploitation, attackers were able to run several PowerShell scripts that shut down the firewall and other web services, which allowed them to essentially redeploy a victim server as a malicious web server. Sideloaded DLLs injected malicious processes into affected systems that allowed for credential capture and remote command-and-control (C2). This process could continue across multiple servers, as downloaded malware continued the spread of malware on vulnerable hosts. These indicators are included in the table below.

In one case, attackers were observed using scripts within cmd.exe to download additional malware via certutil.exe from hxxp://147[.]50[.]253[.]109:35411. This malware has been seen previously on VirusTotal associated with other IP addresses and file names, indicating possible reuse from other commodity malware campaigns. Other attacks saw a variety of other post-exploitation actions, such as deploying an open-source attacker framework known as RingQ, as well as CobaltStrike. Bitdefender Labs also observed Trojans written with Rust, along with deployments of backdoors written in Go, Powercat, and PowerShell. These indicators are included in the table below.

Based on observations of community detections of these indicators on sites like VirusTotal, it is probable that attackers may be attempting to evade detection by filename alone, or there is the possibility that multiple attackers are writing their own playbooks to further obscure activity, or a combination of these. Attackers often use a variety of naming conventions for .bat files, .dll files, and .exe files, which may consist of intentional typos that resemble legitimate system files at first glance, or random strings of alphanumeric characters that may change through each attack. In these instances, higher fidelity indicators such as URLs, hashes, and IP addresses have been included in the table below.

Recommendations

As of this reporting, Bitdefender has observed detections for activity associated with exploits of CVE-2024-4577. Furthermore, multiple IP addresses were detected scanning for vulnerable servers. The PHP development team has released patches to address this vulnerability.

1. Users are advised to upgrade to the latest PHP patch versions – PHP 8.3.8, PHP 8.2.20, and PHP 8.1.29, which include patches for this vulnerability. Any versions before these should be considered vulnerable, especially branches no longer supported, such as PHP 8.0, PHP 7, and PHP 5.

2. Devcore states that CGI implementations can be problematic due to its age, and further recommends evaluating other secure architecture such as Mod-PHP, FastCGI, or PHP-FPM.

3. Devcore added a disclaimer regarding language settings: “For Windows running in other locales such as English, Korean, and Western European, due to the wide range of PHP usage scenarios, it is currently not possible to completely enumerate and eliminate all potential exploitation scenarios. Therefore, it is recommended that users conduct a comprehensive asset assessment, verify their usage scenarios, and update PHP to the latest version to ensure security.”

4. For systems that cannot be upgraded, temporary measures include:

a. Blocking attacks via remote rules - specific rewrite rules can block attacks such as the following:

b. Configuration adjustments for XAMPP Users: commenting out the ScriptAlias directive in httpd-xampp.config: (typically at 'C:/xampp/apache/conf/extra/httpd-xampp.conf').

5. Since several campaigns have been using PowerShell, organizations should consider limiting the use of PowerShell within the environment to only privileged users such as administrators.

6. For Bitdefender Intellizone users, additional information can be found here: https://intellizone.bitdefender.com/en/threat-search/threats/BDt5b2507l

Indicators of Compromise

Indicator	Type	Notes
79.124.49[.]158	External scanning IP	Discovered by SANS
88.218.76[.]13	Ransomware C2 IP	TellYouThePass
95279881525d4ed4ce25777bb967ab87659e7f72235b76f9530456b48a00bac3	HTA malware	TellYouThePass ransomware sample
5a2b9ddddea96f21d905036761ab27627bd6db4f5973b006f1e39d4acb04a618	HTA malware	TellYouThePass ransomware sample
hxxp[://]7h85hmbyo-1327148465[.]cos[.]ap-hongkong[.]myqcloud[.]com	Malicious download	Web server malware download URL (multiple files)
6a4f16c2ac0de1c9c11946f0e92b49b4	Malicious DLL	Web server malware (appverify.dll)
565c82d9f697e1c95739bc6607a5a40e	Malicious script	PowerShell script file (ConfigureRegistrySettings.ps1)
e7234ac6b02085b5b346e315d05cedaa	Malicious script	Visual Basic Script (1.vbs)
4c08aa403574ddd96e952ea3740c7e00	Malware	Batch file (1.bat)
441471aaf66702f35bd6867ae176d1c4	Malicious script	JavaScript file (gtagv1.js)
b6a77e293a158f046f39ab50f276ef9f	Malware	Executable ade4f437[.]exe, searches for other vulnerable hosts, continues attack propagation
8792b68ee80d0d6c8de84408cfa853e8	Malware	Executable alidebug[.]exe, disables firewall, network server processes
9d3b19c8bf21723224e6885db1eea012	Malware	Executable asusdebug[.]exe, ensures persistence of alidebug[.]exe
ne.phpbug[.]xyz	C2 server	Works with ade4f437[.]exe process, data capture includes victim IP address
cl.php-cgi[.]com/idna	C2 server	Works with alidebug[.]exe process, data capture includes victim IP address
www[.]eqwedasda[.]xyz	C2 server	Go backdoor C2
hxxp[:]//xss-1253555722[.]cos[.]ap-singapore[.]myqcloud[.]com/win.exe	Malicious download	Go backdoor download URL
976c81f847ef5d7277abba26f4c2a5811dfd4569ef7ecd2df3f67414331e3e19	Backdoor hash	Go backdoor (win.exe)
hxxp[://]dpp-s3-data[.]s3[.]amazonaws[.]com/tpPNDWqMh5ubw	Malicious download	Rust Trojan download URL
hxxp[://]buddha-common[.]s3[.]amazonaws[.]com/ybe3cjgot6x2x	Malicious download	Rust Trojan download URL
hxxp[://]alien-static[.]s3[.]amazonaws[.]com/djwne6au4b0u0	Malicious download	Rust Trojan download URL
7a919c639f44d87a88c43725614084bdabb264dcf0e9df301b2f2143ec742c63	Trojan hash	Trojan (1.exe)
104.238.183[.]19	C2 server	C2 associated with Powercat backdoor
103.142.147[.]47	C2 server	C2 associated with Powercat backdoor
hxxp://147[.]50[.]253[.]109:35411	Malicious download	Password stealer download URL
146[.]19[.]100[.]7	C2 server	Password stealer C2