Ransomware Attackers Quickly Weaponize PHP Vulnerability With 9.8 Severity Rating (arstechnica.com)
A critical vulnerability in the PHP programming language (CVE-2024-4577) has been exploited by ransomware criminals, leading to the infection of up to 1,800 servers primarily in China with the TellYouThePass ransomware. This vulnerability, which affects PHP when run in CGI mode, allows attackers to execute malicious code on web servers. Ars Technica's Dan Goodin reports: As of Thursday, Internet scans performed by security firm Censys had detected 1,000 servers infected by a ransomware strain known as TellYouThePass, down from 1,800 detected on Monday. The servers, primarily located in China, no longer display their usual content; instead, many list the site's file directory, which shows all files have been given a .locked extension, indicating they have been encrypted. An accompanying ransom note demands roughly $6,500 in exchange for the decryption key. The vulnerability, tracked as CVE-2024-4577 and carrying a severity rating of 9.8 out of 10, stems from errors in the way PHP converts Unicode characters into ASCII. A feature built into Windows known as Best Fit allows attackers to use a technique known as argument injection to convert user-supplied input into characters that pass malicious commands to the main PHP application. Exploits allow attackers to bypass CVE-2012-1823, a critical code execution vulnerability patched in PHP in 2012.
CVE-2024-4577 affects PHP only when it runs in a mode known as CGI, in which a web server parses HTTP requests and passes them to a PHP script for processing. Even when PHP isn't set to CGI mode, however, the vulnerability may still be exploitable when PHP executables such as php.exe and php-cgi.exe are in directories that are accessible by the web server. This configuration is extremely rare, with the exception of the XAMPP platform, which uses it by default. An additional requirement appears to be that the Windows locale -- used to personalize the OS to the local language of the user -- must be set to either Chinese or Japanese. The critical vulnerability was published on June 6, along with a security patch. Within 24 hours, threat actors were exploiting it to install TellYouThePass, researchers from security firm Imperva reported Monday. The exploits executed code that used the mshta.exe Windows binary to run an HTML application file hosted on an attacker-controlled server. Use of the binary indicated an approach known as living off the land, in which attackers use native OS functionalities and tools in an attempt to blend in with normal, non-malicious activity.
In a post published Friday, Censys researchers said that the exploitation by the TellYouThePass gang started on June 7 and mirrored past incidents that opportunistically mass scan the Internet for vulnerable systems following a high-profile vulnerability and indiscriminately targeting any accessible server. The vast majority of the infected servers have IP addresses geolocated to China, Taiwan, Hong Kong, or Japan, likely stemming from the fact that Chinese and Japanese locales are the only ones confirmed to be vulnerable, Censys researchers said in an email. Since then, the number of infected sites -- detected by observing the public-facing HTTP response serving an open directory listing showing the server's filesystem, along with the distinctive file-naming convention of the ransom note -- has fluctuated from a low of 670 on June 8 to a high of 1,800 on Monday. Censys researchers said in an email that they're not entirely sure what's causing the changing numbers.
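As an added example, not code from the article, Censys or Imperva, here is a small Python triage helper that encodes the exposure conditions the summary lists: Windows only, an unpatched release (fixed versions 8.1.29, 8.2.20 and 8.3.8 per the NVD entry), PHP in CGI mode or php.exe/php-cgi.exe reachable through the web server, and a Chinese or Japanese locale. Mapping those locales to Windows code pages 932, 936 and 950 is my assumption.

```python
import re

# Patched releases per the NVD entry for CVE-2024-4577: 8.1.29, 8.2.20, 8.3.8.
FIXED_IN = {(8, 1): (8, 1, 29), (8, 2): (8, 2, 20), (8, 3): (8, 3, 8)}
# Windows ANSI code pages for the locales the article names. Assumption:
# Japanese 932, Simplified Chinese 936, Traditional Chinese 950.
RISKY_CODE_PAGES = {932, 936, 950}

def parse_version(text):
    """'8.3.7' -> (8, 3, 7); rejects anything that is not three dotted integers."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised PHP version: {text!r}")
    return tuple(int(x) for x in m.groups())

def version_has_fix(text):
    """True when the release already includes the fix for its branch."""
    v = parse_version(text)
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        # Branches older than 8.1 are end-of-life and got no fix; later branches ship with it.
        return v[:2] > (8, 3)
    return v >= fixed

def assess(php_version, os_name, runs_as_cgi, php_binaries_web_reachable, code_page):
    """Return (verdict, reasons) by walking the conditions the article lists."""
    reasons = []
    if os_name.lower() != "windows":
        return "not exposed", ["CVE-2024-4577 only affects PHP on Windows"]
    if version_has_fix(php_version):
        return "not exposed", [f"PHP {php_version} already carries the fix"]
    reasons.append(f"PHP {php_version} is unpatched")
    if runs_as_cgi:
        reasons.append("PHP runs in CGI mode")
    elif php_binaries_web_reachable:
        reasons.append("php.exe/php-cgi.exe are reachable via the web server (XAMPP-style layout)")
    else:
        return "low", reasons + ["not CGI mode and PHP binaries not web-reachable; patch anyway"]
    if code_page in RISKY_CODE_PAGES:
        reasons.append(f"code page {code_page} is a Chinese/Japanese locale, the confirmed set")
        return "exposed", reasons
    reasons.append(f"code page {code_page} not among confirmed locales; patch anyway")
    return "likely", reasons

if __name__ == "__main__":
    # Constructed sample: unpatched XAMPP-style host with Simplified Chinese code page.
    print(assess("8.3.7", "Windows", False, True, 936))
```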
So ... (Score:5, Informative)
... this is only vulnerable on Windows servers running PHP, and the Windows locale must be set to either Chinese or Japanese??
And out of php being the main environment powering the web ... "has fluctuated from a low of 670 on June 8 to a high of 1,800 on Monday".
Somehow the headlines made this sound a lot more horrific.
Re:So ... (Score:5, Informative)
This appears to be specific to Windows operating systems.
https://nvd.nist.gov/vuln/deta... [nist.gov]
"In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc."
So it sounds like Windows, when interpreting string data using Chinese or Japanese locale, may predictably remap certain characters [wikipedia.org] because of the way it tries to unify all the different ways those languages are encoded. This ultimately allows attackers to sneak bytes past Apache which I presume would normally filter out for security reasons.
=Smidge=
Re: (Score:3)
Re: (Score:2)
Who runs PHP on Windows? That's a UNIX stalwart (Score:3)
Who runs PHP on Windows anymore? That application server has always been a staunch UNIX stalwart, most recently paired with nginx.
Re:Who runs PHP on Windows? That's a UNIX stalwart (Score:4, Insightful)
I was running PHP on Windows 7, though not internet-exposed. It turned out to make more sense to just put Linux in a VM and run it there.
Re: (Score:2)
It turned out to make more sense to just put Linux in a VM and run it there.
That's a bingo.
Re: (Score:2)
For PHP development these days I recommend using DDEV and keeping everything in its own container. Changing PHP versions for example becomes a simple matter of changing a value in a DDEV preference file [readthedocs.io] and ddev restart.
** installs ddev **
sudo apt install ddev
** To change PHP, MySQL, NGINX, etc. versions **
sudo nano {project directory}/.ddev/config.yaml
CMS quickstarts [readthedocs.io]
= = = =
DDEV also runs on OSX and Windows.
= = = =
You can expose DDEV to the internet using ngrok along with a few other techniques. [readthedocs.io]
Speaking pe
Re: (Score:2)
The whole reason I even read into this story in the first place is that I use PHP-FPM which is CGI, but it's CGI with a daemon so it stays running and there are performance benefits compared to normal CGI. I do this specifically so that I can have multiple PHP versions installed and switch between them by just editing a config. I use the sura.org repo on Devuan 5.
PHP is obsolete garbage (Score:1, Flamebait)
If you are still starting new projects in PHP then you need to be hung up on the wall in the museum right next to obsolete PHP. There is not a single good reason to use PHP today, unless your goal is to inflict maximal pain on the entire food chain from user to developer.
Re: (Score:2)
People who talk shit on PHP are morons that need their hand held apparently.
Re: PHP is obsolete garbage (Score:3)
Before saying things like that, take a look at what PHP is *actually* like today. It's 2024, not 2004. Things change...
12 years.... really? (Score:4, Interesting)
Re: (Score:2)
They just did.
Re: (Score:3)
Umm if someone hasn't updated their server in 12 years, they can get fucked
That's not what is meant here, but that this 12-year-old patch was incomplete and can be bypassed by specific character sequences.
Anyway, your wish might still apply to people publicly exposing services on Windows in general ... which explains the lot of Chinese servers getting fucked. I never really understood their fondness of Windows, especially old versions. Why bother cracking something when you have better alternatives readily available? Maybe they'll learn now ...
It's a bit worse than what's posted here (Score:2)
Someone can craft a URL to send via email to a target or put into an img tag or clickable link on a website. There are plenty of ways to exploit this that don't involve communicating with servers that are directly facing the Internet. Targets can be running on localhost. The 1,800 servers mentioned are just the Internet facing servers running Windows - probably mostly people who punched holes in their network to run a server from home. But there are plenty of devs who still run Apache + PHP in the backg
Windows only PHP injection attack .. (Score:2)
Grudging respect (Score:2)
Open source not less vulnerable (Score:2)
There is a common misconception that open source software is somehow less vulnerable to hacking, because everyone can see the source code and will find vulnerabilities, while commercial software is closed source and therefore hidden.
This is a demonstration of how vulnerabilities can hide in plain sight.