Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security

Ransomware Attackers Quickly Weaponize PHP Vulnerability With 9.8 Severity Rating (arstechnica.com) 20

A critical vulnerability in the PHP programming language (CVE-2024-4577) has been exploited by ransomware criminals, leading to the infection of up to 1,800 servers primarily in China with the TellYouThePass ransomware. This vulnerability, which affects PHP when run in CGI mode, allows attackers to execute malicious code on web servers. Ars Technica's Dan Goodin reports: As of Thursday, Internet scans performed by security firm Censys had detected 1,000 servers infected by a ransomware strain known as TellYouThePass, down from 1,800 detected on Monday. The servers, primarily located in China, no longer display their usual content; instead, many list the site's file directory, which shows all files have been given a .locked extension, indicating they have been encrypted. An accompanying ransom note demands roughly $6,500 in exchange for the decryption key. The vulnerability, tracked as CVE-2024-4577 and carrying a severity rating of 9.8 out of 10, stems from errors in the way PHP converts Unicode characters into ASCII. A feature built into Windows known as Best Fit allows attackers to use a technique known as argument injection to convert user-supplied input into characters that pass malicious commands to the main PHP application. Exploits allow attackers to bypass CVE-2012-1823, a critical code execution vulnerability patched in PHP in 2012.

CVE-2024-4577 affects PHP only when it runs in a mode known as CGI, in which a web server parses HTTP requests and passes them to a PHP script for processing. Even when PHP isn't set to CGI mode, however, the vulnerability may still be exploitable when PHP executables such as php.exe and php-cgi.exe are in directories that are accessible by the web server. This configuration is extremely rare, with the exception of the XAMPP platform, which uses it by default. An additional requirement appears to be that the Windows locale -- used to personalize the OS to the local language of the user -- must be set to either Chinese or Japanese. The critical vulnerability was published on June 6, along with a security patch. Within 24 hours, threat actors were exploiting it to install TellYouThePass, researchers from security firm Imperva reported Monday. The exploits executed code that used the mshta.exe Windows binary to run an HTML application file hosted on an attacker-controlled server. Use of the binary indicated an approach known as living off the land, in which attackers use native OS functionalities and tools in an attempt to blend in with normal, non-malicious activity.

In a post published Friday, Censys researchers said that the exploitation by the TellYouThePass gang started on June 7 and mirrored past incidents that opportunistically mass scan the Internet for vulnerable systems following a high-profile vulnerability and indiscriminately targeting any accessible server. The vast majority of the infected servers have IP addresses geolocated to China, Taiwan, Hong Kong, or Japan, likely stemming from the fact that Chinese and Japanese locales are the only ones confirmed to be vulnerable, Censys researchers said in an email. Since then, the number of infected sites -- detected by observing the public-facing HTTP response serving an open directory listing showing the server's filesystem, along with the distinctive file-naming convention of the ransom note -- has fluctuated from a low of 670 on June 8 to a high of 1,800 on Monday. Censys researchers said in an email that they're not entirely sure what's causing the changing numbers.

This discussion has been archived. No new comments can be posted.

Ransomware Attackers Quickly Weaponize PHP Vulnerability With 9.8 Severity Rating

Comments Filter:
  • So ... (Score:5, Informative)

    by cascadingstylesheet ( 140919 ) on Friday June 14, 2024 @07:49PM (#64550441) Journal

    ... this in only vulnerable on Windows servers running PHP, and Windows locale must be set to either Chinese or Japanese??

    And out of php being the main environment powering the web ... "has fluctuated from a low of 670 on June 8 to a high of 1,800 on Monday".

    Somehow the headlines made this sound a lot more horrific.

    • Re:So ... (Score:5, Informative)

      by Smidge204 ( 605297 ) on Friday June 14, 2024 @08:01PM (#64550477) Journal

      This appears to be specific to Windows operating systems.

      https://nvd.nist.gov/vuln/deta... [nist.gov]

      "In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc."

      So it sounds like Windows, when interpreting string data using Chinese or Japanese locale, may predictably remap certain characters [wikipedia.org] because of the way it tries to unify all the different ways those languages are encoded. This ultimately allows attackers to sneak bytes past Apache which I presume would normally filter out for security reasons.
      =Smidge=

      • PHP in CGI mode is accepting inputs from the internet and passing those through without escaping characters that may have meaning on the command line it is running ... which is kind of the point of CGI mode. PHP in turn has a feature that it can run arbitrary code from the body of the POST if you can just get the correct parameters configured. Why is this feature of PHP enabled by default? How many web clients generate a PHP script to be executed on the server? This seems like feature that was dreamed u
  • Comment removed based on user account deletion
  • Who runs PHP on Windows anymore? That application server has always been a staunch UNIX stalwart, most recently paired with nginx.

  • If you are still starting new projects in PHP then you need to be hung up on the wall in the the museum right next to obsolete PHP. There is not a single good reason to use PHP today, unless your goal is to inflict maximal pain on the entire food chain from user to developer.

  • 12 years.... really? (Score:4, Interesting)

    by Kelxin ( 3417093 ) on Saturday June 15, 2024 @02:36AM (#64550945)
    "Exploits allow attackers to bypass CVE-2012-1823, a critical code execution vulnerability patched in PHP in 2012." ..... Umm if someone hasn't updated their server in 12 years, they can get fucked.
    • They just did.

    • by znrt ( 2424692 )

      Umm if someone hasn't updated their server in 12 years, they can get fucked

      that's not what is meant here, but that this 12 year old patch was incomplete and can be bypassed by specific character sequences.

      anyway your wish might still apply to people publicly exposing services on windows in general ... which explains the lot of chinese servers getting fucked. i never really understood their fondness of windows, specially old versions. why bother cracking something when you have better alternatives readily available? maybe they'll learn now ...

  • Someone can craft a URL to send via email to a target or put into an img tag or clickable link on a website. There are plenty of ways to exploit this that don't involve communicating with servers that are directly facing the Internet. Targets can be running on localhost. The 1,800 servers mentioned are just the Internet facing servers running Windows - probably mostly people who punched holes in their network to run a server from home. But there are plenty of devs who still run Apache + PHP in the backg

  • CVE-2024-4577 [nist.gov]: “In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the se
  • I'd be fascinated to hear more about how this exploit was even found - it sounds more complex than actually inventing something positive
  • There is a common misconception that open source software is somehow less vulnerable to hacking, because everyone can see the source code and will find vulnerabilities, while commercial software is closed source and therefore hidden.

    This is a demonstration of how vulnerabilities can hide in plain sight.

The world will end in 5 minutes. Please log out.

Working...