Detect and Block Exploitation Attempts of the CVE-2024-4577 PHP-CGI Argument Injection Vulnerability
Just in time for the weekend, Orange Tsai created a buzz around CVE-2024-4577. The vulnerability affects PHP running in CGI mode on Windows and has already been covered in detail in a number of articles.
The vulnerability was reported to PHP in early May, but the official CVE and the accompanying blog post only landed on 7 June.
What makes CVE-2024-4577 interesting
One might ask: who runs PHP on Windows and exposes it online? XAMPP is popular mostly for dev environments, but according to Shodan and Censys up to 250k exposed Apache servers are running PHP on Windows. These numbers need to be taken with caution, though, as recent news and analysis have shown that honeypots introduce a huge bias into them.
TL;DR: for some vulnerabilities, more than 95% of the supposedly “vulnerable machines exposed on the internet” are honeypots, and it is hard to tell how many of the remaining services actually use php-cgi (and are thus vulnerable).
On the other hand, the exploit is trivial. The payloads we are seeing look like this:
/php-cgi/php-cgi.exe?%ADd+allow_url_include%3D1+%ADd+auto_prepend_file%3Dphp://input
To some, it will look similar to the older CVE-2012-1823 vulnerability. How can such a vulnerability resurface 12 years later? Well, it was there the whole time. CVE-2012-1823 was about the ability to inject command-line switches into PHP when it runs in a CGI-based setup: when a query string contains no unencoded = sign, the CGI server splits it on + and passes the pieces to the program as arguments (which is why the payload above encodes = as %3D).
Here, the trick is that %AD decodes to a “soft hyphen” (U+00AD), which is not the ASCII hyphen PHP's post-2012 check looks for. On Windows, the best-fit mapping applied during code-page conversion then turns that soft hyphen into a real hyphen (0x2D), so php-cgi ends up parsing -d as a command-line option, exactly as in the 2012 CVE. Two caveats for defenders: the best-fit mapping depends on the system locale (the original advisory confirms Traditional Chinese, Simplified Chinese and Japanese, and other locales may be affected too), so any php-cgi deployment on Windows should be treated as vulnerable until it is running a fixed release (PHP 8.3.8, 8.2.20 or 8.1.29), and the payload shown is only one encoding of the trick, so a detection rule should match the decoded bytes rather than the literal string.
Exploitation in the wild
Following the disclosure of CVE-2024-4577, we deployed a first rule on Friday morning and saw around 50 distinct IP addresses trying to exploit the vulnerability by Monday morning, and around 100 by Tuesday morning (at the time of writing).
We did notice a few interesting things about those IPs.
- Legitimate scanners are underrepresented in this list, even though they are usually quick to scan for such vulnerabilities.
- Surprisingly, the IPs we see are not among the noisiest. Actors focusing on PHP vulnerabilities commonly scan for some outrageously old CVEs, which doesn't seem to be the case for most IPs on this list.
- While the number of IPs reported remains low, they have been very active: they were reported by nearly ten thousand users over the weekend.
- Exploitation attempts spiked starting Saturday; baddies don't take weekends.
Distribution of the most represented categories
The identified aggressive IPs show no dominant trait; we see a mix of MikroTik routers, compromised cPanel servers, and the usual outdated machines. Some IPs were already on public blocklists, such as AlienVault OTX Webscanners or FireHOL.
What else are they exploiting?
Funnily enough, the IPs caught exploiting CVE-2024-4577 do not seem to be exploiting CVE-2017-9841 (the PHPUnit eval-stdin.php remote code execution), usually the bread and butter of PHP exploitation.
How can you detect and block CVE-2024-4577 exploits?
After the initial detections over the weekend, we decided it was worth publishing rules, even though our community is significantly more Linux-based than Windows-based. Several users mentioned protecting Windows machines as well, and, as noted above, the IPs scanning the internet turned out to be real malicious actors rather than scanner companies surfing the hype.
Here is what you can do to detect malicious IPs attempting to exploit CVE-2024-4577 and protect your systems against them.
- Install the AppSec Component for the Security Engine, along with the dedicated protection rule we published. This rule is part of the virtual patching collection and is enabled for most users running the AppSec Component.
- Install the http-cve-probing scenario, used to detect trending CVEs, on your Security Engine and take advantage of the new CVE-2024-4577 detection rule we added. This rule is part of the base HTTP collection and is enabled for most users running a web server.
- The IPs identified as malicious while trying to exploit CVE-2024-4577 are now part of a dedicated blocklist. It contains the IPs most aggressively probing for this vulnerability and will be updated for as long as CVE-2024-4577 remains relevant. You can subscribe to the blocklist for free via the CrowdSec Console.
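For readers who want to understand what the rules above are matching, or who need to write their own for a different web server, here is an added example (not code from the original post and not CrowdSec's rule logic). It models how the %AD payload from the "What makes CVE-2024-4577 interesting" section turns into php-cgi switches, and then runs a detector over a few constructed access-log lines. The php-cgi guard is deliberately simplified to "refuse arguments that begin with an ASCII hyphen"; the real PHP code is more involved, so treat that function as an illustration of the ordering problem rather than a reimplementation. The best-fit model only maps 0xAD to '-', which assumes one of the affected code pages (for example 932, 936 or 950). The detector flags both 2024-style (%AD) and 2012-style (%2D) probes because both are hostile regardless of whether the target is patched.

```python
"""
Added example: model of the CVE-2024-4577 argument injection and a detector
for it over constructed Apache access-log lines. Not the page's or CrowdSec's code.
"""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample log lines (Apache "common" format); not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Jun/2024:03:12:44 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '198.51.100.7 - - [08/Jun/2024:03:13:01 +0000] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3D1+%ADd+auto_prepend_file%3Dphp://input HTTP/1.1" 200 88',
    '198.51.100.9 - - [08/Jun/2024:03:13:05 +0000] "GET /cgi-bin/php.cgi?%2Dd+allow_url_include%3D1 HTTP/1.1" 403 0',
    '198.51.100.9 - - [08/Jun/2024:03:14:20 +0000] "GET /test.php?%ad%73 HTTP/1.1" 200 120',
]

# Pulls "METHOD target" out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def cgi_argv(query: str) -> list[bytes]:
    """RFC 3875 section 4.4: when QUERY_STRING contains no unencoded '=', the
    server splits it on '+' and URL-decodes each piece into an argument for
    the CGI program. Returns [] when no arguments would be passed at all."""
    if "=" in query:
        return []
    return [unquote_to_bytes(part) for part in query.split("+") if part]


def windows_best_fit(arg: bytes) -> bytes:
    """Models the one best-fit mapping that matters here: the soft hyphen
    (0xAD, U+00AD) becomes an ASCII hyphen. Assumption: the host runs one of
    the Windows code pages where this mapping is applied."""
    return arg.replace(b"\xad", b"-")


def php_cgi_switches(query: str, windows: bool) -> list[bytes]:
    """Simplified model (an assumption, not PHP's actual code) of php-cgi's
    handling: a guard refuses query-string arguments that start with an ASCII
    '-' (the fix for CVE-2012-1823); on Windows the best-fit conversion then
    rewrites the bytes that the option parser actually sees."""
    argv = cgi_argv(query)
    if any(arg.startswith(b"-") for arg in argv):
        return []  # %2Dd decodes to "-d" and is stopped by the guard
    if windows:
        argv = [windows_best_fit(arg) for arg in argv]
    return [arg for arg in argv if arg.startswith(b"-")]


def injected_switches(query: str) -> list[bytes]:
    """Detection view: every argument that would look like a switch on a
    Windows php-cgi host, independent of any guard. Catches %AD, %ad and %2D
    variants because it works on the decoded bytes, not the literal string."""
    decoded = (windows_best_fit(arg) for arg in cgi_argv(query))
    return [arg for arg in decoded if arg.startswith(b"-")]


def is_php_cgi_probe(target: str) -> bool:
    """True when the request target carries a query string that would be
    passed to php-cgi as one or more command-line switches."""
    _path, _sep, query = target.partition("?")
    return bool(query) and bool(injected_switches(query))


def flagged_ips(log_lines: list[str]) -> list[str]:
    """Source IPs of the log lines that look like php-cgi argument injection."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if match and is_php_cgi_probe(match.group("target")):
            hits.append(line.split(" ", 1)[0])
    return hits


if __name__ == "__main__":
    payload = "%ADd+allow_url_include%3D1+%ADd+auto_prepend_file%3Dphp://input"
    print("switches seen on Windows:", php_cgi_switches(payload, windows=True))
    print("switches seen on Linux:  ", php_cgi_switches(payload, windows=False))
    print("flagged IPs:", flagged_ips(SAMPLE_LOG))
```

The design choice worth copying into a real rule is the decode-then-match order: matching the literal string %AD misses the lower-case %ad form and anything else that decodes to the same byte, whereas decoding the query string per the CGI rules and checking the resulting arguments catches every encoding of the same argv. The benign request with page=home is never flagged because a query string containing an unencoded = is not turned into arguments at all.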
If you have any questions, don’t hesitate to reach out to us on Discord or Discourse.
Good luck patching, and stay safe out there, folks!