Overview 

The SonicWall Capture Labs threat research team became aware of an exploited-in-the-wild information disclosure vulnerability affecting the Windows-based PHP servers used in CGI mode. Identified as CVE-2024-4577 and given a CVSSv3 score of 9.8, the vulnerability is more severe than it initially appears. Labeled as an argument injection vulnerability and categorized as CWE-78 – Improper Neutralization of Special Elements used in an OS Command – this vulnerability allows an attacker to read/modify/execute any file on the system, take control and compromise affected servers. 

A proof of concept is publicly available on GitHub. The Windows machines running affected versions (PHP 8.3 < 8.3.8, PHP 8.2 < 8.2.20, PHP 8.1 < 8.1.29 or end-of-life) of PHP with specific locales in PHP-CGI mode on XAMPP installations are vulnerable. Although XAMPP is popular mainly for dev environments, up to 250k exposed Apache servers are running PHP on Windows, according to Shodan. PHP has released a patch, and it is advisable to update it immediately.  

Technical Overview  

This vulnerability allows threat actors to circumvent the PHP CGI mode by sending a crafted POST query to the vulnerable PHP server running Japanese and Chinese locales. 

PHP is a server scripting language, and a powerful tool for making dynamic and interactive web pages. It is extremely popular and is used in over 75% of all websites where the server-side programming language is known.  

The vulnerability is due to the misuse of the Best-Fit feature of encoding conversion in the Windows operating system which converts 0xAD to 0x2D. That means the trick lies in that %AD will be decoded to a “soft hyphen,” which PHP will turn into a real hyphen. While implementing PHP, the team overlooked this feature, allowing unauthenticated actors to bypass the security features of CVE-2012-1823, using specific characters or queries that allow them to execute arbitrary code. The PHP CGI module may misinterpret hyphen characters as PHP options, which may allow a malicious user to pass options to the PHP binary and thus run arbitrary PHP code on the server and compromise PHP sites. 

XAMPP users can be exploited directly when the Action directive is mapped to corresponding HTTP requests to a PHP-CGI executable binary in the Apache HTTP Server, as shown in Figure 1. 

Figure 1: PHP-CGI Function 

Figure 2: httpd-xampp.conf 

In another methodology, default XAMPP servers are vulnerable, because the PHP directory is exposed via ScriptAlias directive. 

ScriptAlias /php-cgi/ “C:/xampp/php/” 

Triggering the Vulnerability 

Before execution, there are a few basic vulnerability checks.  

• Primarily, the operating system should be Windows. 

• To ensure that CVE-2024-4577 would exploit a vulnerable PHP server, some lines related to the PHP-CGI function in httpd-xampp.conf should be enabled, as shown in Figures 1 and 2.  

• The vulnerable PHP servers should be set to either Japanese or Chinese (Simplified or Traditional) locales. This setting can be performed as shown in Figure 3.
  

An example POST request to trigger the vulnerability would look like: 

http[:]//target-ip:port/?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input 

This allows an attacker to inject command-line options into PHP when it is running in a CGI-based or default XAMPP setup. Malicious code can be passed through “php://input” and executed using the “auto_prepend_file” option to call “include_path.”. Additionally, the “auto_append_file” option is also accepted by vulnerable PHP servers. 

Exploiting the Vulnerability 

The necessary and sufficient condition to exploit the issue is a crafted POST request to vulnerable Apache servers with an enabled PHP-CGI function. An attacker only needs to be able to access the instance remotely which could be over the internet or a local network.  A working PoC with a crafted POST query aids in exploiting this vulnerability.  

Leveraging the publicly available PoC, a demonstration of exploitation can be seen in Figure 4. 

Figure 3: Control Panel 

Figure 4: CVE-2024-4577 Exploitation 

Out of the 250k exposed Apache servers running PHP on Windows, according to Shodan, multiple events were observed wherein attackers leveraged this vulnerability to upload malware in the second week of June 2024. According to Imperva analysis, it was peculiarly observed that the malware activity was a part of “TellYouThePass” ransomware. The ransomware appears to alter the service to an open directory, encrypt files and add ransom notes (with filenames including READ_ME9.html, READ_ME10.html, READ_ME11.html).  

There are around 1,000 compromised hosts online as of June 13, primarily in China, likely because Windows systems with Chinese or Japanese locales are inherently vulnerable due to their default XAMPP configuration. 

SonicWall Protections 

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released: 

• IPS: 4451 – PHP CGI Argument Injection. 

Remediation Recommendations 

Considering the severe consequences of this vulnerability and the trend of nefarious activists trying to leverage the exploit in the wild, users are strongly encouraged to upgrade their instances to PHP’s new releases, 8.3.8, 8.2.20 and 8.1.29, to address the vulnerability.  

Relevant Links 

• NVD 

• GitHub PoC 

• PHP  

• Patched Versions 

• Best-Fit in Windows 

• TellYouThePass 

• CVE-2024-4577-blog 

 

Overview

The SonicWall Capture Labs threat research team became aware of an exploited-in-the-wild information disclosure vulnerability affecting the Check Point Security Gateways. Identified as CVE-2024-24919 and given a CVSSv3 score of 8.6, the vulnerability is more severe than it initially appears. While labeled as a sensitive information disclosure vulnerability, it is actually a path traversal attack leading to an arbitrary read, allowing an attacker to read any file on the system. A proof of concept is publicly available on GitHub. To be vulnerable, the gateway needs to have Remote Access VPN or Mobile Access Software Blades enabled. Check Point has made a patch available, and it is advisable to update immediately.

Technical Overview

The flaw is a path traversal bug in the “/clients/MyCRL” endpoint, which can be exploited via manipulated POST requests containing the string “CSHELL/” somewhere in the request. Due to the use of the “strstr” function without proper sanitizing and validation of user input, an attacker can leverage path traversal sequences like “../” within the POST request (Figure 1). This ultimately allows access to sensitive files like /etc/shadow, which contain the password hashes for the system. For our analysis, we used version R80.

 

Figure 1: Vulnerable Code

To trigger and exploit this vulnerability, an attacker must send a POST request containing the string “CSHELL/” and include a path traversal sequence like “../”. This can be done in Python, as shown in the publicly available PoC and Figure 2 below, where “path” is the file the attacker wants access to.

Figure 2: Creating a POST request to obtain sensitive information

Leveraging this code, we can demonstrate dumping the gateway’s “/etc/shadow” file to obtain the system’s hashed credentials, as seen in Figure 3. An attacker can then attempt to crack these hashes to obtain administrative access to the firewall. The attack allows access to any file on the system and is not limited. Note that this is being done against the WAN interface, showing that it is accessible over the Internet.

Figure 3: Dumping Hashed Credentials

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

• IPS: 4440 Check Point Security Gateway Path Traversal

Remediation Recommendations

Check Point’s gateway users are advised to apply the hotfix found in the advisory immediately.  Check Point has labeled this a mandatory patch to express the criticality of the fix.

Relevant Links

• https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog
• https://support.checkpoint.com/results/sk/sk182336
• https://github.com/LucasKatashi/CVE-2024-24919/blob/main/CVE-2024-24919.py

 

 

 

 

 

 

The SonicWall Capture Labs threat research team has been observing a growth of malware built using the Chaos ransomware builder. The sample we have analyzed here is built using this kit, however, it is not intended to work as traditional ransomware, but rather, as a file destroyer. The intent appears to be the destruction of files in response to Italy’s stance on the Israel-Palestine conflict. It purports to be created on behalf of the Italian Socialist Party and is likely aimed at infecting machines within the Italian government’s infrastructure.

Infection Cycle

The malware uses the following icon:

Upon infection, files on the system are encrypted. Each file is given a file extension consisting of four random alphanumeric characters. As this malware is intended to destroy files, the decryption key is probably not stored by the attackers for file retrieval later on in exchange for money. A file named “Leggimi.txt” (“Read me” in Italian) is dropped into directories containing encrypted files. It contains the following message in Italian:

A rough translation of that message is as follows:

—————————- -Ransomware route

Italy must be punished for its alliance with the fascist state
By Israel, this malware was scheduled by Marxisti-Leninisti-Maoisti
To spread the anti -medical thought. Of the Palestinians are dying for Your actions, I will kill your files. There is no way to recover them.

Palestine Libera
Italy Red Unit and Socialists

The message makes no mention of file decryption for payment and no contact information is presented. Any encrypted files are therefore irretrievable.

Reverse engineering the malware reveals a list of targeted file extensions:

We can also see a list of directories that are targeted:

An image file is embedded in the malware executable file. It is base64 encoded:

After decoding the image, it is displayed as the desktop wallpaper:

SonicWall Capture Labs provides protection against this threat via the following signature:

• GAV: Cambiare_Rotta.RSM (Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Overview

This week, the SonicWall Capture Labs threat research team investigated a sample of the RemcosRAT that uses a PrivateLoader module to provide additional data and persistence on the victim’s machine. By installing VB scripts, altering the registry and setting up services to restart the malware at variable times or by control, this malware is able to infiltrate a system completely and remain undetected.

Infection Cycle

The sample is detected as a 32-bit PE file with no packer or protector.

Figure 1: Initial detection

When looking into the sections and API calls of the file, different tools give different reports. Detect It Easy shows API calls that have been cleared (to obfuscate what they’re doing), and TLS (Thread Local Storage) functionality, meaning that malicious code can be prepared or run before the main file has started at its entry point. PEStudio, however, shows all available API calls but no TLS functionality.

Figure 2: Every call from ws2_32.dll has been obfuscated

Figure 3: A separate tool shows all hidden calls

Once functions are properly labeled, the file is shown to have the following capabilities:

• Anti-analysis/ Anti-VM
  • GetSystemTimeAsFileTime
  • GetTickCount
  • IsDebuggerPresent
  • IsProcessorFeaturePresent
  • QueryPerformanceCounter
  • QueryPerformanceFrequency
• System Enumeration
  • CreateToolhelp32Snapshot
  • EnumDisplaySettingsW
  • EnumServicesStatusW
  • EnumSystemLocalesW
  • EnumWindows
  • FindFirstFileA/Ex/W
  • FindNextFileA/Ex/W
  • GetClipboardData
  • GetCurrentProcessId
  • GetCurrentThreadId
  • GetEnvironmentStrings
  • GetLogicalDriveStringsA
  • GetLocalTime
  • GetLocaleInfoA/W
  • GetNativeSystemInfo
  • GetStartupInfo
  • GetTimeZoneInformation
  • GetUserDefaultLCID
  • GetWindowThreadProcessId
  • IsLocaleValid
  • OpenClipboard
  • RegEnumKeyA/W
  • RegEnumValueA/W
  • SystemParametersInfoW
• Monitoring
  • GetCursorPos
  • GetForegroundWindow
  • GetKeyState
  • GetKeyboardLayout
  • GetKeyboardState
  • Mouse_event
  • ReadProcessMemory
  • SetWindowsHookExA
  • waveInAddBuffer
  • waveInStart
• Process Injection
  • GetProcessId
  • GetModuleHandleA/Ex/W
  • CreateProcessA/W
  • Process32FirstW
  • ProcessNextW
  • VirtualAlloc
  • VirtualFree
  • VirtualProtect
  • WriteProcessMemory
• Persistence
  • AdjustTokenPrivilege
  • ControlService
  • GetTempFileNameW
  • LookupPrivilegeValueA
  • OpenProcess
  • OpenProcessToken
  • RegCreateKeyA/Ex/W
  • RegDeleteKeyA/Ex/W
  • RegDeleteValueA/Ex/W
  • RegSetValueA/Ex/W
  • ShellExecuteExA/W
  • WriteFile
• Communication
  • InternetOpenUrlW
  • InternetReadFile
  • URLDownloadToFileW
  • URLOpenBlockingStreamW
  • Inet_addr
  • Gethostbyaddr
  • Gethostbyvalue
  • getservbyvalue
  • Connect
  • Send
  • socket
  • Recv

Runtime shows that if security checks are not initially cleared by modules within ntdll.dll, the main portion of the executable will not be touched before it exits. No files are dropped, and nothing is injected into memory.

Figure 4: Beginning of the security check function

Once security has been passed, which consists of VM, locale, timezone and analysis tool enumeration, two files are dropped.

• C:\Users\user\AppData\Local\Temp\install.vbs
• C:\Users\user\AppData\Roaming\data\notepads.exe

Notepads.exe is a copy of the parent executable placed for persistence. The script contains the following four lines and is deleted once executed – there is no check on whether or not this action is successful. The script will simply delete itself if it is run before ‘notepads.exe’ is dropped.

Figure 5: Install.vbs contents

User security access is then checked. If applicable, Windows User Access Control is disabled with the following command to allow for privileged access:

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

Figure 6: UAC is disabled

At this point, the system is enumerated fully and hooks are implemented to track keystrokes, mouse actions, audio and screen grabs. Targeted software includes browsers by searching the following locations for logins and cookie data, as well as the clipboard data being pulled:

\AppData\Local\Google\Chrome\User Data\Default\Login Data

\AppData\Local\Google\Chrome\User Data\Default\Cookies

\AppData\Roaming\Mozilla\Firefox\Profiles\

\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

\AppData\Local\Microsoft\Edge\

\Opera Software\Opera Stable\

\User Data\Default\Network\Cookies

This information is stored in ‘logins.json’ and ‘key3.db’, also seen in the screenshot below.

Figure 7: Browser paths and storage files

Once complete, ‘notepads.exe’ will open a socket on the system and reach out to two URLs. The first is a GET request to geoplugin(dot)net/json.gp, which returns geographic information pertaining to the victim’s IP address. The second is to nuevosremcs.duckdns.org. Once a connection is made, a config file is created and sent to the server. Here is the configuration observed during runtime:

{

“Host:Port:Password”: “nuevosremcs.duckdns.org:9090:1”,

“Assigned name”: “Nuevos”,

“Connect interval”: “1”,

“Install flag”: “Enable”,

“Setup HKCU\Run”: “Enable”,

“Setup HKLM\Run”: “Enable”,

“Install path”: “AppData”,

“Copy file”: “notepads.exe”,

“Startup value”: “system32”,

“Hide file”: “Disable”,

“Mutex”: “Rmc-WRNU47”,

“Keylog flag”: “1”,

“Keylog path”: “Application path”,

“Keylog file”: “logs.dat”,

“Keylog crypt”: “Disable”,

“Hide keylog file”: “Disable”,

“Screenshot flag”: “Disable”,

“Screenshot time”: “10”,

“Take Screenshot option”: “Disable”,

“Take screenshot title”: “”,

“Take screenshot time”: “5”,

“Screenshot path”: “AppData”,

“Screenshot file”: “Screenshots”,

“Screenshot crypt”: “Disable”,

“Mouse option”: “Disable”,

“Delete file”: “Disable”,

“Audio record time”: “5”

}

At this point the C2 has assumed control and can remotely stop, start and engage further monitoring or file downloads for other functionality.

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this malware, the following signatures have been released:

• PrivateLoader

IOCs

Parent sample / Notepads.exe: 27bb3968cc18fb0df5b14e6d1b805552

Install.vbs: a7fe45cc57afb3dba91ab77483fffa0a

Mutex Created

• \Sessions\1\BaseNamedObjects\Rmc-WRNU47

IP Addresses

• 246.82.10
• 237.33.50

URLs

• http://geoplugin.net/json.gp
• duckdns.org