If the pwd (present working directory) command is executed, you can see that the Meterpreter session has been opened in the C:\xampp\webdav directory. The database files of the desired website are not located in this directory, so we need to search for them under C:\xampp.
Affected versions of this package are vulnerable to Remote Code Execution (RCE): security/xamppsecurity.php in XAMPP 1.6.8 performs an extract operation on the $_SERVER superglobal array, which allows remote attackers to spoof critical variables, as demonstrated by setting the REMOTE_ADDR variable to 127.0.0.1.
This exploit is especially dangerous since PHP and XAMPP are widely used, the vulnerability is easy to exploit, it involves remote code execution (RCE), and a malicious payload proof-of-concept (PoC) is already available.
This vulnerability has been assigned the identifier CVE-2024-4577 with a CVSS score of 9.8 (Critical). Known exploit code exists and it is listed in the CISA KEV (Known Exploited Vulnerabilities) catalog. As of June 13th, it has an EPSS Probability Score of 93.20%, indicating that it is very likely to be exploited in the near future wherever the vulnerability exists.
For this reason, it is extremely important to follow the mitigation instructions described below, to ensure that your environment is not vulnerable. But before you can start mitigating, you first need to understand if and where you are vulnerable.
XAMPP is a cross-platform web server solution based on Apache HTTP Server, MariaDB database server, and script interpreters PHP and Perl. Because of the ease of deployment and the support for common applications such as WordPress and Joomla!, XAMPP is a popular platform for hosting web applications and might be the most common deployment of PHP.
The original exploit, which allows RCE on PHP servers, was discovered back in 2012 and patched as CVE-2012-1823. Recently, however, a new exploit has been detected that reopens this vulnerability. The attack targets XAMPP PHP servers running on Windows, specifically when PHP is configured to run in CGI (Common Gateway Interface) mode.
The known exploit code affects XAMPP running on Windows with traditional/simplified Chinese or Japanese settings. However, workloads using other languages besides English should be considered potentially exploitable.
To protect against this vulnerability, organizations should upgrade to the latest PHP versions: 8.3.8, 8.2.20, and 8.1.29. If you are unable to upgrade at this time, you should take additional action to mitigate the issue.
For administrators who do not need CGI, it is recommended to disable it:
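As an added defender-side example (not code from any of the vendors or articles quoted on this page), the following Python script applies the two mitigation criteria above to a host: whether its PHP build is at or above the fixed releases 8.3.8, 8.2.20 and 8.1.29, and whether Apache still exposes php-cgi through ScriptAlias or Action/AddHandler directives. The config excerpt is constructed, and treating branches newer than 8.3 as fixed is an assumption.

```python
import re

# Minimum fixed release per PHP branch, as stated in the advisory text above.
FIXED = {(8, 3): (8, 3, 8), (8, 2): (8, 2, 20), (8, 1): (8, 1, 29)}

def parse_version(text):
    """Turn '8.2.12' into (8, 2, 12); reject anything that is not x.y.z."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised PHP version: {text!r}")
    return tuple(int(p) for p in m.groups())

def php_is_fixed(version):
    """True if this release carries the fix. Branches older than 8.1 got no
    fix; branches newer than 8.3 are assumed (assumption) to ship with it."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    return v[:2] > (8, 3) if fixed is None else v >= fixed

def cgi_exposures(config_text):
    """Return active (non-commented) Apache directives that hand requests to
    php-cgi: ScriptAlias onto the PHP directory, or Action/AddHandler/SetHandler."""
    hits = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out directive is the mitigated state
        low = line.lower()
        directive = low.split()[0]
        if directive == "scriptalias" and "php" in low:
            hits.append(line)
        elif directive in ("action", "addhandler", "sethandler") and "php" in low and "cgi" in low:
            hits.append(line)
    return hits

def assess(php_version, config_text):
    """A host is exposed only while it runs an unfixed PHP *and* still routes
    requests to php-cgi; either mitigation alone closes the hole."""
    exposures = cgi_exposures(config_text)
    fixed = php_is_fixed(php_version)
    return {"php_fixed": fixed, "cgi_exposures": exposures,
            "vulnerable": (not fixed) and bool(exposures)}

# Constructed excerpt in the style of XAMPP's httpd-xampp.conf (not the real file).
SAMPLE_CONF = """\
ScriptAlias /php-cgi/ "C:/xampp/php/"
Action application/x-httpd-php-cgi "/php-cgi/php-cgi.exe"
"""
# The same excerpt after mitigation: every CGI directive commented out.
MITIGATED_CONF = "\n".join("# " + l for l in SAMPLE_CONF.splitlines())
```

Run `assess("8.2.12", SAMPLE_CONF)` against your own php -v output and httpd config to get a verdict dict; an empty `cgi_exposures` list or `php_fixed: True` means the host is no longer exposed.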
The Orca Cloud Security Platform performs comprehensive vulnerability management and automatically detects CVE-2024-4577 in vulnerable workloads on AWS, Azure, Google Cloud, Kubernetes, and more. Once detected, Orca helps you remove any risk by providing easy-to-follow mitigation instructions. Orca can also create custom mitigation code for your tool of choice (e.g. CLI, console, IaC tools) using built-in Generative AI remediation.
Since Orca has full visibility into your cloud environments, it ensures that no vulnerable assets are overlooked or missed through blind spots.
On June 7, 2024, a new critical PHP vulnerability CVE-2024-4577 was revealed, mainly impacting XAMPP on Windows. It happens when PHP runs in CGI mode with specific language settings, like Chinese or Japanese.
Hackers try to exploit the vulnerability within a day of its disclosure. The availability of proof-of-concept (PoC) attack code and active scans online underscores the urgency to apply immediate patches.
The default configuration of XAMPP, a widely used PHP development environment, is susceptible to exploitation. Even if PHP is not configured in CGI mode, simply exposing the PHP executable binary in the CGI directory makes it vulnerable.
In addition to relying on patches from the software vendor, the Indusface managed security team has developed rules specifically designed to swiftly detect injection vulnerabilities in PHP and prevent exploitation attempts.
Leveraging the expertise of our managed service team, along with built-in DAST Scanner and autonomous patching capabilities, AppTrana WAAP ensures that our customers remain protected from both new and existing exploits.
This means the vulnerability allows unauthenticated attackers to bypass the protection added for CVE-2012-1823 by using specific character sequences; arbitrary code can then be executed on remote PHP servers through an argument injection attack.
Based on the article from Devcore, it seems that exploitation has been verified in Windows in some specific languages, and an unauthorized attacker can directly execute arbitrary code on those vulnerable servers. The verified affected languages are:
This does not mean that the other languages are not affected by the vulnerability, so the recommended action is to upgrade your XAMPP installation, as this is the type of vulnerability that could be exploited massively.
The exploit code sends a POST HTTP Request to the URL and includes in the POST data the PHP code and a simple way to detect whether the exploit has been successful or not. The POST data can be any PHP code, like , that will pop the calculator in the vulnerable server.
In the image we can see that the Apache server (httpd.exe) creates a new process (php-cgi.exe) to handle the request, which in turn spawns a child process, cmd.exe /s /c whoami, once the vulnerability has been exploited.
The commands they execute gather information about the compromised host (network, processes, local and domain users, AD domains, etc.) that helps them gauge the size of the compromised organization. This is typical behavior for an Initial Access Broker (IAB), who will probably sell the access on a marketplace.
The majority of the exploitations we have been tracking since the publication of the vulnerability are very similar to what we have described, with minor variations in the additional checks the attacker performs to gather more information, such as listing the Tomcat users or the phpMyAdmin configuration bundled with XAMPP.
Today someone sent me an exploit for the Windows version of XAMPP: Using our xampp/adodb.php and a buffer overflow vulnerability in mssql_connect() the exploit is able to call arbitrary(!) commands on the targeted system.
"This vulnerability is incredibly simple, but that's also what makes it interesting," Tsai said. "Who would have thought that a patch, which has been reviewed and proven secure for the past 12 years, could be bypassed due to a minor Windows feature?"
Attack surface management company Censys said it identified about 458,800 exposures of potentially vulnerable PHP instances as of June 9, 2024, most of which are located in the U.S. and Germany. But it also noted that the number is likely an "overestimate of the true impact of this vulnerability," given it cannot detect when CGI mode is enabled.