Giters

PhinehasNarh / CVE-2024-4577-Defend

Repository from Github https://github.comPhinehasNarh/CVE-2024-4577-DefendRepository from Github https://github.comPhinehasNarh/CVE-2024-4577-Defend

Incident Response Walkthrough: Mitigating a Zero-Day Attack (CVE-2024-4577)

[LetsDefend Write-up] PHP-CGI (CVE-2024–4577)

Scenario: Our Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) identified a potential attack targeting a critical system component at 12:05 PM UTC. This write-up details the investigation process to confirm the exploitation attempt and understand the attacker's actions.

Investigation:

  1. Understanding the Vulnerability (CVE-2024-4577):

    • Resources provided valuable insights into the vulnerability and potential exploitation methods.

  2. Identifying the Vulnerable PHP Version:

    • Two methods were employed:
      • Analyzing news.txt for PHP update history.
      • Directly running php.exe -v to determine the version.
    • Vulnerable Version: 8.2.19

  3. Verifying PHP-CGI Configuration:

    • Analyzed httpd.conf to confirm the directive enabling exploitability through php-cgi.exe.

  4. Identifying Attacker's IP:

    • Examined access.log within the Apache logs directory.
    • Attacker IP: 192.168.110.1

  5. Targeted Page:

    • While the application primarily uses upload.php, the attacker might have used an index.html for testing purposes.
    • Targeted Page: ( Likely upload.php)

  6. Apache Version:

    • Inspected error.log to determine the Apache version.
    • Apache Version: 2.4.59

  7. Analyzing Executed Processes:

    • Initial investigation using PECmd and Timeline Explorer revealed no suspicious activity.
    • Correlating access and error logs identified successful attack attempts.
    • Timeline Explorer identified the following processes executed after successful exploitation:
      • whoami.exe
      • calc.exe

Exploit Identification: The attacker exploited the zero-day vulnerability (CVE-2024-4577).

Learning Outcomes:

  • This challenge provided hands-on experience with:
    • Investigating zero-day vulnerabilities (CVE-2024-4577)
    • Identifying vulnerable software versions
    • Analyzing exploit methods
    • Utilizing Prefetch for potential command detection

Note: This write-up excludes specific details like vulnerable version, attacker IP, and targeted page to avoid providing a blueprint for attackers.

Badge Acquired Cve 2024 4577 Php Cgi Cybersecurity Lets Defend Letsdefendio

Writeup By: ph1n3y

About