Vulnerability in PHP-FPM that allows remote code execution on the server

Corrective releases PHP 7.3.11, 7.1.33 and 7.2.24 are available, fixing a critical vulnerability (CVE-2019-11043) in PHP-FPM (FastCGI Process Manager) that allows remote code execution on the system. A working exploit for attacking servers that use PHP-FPM together with Nginx to run PHP scripts is already publicly available.

The attack is possible in nginx configurations where forwarding to PHP-FPM is done by splitting the URL with "fastcgi_split_path_info" and setting the PATH_INFO environment variable, without first checking that the file exists via the "try_files $fastcgi_script_name" directive or an "if (!-f $document_root$fastcgi_script_name)" check. The problem also shows up in the configuration recommended for the NextCloud platform. For example, configurations with constructs of the following form are vulnerable:

location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
}

You can track the status of fixes in distributions on these pages: Debian, RHEL, Ubuntu, SUSE/openSUSE, FreeBSD, Arch, Fedora. As a workaround, you can add a check for the existence of the requested PHP file after the "fastcgi_split_path_info" line:

try_files $fastcgi_script_name =404;
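As an added illustration that is not part of the original article, the following script audits nginx location blocks for the vulnerable shape described above (fastcgi_split_path_info plus PATH_INFO without either of the two existence checks). The sample configuration embedded in it is constructed for the demonstration.

```python
import re

# Constructed sample nginx config (not from the article): the first block has
# the vulnerable shape, the other two carry one of the two recommended checks.
SAMPLE_CONF = r"""
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
}
location ~ ^/app/.+\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    try_files $fastcgi_script_name =404;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
}
location ~ ^/legacy/.+\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    if (!-f $document_root$fastcgi_script_name) { return 404; }
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
}
"""

def _location_blocks(conf):
    """Yield (header, body) per location block, matching braces so a nested
    'if (...) { ... }' stays inside the body it belongs to."""
    for m in re.finditer(r"location\s+([^{]+?)\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1).strip(), conf[m.end():i - 1]

def audit_php_locations(conf):
    """Return [(header, risky)] for each block forwarding to PHP-FPM with
    fastcgi_split_path_info + PATH_INFO; risky is True when it has neither
    a try_files check on $fastcgi_script_name nor an 'if (!-f ...)' guard."""
    findings = []
    for header, body in _location_blocks(conf):
        # Drop comments so commented-out directives are not counted.
        body = "\n".join(ln.split("#", 1)[0] for ln in body.splitlines())
        if "fastcgi_split_path_info" not in body or not re.search(r"fastcgi_param\s+PATH_INFO\b", body):
            continue
        guarded = (re.search(r"try_files\s+\$fastcgi_script_name\b", body)
                   or re.search(r"if\s*\(\s*!-f\s+\$document_root\$fastcgi_script_name\s*\)", body))
        findings.append((header, guarded is None))
    return findings
```

Calling audit_php_locations(SAMPLE_CONF) flags only the first block; feed it the contents of your own site configs to find blocks that still need the try_files line.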

The problem is caused by an error in pointer handling in the file sapi/fpm/fpm/fpm_main.c. When a pointer is assigned, it is assumed that the value of the PATH_INFO environment variable always contains a prefix matching the path to the PHP script.
If the fastcgi_split_path_info directive splits the script path using a regular expression that is sensitive to a newline character (for example, many examples suggest "^(.+?\.php)(/.*)$"), an attacker can cause an empty value to be written to the PATH_INFO environment variable. In that case, execution continues by writing zero to path_info[0] and calling FCGI_PUTENV.

By requesting a specially formatted URL, an attacker can move the path_info pointer to the first byte of the "_fcgi_data_seg" structure; writing zero to that byte shifts the "char *pos" pointer into the preceding memory area. The subsequent FCGI_PUTENV call then overwrites data in that memory with an attacker-controlled value. This memory also holds the values of other FastCGI variables, and by overwriting them the attacker can create a fake PHP_VALUE variable and achieve execution of their code.

Source: opennet.ru