Hossam Elshahawi


New vulnerability would affect web servers using Nginx and PHP-FPM


If you run a PHP site on NGINX with PHP-FPM enabled for better performance, beware of a newly disclosed vulnerability in PHP-FPM that could allow unauthenticated attackers to achieve remote code execution (RCE) on the web server.

The CVE-2019-11043 flaw does not require special skills to exploit and take over a server: it is an env_path_info underflow in PHP-FPM’s fpm_main.c. This means the issue only impacts NGINX servers with PHP-FPM enabled.

Which servers running PHP are vulnerable?

Though the publicly released PoC exploit is designed to specifically target vulnerable servers running PHP 7+ versions, the PHP-FPM underflow bug also affects earlier PHP versions and could be weaponized in a different way.

In brief, a website is vulnerable if:

  1. NGINX is configured to forward requests for PHP pages to the PHP-FPM processor,
  2. the fastcgi_split_path_info directive is present in the configuration and includes a regular expression beginning with a ‘^’ symbol and ending with a ‘$’ symbol,
  3. the PATH_INFO variable is defined with the fastcgi_param directive,
  4. there are no checks such as try_files $uri =404 or if (-f $uri) to determine whether the requested file actually exists.

This vulnerable NGINX and PHP-FPM configuration looks like the following example (the existence check from point 4 is missing):

```
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO       $fastcgi_path_info;
    fastcgi_pass   php:9000;
    ...
}
```
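To turn the four conditions above into something you can run against your own configuration, here is a small audit script. It is an added example written for this post, not code from the original article or from the PHP or NGINX projects. It scans each `location` block in a config file for the combination of fastcgi_pass, an anchored fastcgi_split_path_info regex, a PATH_INFO fastcgi_param and the absence of a try_files =404 / if (-f ...) check. Both sample configs embedded in it are constructed for the demonstration: the vulnerable block from the post, and the same block with `try_files $uri =404;` added. The script only reads the text it is given; it does not follow `include` directives, so settings inherited from included snippets are not seen.

```python
"""Audit an nginx config for the CVE-2019-11043 PHP-FPM exposure pattern.

Added example (not from the original post). Flags a `location` block when all
four conditions from the post hold at once. Limitation (assumption): `include`
files are not followed, so a try_files or PATH_INFO line living in an included
snippet is invisible to this check.
"""
import re
from typing import Dict, List

# Constructed sample: the vulnerable block shown in the post, inside a server.
VULNERABLE_CONF = r"""
server {
    listen 80;
    root /var/www/html;
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO       $fastcgi_path_info;
        fastcgi_pass   php:9000;
        include fastcgi_params;
    }
}
"""

# Constructed sample: identical, except the file-existence check is present.
HARDENED_CONF = VULNERABLE_CONF.replace(
    "fastcgi_split_path_info",
    "try_files $uri =404;\n        fastcgi_split_path_info",
)

# One directive per line is assumed; nginx allows several per line but the
# usual hand-written configs do not do that.
SPLIT_RE = re.compile(r"^\s*fastcgi_split_path_info\s+(\S+)\s*;", re.M)
PATH_INFO_RE = re.compile(r"^\s*fastcgi_param\s+PATH_INFO\b", re.M)
PASS_RE = re.compile(r"^\s*fastcgi_pass\b", re.M)
EXIST_CHECK_RE = re.compile(r"^\s*try_files\b[^;]*=404|^\s*if\s*\(\s*-f\b", re.M)


def location_blocks(conf: str) -> List[Dict[str, str]]:
    """Return every `location ... { ... }` block as {'header', 'body'}.

    Braces are matched by counting, so a nested `if { }` stays inside the
    body of the location that contains it instead of ending it early.
    """
    blocks = []
    for match in re.finditer(r"\blocation\b([^{]*)\{", conf):
        depth, i = 1, match.end()
        while i < len(conf) and depth:
            if conf[i] == "{":
                depth += 1
            elif conf[i] == "}":
                depth -= 1
            i += 1
        blocks.append({"header": match.group(1).strip(),
                       "body": conf[match.end():i - 1]})
    return blocks


def audit_block(body: str) -> Dict[str, bool]:
    """Evaluate the four conditions from the post for one location body."""
    split = SPLIT_RE.search(body)
    regex = split.group(1) if split else ""
    return {
        "forwards_to_fpm": bool(PASS_RE.search(body)),
        "anchored_split_regex": regex.startswith("^") and regex.endswith("$"),
        "sets_path_info": bool(PATH_INFO_RE.search(body)),
        "lacks_existence_check": not EXIST_CHECK_RE.search(body),
    }


def audit_config(conf: str) -> List[dict]:
    """Audit every location block; 'exposed' is True only if all four hold."""
    results = []
    for block in location_blocks(conf):
        findings = audit_block(block["body"])
        results.append({"location": block["header"], **findings,
                        "exposed": all(findings.values())})
    return results


if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        for r in audit_config(conf):
            status = "EXPOSED" if r["exposed"] else "ok"
            print(f"{label:10} location {r['location']!r}: {status}  {r}")
```

Run it against a real file with `audit_config(open("/etc/nginx/sites-enabled/default").read())`. A block reported as exposed is the configuration the post describes; adding `try_files $uri =404;` (or updating PHP, as the post says below) clears it. Because includes are not resolved, treat a clean result as a first pass and confirm with the actual merged configuration (`nginx -T`).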


Test Script

To reproduce the issue, take the following steps:

  1. Build PHP with --enable-fpm and ASAN enabled.
  2. Download https://www.dropbox.com/s/igh986udgzqoagh/reproducer.tar.xz?dl=0
  3. (The following steps assume you are in the reproducer directory from the archive.)
  4. Run nginx using
     sudo /usr/sbin/nginx -p $PWD -c nginx.conf
  5. Run php-fpm using
     path/to/php-fpm -y ./php-fpm.conf -F
  6. Visit the (pretty long) link from crash_link.txt using another tool, for example curl $(cat crash_link.txt).

Expected Result

No crash should happen.

Actual Result

You will get a crash.

So if you get the crash output, your server is in danger and you should update PHP.

Patch/Fix

Current Stable PHP 7.3.11 & Old Stable PHP 7.2.24 have been released to address this issue. Please update as soon as possible. For further information, please visit the links below.

Since the PoC exploit is already available and the patch was released just yesterday, it is quite possible that attackers have already started scanning the Internet for vulnerable websites.

So, users are strongly advised to update PHP to the latest PHP 7.3.11 and PHP 7.2.24. Just do it, even if you are not using the vulnerable configuration.
