PHP FPM (FastCGI Process Manager) is an advanced PHP FastCGI implementation with added features and is very useful for heavily loaded sites. A vulnerability was discovered in PHP FPM which has been exploited in-the-wild.
NGINX servers with PHP-FPM are found to be vulnerable. The vulnerability is tracked as CVE-2019-11043 and classified as a buffer underflow (CWE-124). A buffer underflow is a flaw in which a pointer is moved to a location before the start of the buffer it is meant to reference. An attacker can use this to leak sensitive information or execute arbitrary code.
In this case, the flaw exists in the handling of env_path_info in the file sapi/fpm/fpm/fpm_main.c, which performs pointer arithmetic that assumes the pointer correctly addresses the PHP script. Because the existence of the path or file is never verified, an incorrect pointer value is stored in the ‘path_info’ variable.
The advisory explains that when the nginx configuration matches the pre-conditions listed below, a crafted URL containing a newline character can break the regex in the ‘fastcgi_split_path_info’ directive, which leads to code execution. This type of configuration is not uncommon. Further on in the code the value of path_info is set to zero, and FCGI_PUTENV is then called. Here, an attacker can use a crafted URL whose path and query string have carefully chosen lengths to make path_info point to the first byte of the _fcgi_data_seg structure. When zeros are written there, the char* pos pointer moves backwards and FCGI_PUTENV overwrites some FastCGI variables and other data with the new script path. A set of config values carrying a fake PHP_VALUE FastCGI variable can then be used for remote code execution.
Emil Lerner first reported the vulnerability to the vendor in September 2019. Omar Ganiev, a security researcher, tweeted about the vulnerability in PHP-FPM and also published a PoC.
A certain set of pre-conditions must be met for the server to be vulnerable:
- The location directive in nginx forwards requests to php-fpm.
- fastcgi_split_path_info must be present and must contain a regex which starts with ‘^’ and ends with ‘$’.
- fastcgi_param must be assigned a value using the variable.
- File existence checks like ‘try_files $uri =404’ or ‘if (-f $uri)’ must not be present.
PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 are found to be vulnerable.
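The following is an added example, not code from the advisory or from the PHP or nginx projects. It audits an nginx configuration for the pre-conditions listed above and checks whether a PHP version falls in one of the vulnerable ranges. The two configuration snippets are constructed for the example: the first matches every pre-condition, the second adds a try_files check and so does not. The example assumes that the variable referred to in the fastcgi_param pre-condition is nginx's $fastcgi_path_info (the second capture of fastcgi_split_path_info); the function and variable names are the example's own.

```python
import re

# Constructed sample nginx configs for the example (not taken from the advisory).
VULNERABLE_CONF = """
server {
    location ~ [^/]\\.php(/|$) {
        fastcgi_split_path_info ^(.+?\\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass php:9000;
    }
}
"""

HARDENED_CONF = """
server {
    location ~ [^/]\\.php(/|$) {
        fastcgi_split_path_info ^(.+?\\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        try_files $uri =404;
        fastcgi_pass php:9000;
    }
}
"""


def location_blocks(conf):
    """Return (header, body) pairs for each location block, tracking nested braces."""
    blocks = []
    for m in re.finditer(r'\blocation\b[^{]*\{', conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            if conf[i] == '{':
                depth += 1
            elif conf[i] == '}':
                depth -= 1
            i += 1
        blocks.append((conf[m.start():m.end() - 1].strip(), conf[m.end():i - 1]))
    return blocks


def audit_location(body):
    """Evaluate one location body against the advisory's pre-conditions."""
    passes_to_fpm = re.search(r'^\s*fastcgi_pass\b', body, re.M) is not None
    split = re.search(r'^\s*fastcgi_split_path_info\s+([^;\s]+)\s*;', body, re.M)
    # The regex must be anchored at both ends ('^' ... '$').
    regex_anchored = bool(split) and split.group(1).startswith('^') and split.group(1).endswith('$')
    # Assumption: the variable in question is $fastcgi_path_info.
    uses_path_info = re.search(r'^\s*fastcgi_param\s+\S+\s+[^;]*\$fastcgi_path_info', body, re.M) is not None
    # A try_files or if (-f ...) check makes the location not match the pre-conditions.
    has_file_check = re.search(r'^\s*(try_files\b|if\s*\(\s*-f\b)', body, re.M) is not None
    return {
        'passes_to_fpm': passes_to_fpm,
        'regex_anchored': regex_anchored,
        'uses_path_info': uses_path_info,
        'has_file_check': has_file_check,
        'matches_preconditions': passes_to_fpm and regex_anchored and uses_path_info and not has_file_check,
    }


def audit_config(conf):
    """Audit every location block in an nginx config string."""
    return [(header, audit_location(body)) for header, body in location_blocks(conf)]


def php_version_affected(version):
    """True if the PHP version is below the fixed release of a listed branch."""
    fixed = {(7, 1): 33, (7, 2): 24, (7, 3): 11}
    major, minor, patch = (int(x) for x in version.split('.')[:3])
    if (major, minor) not in fixed:
        return False  # branches the advisory does not list
    return patch < fixed[(major, minor)]


if __name__ == '__main__':
    for name, conf in (('vulnerable', VULNERABLE_CONF), ('hardened', HARDENED_CONF)):
        for header, result in audit_config(conf):
            print(name, header, result['matches_preconditions'])
    for v in ('7.3.10', '7.3.11', '7.2.23', '7.1.32', '7.4.0'):
        print(v, php_version_affected(v))
```

Because the file-existence check alone breaks the pre-conditions, adding ‘try_files $uri =404;’ to an affected location is a quick mitigation while the PHP upgrade is scheduled; the audit reports ‘has_file_check’ separately so that both the upgrade state and the configuration mitigation can be tracked.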
An attacker can exploit the vulnerability to execute code remotely.
The vendor has fixed this vulnerability with the release of PHP 7.3.11 (current stable) and PHP 7.2.24 (old stable). We urge those using nginx with PHP-FPM to update their machines with the latest patches.