PHP Remote Code Execution Vulnerability Analysis (CVE-2019-11043)

Recently, Mechuang Security Lab observed that PHP officially disclosed a high-risk remote code execution vulnerability (CVE-2019-11043) affecting some Nginx + php-fpm configurations. An attacker could use this vulnerability to perform remote code execution against a target website. Although the impact of this vulnerability is limited, the affected configuration is widely published, so operations and maintenance staff running nginx + php-fpm should check their configurations promptly.

0x00 vulnerability timeline

From September 14 to 18, foreign security researcher Andrew Danau, while participating in the Real World CTF, found that sending a %0a character in the target server's URL caused the service to return an exception, and suspected a vulnerability.
On September 26, PHP officially issued a vulnerability notice pointing out that servers using Nginx + php-fpm have a remote code execution vulnerability under some configurations, and that because the configuration is widely used the potential harm is great.
From October 21 to 22, PHP officially released the fix, and the vulnerability POC was made public.
On October 24, Lab No. 59 issued a vulnerability warning.

0x01 vulnerability description

When Nginx processes a request containing %0a with fastcgi_split_path_info, PATH_INFO becomes empty because of the line break (\n), and php-fpm has a logic flaw when PATH_INFO is empty. An attacker can achieve remote code execution through a carefully constructed payload. Note, however, that the fastcgi configuration involved is not Nginx's default configuration.

0x02 affected version

A server running Nginx + php-fpm is vulnerable to RCE when the following configuration is used in the nginx/conf/nginx.conf configuration file:

location ~ [^/]\.php(/|$) {
  ...
  fastcgi_split_path_info  ^(.+?\.php)(/.*)$;
  fastcgi_param PATH_INFO       $fastcgi_path_info;
  fastcgi_pass   php:9000;
  ...
}

When fastcgi_split_path_info is configured as ^(.+?\.php)(/.*)$;, an attacker can trigger remote code execution with a carefully constructed payload. The POC published on GitHub writes a webshell into the website directory to create a backdoor. Although php-fpm has been integrated into the PHP core since PHP >= 5.3.3, servers with the above configuration are still at risk of attack.

0x03 vulnerability principle

The server-side configuration is as follows:
[figure omitted]
The POC sent to the server is handled by fpm_main.c; the source file is at:
https://github.com/php/php-src/blob/master/sapi/fpm/fpm/fpm_main.c

The vulnerability is mainly caused by an underflow of env_path_info in the sapi/fpm/fpm/fpm_main.c file of PHP-FPM (around line 1150): when \n (%0a) is introduced into the URL, the PATH_INFO that nginx passes to php-fpm is empty. The combination of FCGI_PUTENV and PHP_VALUE can then be used to modify the PHP configuration of the current php-fpm process, and arbitrary code execution is triggered once the specially constructed configuration takes effect.
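The following Python snippet is an added example (not code from this post, from PHP or from nginx). It mimics how nginx's fastcgi_split_path_info regex behaves on a percent-decoded URI containing %0a, which is why PATH_INFO arrives empty at php-fpm, and it audits a constructed nginx configuration for the directive combination quoted above. The helper names, the sample config and the use of try_files as the sign of a guarded block are assumptions.

```python
import re
from urllib.parse import unquote

# Regex from the affected nginx configuration quoted on this page.
SPLIT_RE = r'^(.+?\.php)(/.*)$'

# Constructed sample nginx config (an assumption, not taken from a real server).
SAMPLE_CONF = """\
server {
    location ~ [^/]\\.php(/|$) {
        fastcgi_split_path_info ^(.+?\\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass php:9000;
    }
    location /static/ {
        root /var/www;
    }
}
"""

def split_path_info(raw_uri, pattern=SPLIT_RE):
    """Mimic nginx fastcgi_split_path_info: the URI is percent-decoded before
    matching, and '.' in PCRE (as in Python's re) does not match a newline.
    Returns (fastcgi_script_name, fastcgi_path_info). When the regex does not
    match, nginx leaves $fastcgi_path_info empty, which is the empty PATH_INFO
    that php-fpm mishandles."""
    uri = unquote(raw_uri)
    m = re.match(pattern, uri)
    if not m:
        return uri, ""
    return m.group(1), m.group(2)

def audit_nginx_conf(conf_text):
    """Self-check helper (hypothetical name): return the headers of location
    blocks that combine the three directives from the vulnerable example and
    have no try_files guard. Uses simple brace matching; 'include' files are
    not followed, so run it on the fully expanded config."""
    findings = []
    for m in re.finditer(r'location\s+[^{]*\{', conf_text):
        depth, i = 1, m.end()
        while i < len(conf_text) and depth:
            depth += {'{': 1, '}': -1}.get(conf_text[i], 0)
            i += 1
        body = conf_text[m.end():i - 1]
        def has(directive):
            return re.search(r'^\s*' + directive, body, re.M) is not None
        if (has(r'fastcgi_split_path_info\b')
                and has(r'fastcgi_param\s+PATH_INFO\s+\$fastcgi_path_info')
                and has(r'fastcgi_pass\b') and not has(r'try_files\b')):
            findings.append(m.group(0).rstrip('{').strip())
    return findings
```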

0x04 vulnerability recurrence

Using the vulhub environment, reproduce the CVE-2019-11043 vulnerability.
Run docker-compose up -d in the vulhub/php/CVE-2019-11043 directory to start the vulnerable environment.
View the server configuration in vulhub/php/CVE-2019-11043/default.conf.
Use the phuip-fpizdam tool to exploit the vulnerability.
Download https://github.com/neex/phuip-fpizdam with wget, unzip it, enter the directory and run go build to produce the phuip-fpizdam binary (the build targets the current OS automatically).
Use the phuip-fpizdam binary just built to send the packets.
As can be seen, the attack has executed successfully. Then visit http://localhost:8080/index.php with the parameter a, where a is the injection point for command injection, in the form /bin/sh -c 'PAYLOAD' &. Injecting commands such as id or whoami returns their output, which proves successful exploitation.
Note that php-fpm starts multiple child processes, so the command injection must be attempted several times until the polluted process is hit.

0x05 emergency mitigation measures

High risk: the vulnerability details and test code are public. It is recommended to apply the security update, enable the officially recommended example configuration, or deploy a WAF or other security protection equipment to monitor for exploitation attempts.

Threat analysis: this is a remote code execution vulnerability. Given the number of users of the product worldwide, a malicious attacker may develop an automated attack program targeting it that implants backdoors after exploitation and then drops miners, DDoS bots, Trojans or other malware, or spreads as a worm, affecting the normal provision of web services.

Secure development suggestions: PHP family products have had multiple security vulnerabilities reported over the years. Companies using these products are advised to strengthen user input filtering through secure coding practices and to keep an eye on security update announcements.

0x06 Repair and defense methods

  1. Modify the fastcgi_split_path_info regular expression in the Nginx configuration file so that non-printable characters are not allowed after .php.
  2. If circumstances permit, suspend use of the Nginx + php-fpm service.
  3. According to the business requirements of your actual production environment, delete the following configuration:
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
Source: blog.csdn.net/m0_38103658/article/details/102783914