Early Warning: How to Address the PHP Remote Code Execution Vulnerability

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--


On September 26, 2019, the PHP project published a vulnerability bulletin disclosing a remote code execution vulnerability caused by an env_path_info underflow in the fpm_main.c file in PHP-FPM. The vulnerability is exposed when PHP-FPM and Nginx are used together under a particular configuration. A PoC for the vulnerability was published on October 22, 2019. Because PHP and Nginx are widely deployed together and an attacker can use this vulnerability to execute arbitrary code remotely, its impact is high.

PHP-FPM Component Introduction

PHP-FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation with a few additional features. It can be used for sites of all sizes, especially busy ones.

For PHP versions prior to 5.3.3, PHP-FPM is a patch set that integrates FastCGI process management into the PHP package. If you are using a PHP version prior to 5.3.3, you must apply the patch to your PHP source code, then compile and install PHP before you can use it. Since PHP 5.3.3, php-fpm has been integrated into PHP and is no longer a third-party package. PHP-FPM provides better PHP process management, effective control over memory and processes, and graceful reloading of the PHP configuration.

Vulnerability Description

The vulnerability is caused by an env_path_info underflow in the fpm_main.c file in PHP-FPM. The code at line 1140 of sapi/fpm/fpm_main.c performs pointer arithmetic that assumes env_path_info has a prefix equal to the path of the PHP script. However, the code does not check that this assumption holds, and the missing check leaves the pointer in the "path_info" variable invalid.

These conditions can be met in standard Nginx configurations. If there is such an Nginx configuration:

An attacker could use a newline character (encoded as %0a) to break the regexp in the fastcgi_split_path_info directive. The broken regexp results in an empty PATH_INFO, which triggers this error.
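A defender-side check for the behaviour described above, as an added example that is not part of the original article: it percent-decodes request paths from access-log lines, flags PHP requests whose path contains a decoded newline, and shows that the split regexp no longer matches them. The regexp, the log format and the sample lines are assumptions constructed for illustration, since the page's own Nginx configuration is not shown.

```python
import re
from urllib.parse import unquote

# Assumed value of fastcgi_split_path_info (a commonly used pattern,
# not taken from the page, whose configuration is missing).
SPLIT_RE = re.compile(r"^(.+?\.php)(/.*)$")
# Request line as it appears in a combined-format access log.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP ranges, invented paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Oct/2019:10:00:01 +0000] "GET /index.php/user/42 HTTP/1.1" 200 512',
    '198.51.100.7 - - [23/Oct/2019:10:00:02 +0000] "GET /index.php/a%0Ab?x=1 HTTP/1.1" 502 0',
    '192.0.2.10 - - [23/Oct/2019:10:00:03 +0000] "GET /static/app.css HTTP/1.1" 200 900',
    '198.51.100.7 - - [23/Oct/2019:10:00:04 +0000] "GET /notes%0a.txt HTTP/1.1" 404 0',
]

def split_path_info(decoded_path):
    """Apply the split regexp; return (script, path_info) or None on no match."""
    m = SPLIT_RE.match(decoded_path)
    return (m.group(1), m.group(2)) if m else None

def inspect_line(line):
    """Return a finding dict for one log line, or None if it has no request."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    raw_path = m.group("target").split("?", 1)[0]   # drop the query string
    decoded = unquote(raw_path)                      # %0a -> "\n"
    has_newline = "\n" in decoded or "\r" in decoded
    targets_php = ".php" in decoded.lower()
    return {
        "path": raw_path,
        "suspicious": targets_php and has_newline,
        # None here means the regexp failed, so PATH_INFO would be empty.
        "split": split_path_info(decoded),
    }

def scan(lines):
    """Return findings for PHP requests that carry an encoded newline."""
    findings = (inspect_line(line) for line in lines)
    return [f for f in findings if f and f["suspicious"]]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("encoded newline in PHP request:", hit["path"], "split =", hit["split"])
```

A hit is a reason to look at the request and the server's PHP-FPM version, not proof of compromise on its own.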

This error can lead to code execution. In the following code, path_info[0] is set to 0 and FCGI_PUTENV is called. An attacker could use a carefully chosen URL path length and query string to make path_info point precisely to the first byte of the _fcgi_data_seg structure. Writing a 0 there moves the 'char* pos' field backwards, and FCGI_PUTENV then overwrites some data (including other FastCGI variables) with the script path. Using this technique, an attacker could create a fake PHP_VALUE fcgi variable and execute code using a series of carefully chosen configuration values.

Affected Products:

Nginx + php-fpm servers are affected if they run a PHP-FPM downloaded before the 2019-09-26 update and are configured as follows.

Sangfor Solutions

The Sangfor next-generation firewall can defend against this vulnerability. Users who have deployed the next-generation firewall are advised to turn on its security defense modules to defend against this high-risk vulnerability.

Sangfor Cloud Shield automatically updated its protection rules from the cloud as soon as the vulnerability was disclosed, so Cloud Shield users are protected against this high-risk vulnerability without any action on their part.

Repair suggestions

1. If the business does not require the following configuration, it is recommended that the user delete:

2. Use the latest PHP version from GitHub.
