2025-01-19 update. Source: SLTechnology News&Howtos (shulou), Network Security section.
Shulou (Shulou.com), 06/01 report
This article covers the impact and repair of the PHP-FPM remote code execution vulnerability (CVE-2019-11043). Many people run into this situation in practice, so the editor walks through how to reproduce it, how it works, and how to fix it. Read it carefully and you should get something out of it.
Vulnerability reproduction
To reproduce the vulnerability conveniently, we use vulhub to build the vulnerable environment:
https://github.com/vulhub/vulhub/tree/master/php/CVE-2019-11043
Pull the repository, then run `docker-compose up -d`.
Visit http://{your_ip}:8080/
Download the exp published on GitHub (requires a Go environment):
go get github.com/neex/phuip-fpizdam
Then compile it:
go install github.com/neex/phuip-fpizdam
Run the exp against the demo site:
phuip-fpizdam http://{your_ip}:8080/
The attack succeeds.
Vulnerability analysis
Before analyzing the principle of the vulnerability, we can look directly at the commit that fixes it:
https://github.com/php/php-src/commit/ab061f95ca966731b1c84cf5b7b20155c0a1c06a#diff-624bdd47ab6847d777e15327976a9227
From the commit it is clear that the root cause is a controllable address derived from path_info. This matches the information disclosed by the vulnerability's discoverer:
The regexp in `fastcgi_split_path_info` directive can be broken using the newline character (in encoded form, %0a). Broken regexp leads to empty PATH_INFO, which triggers the bug.
That is, when path_info is cut off by %0a, path_info is left empty. With that in mind it is easy to find the problem in the code.
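To see concretely why the newline breaks the anchored expression, here is an added Python example (not part of the original article) that mimics nginx's fastcgi_split_path_info matching on a decoded URI, comparing the default anchored pattern with the same pattern without the trailing $:

```python
import re
from typing import Tuple
from urllib.parse import unquote

# Default pattern from the nginx documentation; anchored with ^ ... $.
SPLIT_ANCHORED = r"^(.+?\.php)(/.*)$"
# Same expression without the trailing anchor, for comparison only.
SPLIT_UNANCHORED = r"^(.+?\.php)(/.*)"


def split_path_info(pattern: str, request_uri: str) -> Tuple[str, str]:
    """Approximate nginx's fastcgi_split_path_info.

    nginx matches the pattern against the already percent-decoded $uri, so
    %0a is a real newline by the time the regex runs. On a match, capture 1
    becomes $fastcgi_script_name and capture 2 becomes $fastcgi_path_info.
    On no match, $fastcgi_path_info is empty and $fastcgi_script_name falls
    back to the full URI (this fallback is modelled here as an assumption).
    """
    decoded = unquote(request_uri)
    m = re.match(pattern, decoded)
    if not m:
        return decoded, ""
    return m.group(1), m.group(2)


def path_info_is_empty(pattern: str, request_uri: str) -> bool:
    """True when the request would reach PHP-FPM with an empty PATH_INFO."""
    return split_path_info(pattern, request_uri)[1] == ""


if __name__ == "__main__":
    for uri in ("/index.php/123", "/index.php/123%0atest.php"):
        print(uri, "->", split_path_info(SPLIT_ANCHORED, uri))
```

With the anchored pattern, `.` cannot cross the newline and `$` cannot match before it, so the whole match fails and PATH_INFO is empty; without the `$` the same URI still splits into `/index.php` and `/123`.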
Here env_path_info is the address of the path_info variable. If path_info is empty, pilen is 0.
The slen variable is derived from the length of the requested URL:
int ptlen = strlen(pt);
int slen = len - ptlen;
where
int len = script_path_translated_len;
len is the length of script_path_translated, which comes from the nginx configuration. For the request URL http://127.0.0.1/index.php/123%0atest.php it is the length of /var/www/html/index.php/123\ntest.php.
ptlen is the length of pt, the part of the path before the first slash that follows the script. For the same request URL, pt is /var/www/html/index.php.
The difference between the two is the length of the trailing part of the path, and because that path is controllable, path_info is controllable.
Because path_info is controllable, the write at line 1222 zeroes a byte at an address we choose. According to the discoverer's description, this lets us zero the char* pos field of the _fcgi_data_seg structure.
The script_name likewise comes from the request and the configuration.
So why does zeroing the char* pos of the _fcgi_data_seg structure affect the result of FCGI_PUTENV?
Here we take an in-depth look at the definition of FCGI_PUTENV:
char* fcgi_quick_putenv(fcgi_request *req, char* var, int var_len, unsigned int hash_value, char* val)
Following the function fcgi_quick_putenv:
https://github.com/php/php-src/blob/5d6e923d46a89fe9cd8fb6c3a6da675aa67197b4/main/fastcgi.c#L1703
The function manipulates the request's env directly, and that member is initialized earlier:
https://github.com/php/php-src/blob/5d6e923d46a89fe9cd8fb6c3a6da675aa67197b4/main/fastcgi.c#L908
Continuing into the initialization function fcgi_hash_init:
https://github.com/php/php-src/blob/5d6e923d46a89fe9cd8fb6c3a6da675aa67197b4/main/fastcgi.c#L254
That is, request->env is the fcgi_data_seg structure mentioned earlier, and request->env holds the variables that nginx passes when it communicates with FastCGI.
Some of these variables are defined in the nginx configuration.
The variables are stored at the corresponding location on the heap.
Back to the exploitation process: by controlling path_info so that it points at request->env, we set request->env->pos to zero.
Go back to the assignment function, fcgi_hash_set.
It then enters fcgi_hash_strndup.
Here the low byte of h->data->pos has been set to 0, and str is controllable, which means we can write data to an earlier position.
The question is, how do we write data to the location we want, and how do we write the value we want into the configuration we target?
Take the request sent by the exp as an example.
GET / index.php/PHP_VALUE%0Asession.auto_start=1;;;?QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ HTTP/1.1Host: ubuntu.local:8080User-Agent: Mozilla/5.0D-Gisos: 8==DEbut: mamku tvoyu
In this request, the last two headers do the work: D-Gisos is responsible for the displacement so that data is written to the specified location.
Ebut is converted into the HTTP_EBUT variable, which is a fastcgi_param. Next we need to know how FastCGI looks up a variable:
https://github.com/php/php-src/blob/5d6e923d46a89fe9cd8fb6c3a6da675aa67197b4/main/fastcgi.c#L328
When FastCGI looks up a variable, it reads the length stored at the given position, compares the name, and then reads a string as the value.
That is, as long as the position is reasonable, the variable name matches and the length matches, FastCGI will read the corresponding data.
HTTP_EBUT and PHP_VALUE have exactly the same length, which can be confirmed from the change in the data on the heap.
Before the overwrite, the data at this address is the original HTTP_EBUT entry.
Then fcgi_quick_putenv executes.
The data at the address is changed.
We have successfully written PHP_VALUE and control its contents, which means we can control any PHP configuration variable.
There are many ways to attack once any PHP configuration variable can be controlled. Here is the approach used in the exp.
The exp author turns on auto-include and sets the include directory to /tmp, sets the log path to /tmp/a and writes the payload into the log file, then has /tmp/a included automatically through auto_prepend_file to construct the backdoor.
Vulnerability repair
After an in-depth study of the vulnerability, we recommend two ways to fix it.
Temporary fix:
Modify the nginx configuration and add the following to the location block that handles PHP:
try_files $uri =404;
With this, nginx checks whether the file exists, and when it does not, the request is not passed to php-fpm.
Official fix:
Update PHP 7.1.x to 7.1.33: https://github.com/php/php-src/releases/tag/php-7.1.33
Update PHP 7.2.x to 7.2.24: https://github.com/php/php-src/releases/tag/php-7.2.24
Update PHP 7.3.x to 7.3.11: https://github.com/php/php-src/releases/tag/php-7.3.11
Vulnerability impact
Combining the exploitation conditions given on the exp's GitHub page, we can summarize the conditions required and the scope of impact as completely as possible.
1. nginx + php-fpm, with a location such as `location ~ [^/]\.php(/|$)` forwarding the request to php-fpm.
2. nginx configures fastcgi_split_path_info with an expression that starts with ^ and ends with $. Only under this condition can the regular expression be broken by a newline character. (PS: this allows index.php/321 to resolve to index.php.)
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
3. PATH_INFO is defined as a fastcgi_param via `fastcgi_param PATH_INFO $fastcgi_path_info;`. Of course, this variable is defined by default in fastcgi_params.
4. There is no file check at the nginx level, such as `try_files $uri =404;`. If a file check is done at the nginx level, the request is not forwarded to php-fpm.
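Both the temporary fix above and the four conditions just listed can be checked mechanically. The following Python is an added example, not from the article or the exploit's author: it takes a constructed nginx location block and reports which of the four conditions hold, flagging the block as exposed only when the first three hold and no `try_files $uri =404` check is present. Directive parsing is a deliberately simple line-based heuristic, not a full nginx config parser.

```python
import re

# Constructed sample: the exposed shape described in the conditions above.
VULNERABLE_LOCATION = """
location ~ [^/]\\.php(/|$) {
    fastcgi_split_path_info ^(.+?\\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php-fpm:9000;
}
"""

# Constructed sample: the same block with the temporary fix applied.
HARDENED_LOCATION = """
location ~ [^/]\\.php(/|$) {
    try_files $uri =404;
    fastcgi_split_path_info ^(.+?\\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php-fpm:9000;
}
"""


def _directive(block: str, name: str):
    """Argument string of the first `name ...;` directive in the block, or None."""
    m = re.search(r"(?m)^\s*" + re.escape(name) + r"\s+([^;]+);", block)
    return m.group(1).strip() if m else None


def check_location(block: str) -> dict:
    """Evaluate one location block against the four conditions on this page."""
    split = _directive(block, "fastcgi_split_path_info")
    params = re.findall(r"(?m)^\s*fastcgi_param\s+(\w+)", block)
    try_files = _directive(block, "try_files")
    return {
        # 1: a regex location for .php that hands the request to FastCGI
        "php_location": bool(re.search(r"location\s+~[^{]*\.php", block))
        and "fastcgi_pass" in block,
        # 2: split regex anchored at both ends, the shape a newline breaks
        "anchored_split": split is not None
        and split.startswith("^") and split.endswith("$"),
        # 3: PATH_INFO explicitly passed to php-fpm
        "path_info_param": "PATH_INFO" in params,
        # 4 (mitigation): nginx verifies the file exists before proxying
        "file_check": try_files is not None
        and "$uri" in try_files and "=404" in try_files,
    }


def is_exposed(block: str) -> bool:
    c = check_location(block)
    return (c["php_location"] and c["anchored_split"]
            and c["path_info_param"] and not c["file_check"])
```

A `fastcgi_params` file pulled in with `include` is not inspected here, so condition 3 is only detected when PATH_INFO is set in the block itself.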
In our research, this vulnerability has limited impact in the real world, mainly because most nginx configurations include a file check, and the default nginx configuration does not have this problem.
But for precisely that reason, the problem appears in many online sample configurations and environments that did not take it into account, such as the sample configuration in the official nginx documentation and the default environment of NextCloud, so the vulnerability is a real threat to the security of many servers.
In this sense the vulnerability follows the "dark forest" law: once a problematic configuration spreads, a large number of services may be affected. Keeping software updated in time is always the best protection.