CVE-2019-11043 PHP-FPM/Nginx Vulnerability

rotame

Verified User
Joined
Jul 4, 2019
Messages
50
Hi,

Lets understand the exploit

This is an exploit for a bug in php-fpm (CVE-2019-11043). In certain nginx + php-fpm configurations, the bug is possible to trigger from the outside. This means that a web user may get code execution if you have vulnerable config.

## What's vulnerable

If a webserver runs nginx + php-fpm and nginx have a configuration like

```
location ~ [^/]\.php(/|$) {
...
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_pass php:9000;
...
}
```

which also lacks any script existence checks (like `try_files`), then you can probably hack it with this sploit.

Seems this exploit works only for PHP 7+, but the bug itself is present in earlier versions.


According to Tenable:

CVE-2019-11043 is an env_path_info underflow flaw in PHP-FPM’s fpm_main.c. The vulnerability was first reported to the PHP bug-tracker by security researcher Emil Lerner on September 26, 2019.

On October 24, PHP 7.3.11 (current stable) and PHP 7.2.24 (old stable) were released to address this vulnerability along with other scheduled bug fixes. Those using nginx with PHP-FPM are encouraged to upgrade to a patched version as soon as possible.

According to Lerner, under certain configurations where a web server is using nginx and PHP-FPM, the vulnerability can be exploited to gain remote code execution. These configurations require a certain set of preconditions in order for it to be exploitable.

These preconditions include:
* The nginx location directive forwards requests to PHP-FPM
* The fastcgi_split_path_info directive is present and includes a regular expression beginning with a ‘^’ symbol and ending with a ‘$’ symbol
* The fastcgi_param directive is used to assign the PATH_INFO variable

There are no checks in place to determine whether or not a file exists (e.g., using try_files or an if statement) but it appears such configurations and preconditions are not uncommon.

https://lqwb.us/33ZvifR



From LiquidWeb :

To reproduce the issue, take take the following steps:

Build php with –enable-fpm and ASAN enabled.
Download https://www.dropbox.com/s/eio9zikkg1juuj7/reproducer.tar.xz?dl=0. (The following steps assume you’re in the
reproducer
directory from the archive.)
Run nginx using
sudo /usr/sbin/nginx -p $PWD -c nginx.conf
Run php-fpm using
path/to/php-fpm -y ./php-fpm.conf -F
Visit a (pretty long) link from the crash_link.txt using another tool, like curl $(cat crash_link.txt).
Expected Result
No crash should happen.

Actual Result
You will get a crash. Here is the output error:

==6629==ERROR: AddressSanitizer: SEGV on unknown address 0x620000005203 (pc 0x7efd1341a47f bp 0x7ffe980574e0 sp 0x7ffe98056c98 T0)
==6629==The signal is caused by a WRITE memory access.
#0 0x7efd1341a47e in memcpy /build/glibc-OTsEL5/glibc-2.27/string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:140
#1 0x4b7c57 in __asan_memcpy /home/emil/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
#2 0x13a88df in fcgi_hash_strndup /home/emil/php-src/main/fastcgi.c:322:2
#3 0x13a88df in fcgi_hash_set /home/emil/php-src/main/fastcgi.c:359:11
#4 0x13c4121 in init_request_info /home/emil/php-src/sapi/fpm/fpm/fpm_main.c:1154:12
#5 0x13c4121 in main /home/emil/php-src/sapi/fpm/fpm/fpm_main.c:1864:4
#6 0x7efd13380b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#7 0x440219 in _start (/home/emil/php-src/builded/sbin/php-fpm+0x440219)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-OTsEL5/glibc-2.27/string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:140 in memcpy
URL : https://www.liquidweb.com/kb/php-fpm-nginx-vulnerability-cve-2019-11043/
 
Last edited:

Arieh

Verified User
Joined
May 27, 2008
Messages
1,200
Location
The Netherlands
Just to clarify a bit, the CVE has been fixed at PHP versions 7.3.11, 7.2.24 and 7.1.33 on Oct. 24. Not sure if DA setups were affected.
 

smtalk

Administrator
Staff member
Joined
Aug 22, 2006
Messages
8,339
Location
LT, EU
DA used:
Code:
try_files $uri =404;
Since the beginning of nginx support :)
 
Top