Foreword:
On September 26, 2019, PHP officially released a vulnerability bulletin disclosing a remote code execution vulnerability. The vulnerability is caused by an underflow of env_path_info in the fpm_main.c file of PHP-FPM.
The vulnerability exists when PHP-FPM is used together with Nginx under certain configurations. The PoC was published on October 22, 2019. Because the combination of PHP and Nginx is widely deployed and an attacker can use this vulnerability to remotely execute arbitrary code, its impact is high.
Introduction to PHP-FPM components
PHP-FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation with some additional features; it can be used on sites of any size, especially busy ones.
For PHP versions before 5.3.3, PHP-FPM was a patch set that integrated FastCGI process management into the PHP package. If you use a PHP version older than 5.3.3, you must apply the patch to your PHP source code, then compile and install PHP before you can use it.
Since PHP 5.3.3, php-fpm is integrated into PHP and is no longer a third-party package. PHP-FPM provides better PHP process management: it can effectively control memory and processes and can smoothly reload the PHP configuration.
Vulnerability description
This vulnerability is caused by an underflow of env_path_info in the fpm_main.c file of PHP-FPM. Line 1140 of sapi/fpm/fpm/fpm_main.c performs pointer arithmetic that assumes the prefix of env_path_info is equal to the path of the PHP script. The code never checks that this assumption holds, and the missing check leaves an invalid pointer in the "path_info" variable.
These conditions can be reached with a standard Nginx configuration. If you have an Nginx configuration like this:
```nginx
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
    ...
}
```
An attacker can use a newline character (URL-encoded as %0a) to break the regexp in the `fastcgi_split_path_info` directive. When the regexp no longer matches, PATH_INFO is empty, which triggers the bug.
This bug can lead to code execution. In the code that follows, path_info[0] is set to 0 before FCGI_PUTENV is called. With a carefully chosen URL path length and query string, an attacker can make path_info point exactly at the first byte of the _fcgi_data_seg structure. Writing 0 there moves the `char* pos` field backwards, and the subsequent FCGI_PUTENV then overwrites some data (including other FastCGI variables) with the script path.
Using this technique, an attacker can create a fake PHP_VALUE FastCGI variable and then use a series of carefully chosen configuration values to execute code.
Affected products:
PHP-FPM builds obtained before the 2019-09-26 update are affected when the Nginx server in front of php-fpm uses the following configuration:
```nginx
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
    ...
}
```
Repair Suggestions
If the application does not require the following configuration, it is recommended that users remove it:
```nginx
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
```
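The following Python script is an added example, not code from the bulletin or from the PHP or Nginx projects. It does two things a defender would want at this point: it audits an Nginx configuration for the vulnerable combination described above (fastcgi_split_path_info feeding PATH_INFO in a location that passes to php-fpm), and it emulates how `$fastcgi_path_info` is derived from the split regexp so you can see that a URI containing a newline makes the regexp fail and PATH_INFO come back empty. The configuration texts, the function names and the simplified brace-matching location parser are all constructed for this example; they are not Nginx's own parser.

```python
import re

# Regexp from the configuration the bulletin describes.
SPLIT_PATTERN = r'^(.+?\.php)(/.*)$'

# Directive patterns that, together inside one location block, form the
# precondition the bulletin describes (constructed for this example).
SPLIT_RE = re.compile(r'^\s*fastcgi_split_path_info\s+\S+\s*;', re.M)
PATH_INFO_RE = re.compile(r'^\s*fastcgi_param\s+PATH_INFO\s+\$fastcgi_path_info\s*;', re.M)
FASTCGI_PASS_RE = re.compile(r'^\s*fastcgi_pass\s+\S+\s*;', re.M)

# Constructed sample: the configuration quoted in the bulletin.
VULNERABLE_CONF = r"""
server {
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass php:9000;
    }
    location /static/ {
        root /var/www;
    }
}
"""

# Constructed sample: the same configuration with the two lines the
# bulletin recommends removing taken out.
HARDENED_CONF = r"""
server {
    location ~ [^/]\.php(/|$) {
        fastcgi_pass php:9000;
    }
}
"""


def location_blocks(config):
    """Yield (selector, body) for every 'location <selector> { ... }' block.

    Minimal brace matching; good enough for the audit, not a full parser.
    """
    for m in re.finditer(r'location\s+([^{]+?)\s*\{', config):
        depth, i = 1, m.end()
        while i < len(config) and depth:
            depth += {'{': 1, '}': -1}.get(config[i], 0)
            i += 1
        yield m.group(1).strip(), config[m.end():i - 1]


def is_vulnerable_location(body):
    """True when a location block forwards to PHP-FPM and derives PATH_INFO
    from fastcgi_split_path_info, i.e. the configuration the bulletin names."""
    return bool(SPLIT_RE.search(body)
                and PATH_INFO_RE.search(body)
                and FASTCGI_PASS_RE.search(body))


def audit(config):
    """Return the selectors of all location blocks matching the vulnerable pattern."""
    return [sel for sel, body in location_blocks(config) if is_vulnerable_location(body)]


def split_path_info(pattern, uri):
    """Emulate what $fastcgi_path_info becomes for a given URI path.

    Nginx sets it to the second capture group of the split regexp, or to an
    empty string when the regexp does not match at all. Python's re, like
    PCRE, does not let '.' match a newline by default, so a path containing
    a decoded %0a makes the match fail and PATH_INFO comes back empty.
    """
    m = re.match(pattern, uri)
    return m.group(2) if m else ''


if __name__ == '__main__':
    print('vulnerable locations:', audit(VULNERABLE_CONF))   # one hit
    print('after hardening:     ', audit(HARDENED_CONF))     # none
    print('normal URI  ->', repr(split_path_info(SPLIT_PATTERN, '/index.php/foo')))
    print('with newline->', repr(split_path_info(SPLIT_PATTERN, '/index.php/foo\nbar')))
```

Run the audit over each server's configuration files (after `nginx -T`, which prints the fully resolved configuration, if you want includes expanded) and treat every reported selector as a location to either fix by removing the two directives or to cover by upgrading PHP-FPM past the 2019-09-26 fix.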