Allele Security Alert
ASA-2019-00595
Identifier(s)
ASA-2019-00595, CVE-2019-11043
Title
env_path_info underflow in fpm_main.c can lead to Remote Code Execution (RCE)
Vendor(s)
The PHP Development Team
Product(s)
PHP
Affected version(s)
PHP versions before 7.3.11
PHP versions before 7.2.24
PHP versions before 7.1.33
Fixed version(s)
PHP version 7.3.11
PHP version 7.2.24
PHP version 7.1.33
Proof of concept
Yes
Description
In certain PHP-FPM configurations, it is possible to make the FPM module write past its allocated buffers into the space reserved for FastCGI protocol data, which opens the possibility of remote code execution.
Technical details
Line 1140 of sapi/fpm/fpm/fpm_main.c (https://github.com/php/php-src/blob/master/sapi/fpm/fpm/fpm_main.c#L1140) contains pointer arithmetic that assumes env_path_info has a prefix equal to the path of the PHP script. However, the code does not check that this assumption holds. The missing check can leave an invalid pointer in the “path_info” variable.
Such conditions can be reached with a fairly standard Nginx configuration. If one has an Nginx config like this:

location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
    ...
}

The regular expression in the `fastcgi_split_path_info` directive fails to match when the request path contains a newline character (%0a in URL-encoded form). A failed match leaves PATH_INFO empty, which triggers the bug.
This issue leads to code execution. Later in the code, path_info[0] is set to zero (https://github.com/php/php-src/blob/master/sapi/fpm/fpm/fpm_main.c#L1150), and then FCGI_PUTENV is called. With a carefully chosen length of the URL path and query string, an attacker can make path_info point precisely to the first byte of the _fcgi_data_seg structure. Writing a zero there moves the `char* pos` field backwards, and the following FCGI_PUTENV overwrites data (including other FastCGI variables) with the script path. Using this technique, it is possible to create a fake PHP_VALUE FastCGI variable and then use a chain of carefully chosen config values to get code execution.
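The following Python script is an added illustration, not part of the advisory or of PHP's or Nginx's own code. It reproduces the `fastcgi_split_path_info` regular expression from the configuration above to show why a decoded newline in the path leaves PATH_INFO empty, scans a few constructed Nginx access-log lines for that condition, and compares a PHP version string against the fixed versions listed in this advisory. The function names and the log lines are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Same pattern as the fastcgi_split_path_info directive in the advisory's Nginx snippet.
# Like PCRE, Python's "." does not match a newline, so a path containing "\n" never matches.
SPLIT_PATH_INFO = re.compile(r"^(.+?\.php)(/.*)$")

# Same pattern as the "location ~" block; used to decide whether a request reaches FPM.
PHP_LOCATION = re.compile(r"[^/]\.php(/|$)")


def split_path_info(uri: str):
    """Mimic nginx fastcgi_split_path_info on a percent-decoded URI path.

    Returns (script_name, path_info). When the regex does not match, nginx leaves
    $fastcgi_path_info empty, which is the condition the advisory describes.
    """
    m = SPLIT_PATH_INFO.match(uri)
    if not m:
        return uri, ""
    return m.group(1), m.group(2)


def is_vulnerable_version(version: str):
    """Compare a PHP version against the fixed versions in this advisory.

    Returns True/False for the 7.1, 7.2 and 7.3 branches and None for any branch
    the advisory does not cover.
    """
    fixed = {(7, 1): (7, 1, 33), (7, 2): (7, 2, 24), (7, 3): (7, 3, 11)}
    parts = tuple(int(p) for p in version.split(".")[:3])
    branch = parts[:2]
    if branch not in fixed:
        return None
    return parts < fixed[branch]


# Constructed access-log lines in the nginx "combined" format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Oct/2019:10:00:01 +0000] "GET /index.php/page HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Oct/2019:10:00:02 +0000] "GET /index.php/a%0Ab.php?q=1 HTTP/1.1" 200 0 "-" "curl/7.58"
10.0.0.7 - - [24/Oct/2019:10:00:03 +0000] "GET /static/app.js HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) ([^ ]+) HTTP/')


def suspicious_requests(log_text: str):
    """Return request targets that reach the PHP location block with a newline in the
    decoded path and an empty PATH_INFO, i.e. the failed-split condition above.

    An empty PATH_INFO on its own is normal (e.g. a plain /index.php request), so the
    newline is what distinguishes the case the advisory describes.
    """
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group(1)
        path = unquote(target.split("?", 1)[0])
        if not PHP_LOCATION.search(path):
            continue  # would not be routed to php:9000 at all
        _, path_info = split_path_info(path)
        if path_info == "" and "\n" in path:
            hits.append(target)
    return hits


if __name__ == "__main__":
    print(split_path_info("/index.php/page"))        # ('/index.php', '/page')
    print(split_path_info("/index.php/a\nb.php"))    # ('/index.php/a\nb.php', '')
    print(is_vulnerable_version("7.3.10"), is_vulnerable_version("7.3.11"))
    print(suspicious_requests(SAMPLE_LOG))
```

The version check only encodes the three branches this advisory lists; an upgrade to the fixed releases above is the remediation, and the log scan is a cheap retrospective check for requests shaped like the one the advisory describes.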
Credits
neex, beched and d90pwn
Reference(s)
Sec Bug #78599 env_path_info underflow in fpm_main.c can lead to RCE
https://bugs.php.net/bug.php?id=78599
Fix bug #78599 (env_path_info underflow can lead to RCE) (CVE-2019-11043)
https://github.com/php/php-src/commit/ab061f95ca966731b1c84cf5b7b20155c0a1c06a
php-src/fpm_main.c
https://github.com/php/php-src/blob/master/sapi/fpm/fpm/fpm_main.c#L1140
PHP-FPM Remote Code Execution Vulnerability (CVE-2019-11043) Analysis
https://paper.seebug.org/1064/
Testing CVE-2019-11043 (php-fpm security vulnerability) with LXD system containers
https://blog.simos.info/testing-cve-2019-11043-php-fpm-security-vulnerability-with-lxd-system-containers/
Addressing the PHP-FPM Vulnerability (CVE-2019-11043) with NGINX
https://www.nginx.com/blog/php-fpm-cve-2019-11043-vulnerability-nginx/
Exploit for CVE-2019-11043
https://github.com/neex/phuip-fpizdam
PHP 7.3.11 Released
https://www.php.net/archive/2019.php#2019-10-24-3
Version 7.3.11 – Changelog
https://www.php.net/ChangeLog-7.php#7.3.11
PHP 7.1.33 Released
https://www.php.net/archive/2019.php#2019-10-24-2
Version 7.1.33 – Changelog
https://www.php.net/ChangeLog-7.php#7.1.33
PHP 7.2.24 Released
https://www.php.net/archive/2019.php#2019-10-24-1
Version 7.2.24 – Changelog
https://www.php.net/ChangeLog-7.php#7.2.24
CVE-2019-11043 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2019-11043
CVE-2019-11043
https://security-tracker.debian.org/tracker/CVE-2019-11043
CVE-2019-11043 | SUSE
https://www.suse.com/security/cve/CVE-2019-11043
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11043.html
CVE-2019-11043
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11043
CVE-2019-11043
https://nvd.nist.gov/vuln/detail/CVE-2019-11043
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: November 5, 2019