tl;dr – CVE-2019-11043 PHP-FPM & NGINX RCE was publicly disclosed and a Proof-of-Concept exploit code was made available on GitHub. We received the report from our Crowdsource community, and now the CVE-2019-11043 Nginx/PHP-FPM RCE vulnerability is detected by Detectify.
What is Nginx/PHP-FPM RCE?
Nginx is a common web server used to run web applications. PHP-FPM (FastCGI Process Manager) is a processor for PHP scripts that is efficient at handling heavy website traffic and is commonly used by websites that have e.g. web forums or login gateways, which rely on a PHP framework.
The specific vulnerability exists exclusively in Nginx and PHP-FPM implementations due to the way data is read from URL and how it is firstly read by Nginx and then how it is forwarded to PHP-FPM. Affected PHP versions are 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11.
Impact
PHP-FPM is not part of the standard Nginx installations, but it is used by many web applications and service providers due to its good performance. If a server is running a vulnerable configuration of Nginx and PHP-FPM, the underlying service can be fully compromised. This means that an attacker can pivot to other internal services, or steal any data stored on the server(s).
Details
The issue lies in the default way in which Nginx forwards data to the PHP-FPM handler. Nginx constructs a variable from URL path and query string, which is then processed by the PHP-FPM handler.
The following Nginx configuration uses regular expression, or regex, to determine the URL path and query string:
location ~ [^/].php(/|$) {
fastcgi_split_path_info ^(.+?.php)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_pass php:9000;
...
}
}
The fastcgi_split_path_info regex pattern can be broken with an encoded newline character “%0a”, which overwrites the PATH_INFO variable with an empty value. Arbitrary input can then be inserted into the PATH_INFO value after the newline character.
When the PATH_INFO variable is processed in PHP-FPM’s fpm_main.c, certain length of input used as URL path and query string can overflow FPM’s path_info variable in such a manner that it points to the beginning of the _fcgi_data_seg variable structure. This can then be used to create a new variable that points to a specifically crafted script path.
Once the PHP-FPM worker has been “poisoned” successfully, by using for example the publicly available exploit code, arbitrary code is executable on the remote server by appending the script path “?a=” to the URL. Any server command can be run in the query string, for example:
Image: Example of vulnerable configuration that allows execution of arbitrary code
If you want to read a more detailed break down of the vulnerability, researcher going by the name Orange Tsai published an analysis of the vulnerability.
Remediation
Update your PHP 7 installation to fix how data is processed by the PHP-FPM handler.
Since also Nginx plays a part in the vulnerability, it is recommended to harden Nginx configurations. Nginx should be configured to check for existing scripts and files with try_files directive or an if-statement if (-f $uri).
How can Detectify help?
We’ve released the security test for CVE-2019-11043 Nginx/PHP-FPM exploit in our latest batch of modules. You can start scanning to see if your web applications are running a vulnerable version, along with 1500+ other known vulnerabilities reported to us from Detectify Crowdsource, our private community of top-ranked ethical hackers.
Check the security status of your web apps with Detectify today.
Get started your 14-day free trial.