oss-sec mailing list archives
RCE through open PHP-FPM ports
From: Hanno Böck <hanno () hboeck de>
Date: Sat, 27 Jul 2019 14:13:59 +0200
Hi,

I recently reported here [1] that open FPM ports may be used to exfiltrate data and this particularly affected HHVM. Originally I assumed that this is much less of an issue with upstream PHP. However swapgs [2] pointed out to me that this is actually much more dangerous than I originally thought.

Background: FPM is a method to execute PHP in modern environments. A daemon is listening for incoming connections, so PHP doesn't need to be started for each request; the web server will forward requests to FPM. It can run either on a file socket or on a TCP port. The TCP port should never be exposed to the public.

Here's how this can be used for remote code execution: The FPM daemon supports passing PHP configuration options via the PHP_VALUE variable. This can be used to inject PHP code via the auto_prepend_file configuration option (this is basically an option to provide a script that will be prepended to every other script execution). This may be prevented by settings for allow_url_include or allow_url_fopen. However these settings can be changed with PHP_VALUE as well, so this is no protection.

The only thing an attacker needs is a file with a .php or .phar extension on the target systems (other files won't be executed due to an option "security.limit_extensions" in the FPM daemon that by default only allows these two). However this is usually not very hard to achieve by guessing files on standard paths. For example on Debian/Ubuntu systems a file /usr/bin/phar.phar exists; alternatively on systems that have PEAR installed this can be used.

I've put this all together in a bash script [3] that should illustrate how this attack works.

Notably HHVM is not affected by this attack vector, as it doesn't support PHP_VALUE [4]. However it is affected more severely by the original file exfiltration issue [1].

tl;dr Never run FPM on a public network interface. With HHVM this means arbitrary file exfiltration, with PHP it means remote code execution.
[1] https://www.openwall.com/lists/oss-security/2019/07/09/2
[2] https://twitter.com/swapgs
[3] https://github.com/hannob/fpmvuln/blob/master/fpmrce
[4] https://github.com/facebook/hhvm/issues/3730

-- 
Hanno Böck
https://hboeck.de/
mail/jabber: hanno () hboeck de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
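The post's one-line fix is "never run FPM on a public network interface". The following audit script is an added example (not part of the post and not from the fpmvuln repository): it parses php-fpm pool files in their ini-style format and flags any pool whose `listen` directive binds a TCP socket to something other than loopback. The three pool snippets are constructed for illustration; `listen`, `listen.allowed_clients` and the bare-port form of `listen` (which makes FPM bind every address) are real php-fpm pool directives, but the hostname handling and severity wording are this example's own choices.

```python
import re
from ipaddress import ip_address

# Constructed sample pool configurations (not taken from the post).
# The first exposes FPM on every interface, the others are restricted.
EXPOSED_POOL = """
[www]
user = www-data
listen = 0.0.0.0:9000   ; reachable from any host that can route to this box
pm = dynamic
"""

HARDENED_POOL = """
[www]
user = www-data
listen = /run/php/php-fpm.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = dynamic
"""

LOOPBACK_TCP_POOL = """
[www]
listen = 127.0.0.1:9000
listen.allowed_clients = 127.0.0.1
"""


def parse_pools(text):
    """Return {pool_name: {key: value}} from an ini-style php-fpm pool file."""
    pools = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()  # ';' starts a comment in pool files
        if not line:
            continue
        section = re.match(r'^\[(.+)\]$', line)
        if section:
            current = section.group(1)
            pools[current] = {}
            continue
        if current is None or '=' not in line:
            continue
        key, value = (part.strip() for part in line.split('=', 1))
        pools[current][key] = value
    return pools


def listen_exposure(listen):
    """Classify a 'listen' value as 'socket', 'loopback', 'all' or 'address'."""
    if listen.startswith('/'):
        return 'socket'                      # unix socket: no network reachability
    if listen.isdigit():
        return 'all'                         # bare port: FPM binds all addresses
    host = listen.rpartition(':')[0].strip('[]')
    try:
        addr = ip_address(host)
    except ValueError:
        return 'address'                     # hostname: assume a network-facing bind
    if addr.is_loopback:
        return 'loopback'
    if addr.is_unspecified:                  # 0.0.0.0 or ::
        return 'all'
    return 'address'


def audit(text):
    """Return a list of (pool, listen, reason) for pools reachable over the network."""
    findings = []
    for name, cfg in parse_pools(text).items():
        listen = cfg.get('listen', '')
        kind = listen_exposure(listen)
        if kind in ('socket', 'loopback'):
            continue
        allowed = cfg.get('listen.allowed_clients', '')
        if allowed:
            reason = ('TCP listener bound to a network address; only '
                      'listen.allowed_clients stands between it and PHP_VALUE injection')
        else:
            reason = 'TCP listener bound to a network address with no client restriction'
        findings.append((name, listen, reason))
    return findings


if __name__ == '__main__':
    for label, pool in (('exposed', EXPOSED_POOL), ('hardened', HARDENED_POOL),
                        ('loopback', LOOPBACK_TCP_POOL)):
        print(label, audit(pool))
```

Running it on a real deployment would mean reading `/etc/php/*/fpm/pool.d/*.conf` (Debian/Ubuntu layout) instead of the embedded strings; a unix socket or a loopback bind, with the web server on the same host, is the configuration the post's tl;dr asks for.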