Date: Sat, 27 Jul 2019 14:13:59 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: RCE through open PHP-FPM ports

Hi,

I recently reported here [1] that open FPM ports may be used to exfiltrate data and that this particularly affected HHVM. Originally I assumed that this is much less of an issue with upstream PHP. However, swapgs [2] pointed out to me that this is actually much more dangerous than I originally thought.

Background: FPM is a method to execute PHP in modern environments. A daemon is listening for incoming connections, so PHP doesn't need to be started for each request; the web server will forward requests to FPM. It can run either on a file socket or on a TCP port. The TCP port should never be exposed to the public.

Here's how this can be used for remote code execution: The FPM daemon supports passing PHP configuration options via the PHP_VALUE variable. This can be used to inject PHP code via the auto_prepend_file configuration option (this is basically an option to provide a script that will be prepended to every other script execution).

This may be prevented by settings for allow_url_include or allow_url_fopen. However, these settings can be changed with PHP_VALUE as well, so this is no protection.

The only thing an attacker needs is a file with a .php or .phar extension on the target system (other files won't be executed due to an option "security.limit_extensions" in the FPM daemon that by default only allows these two). However, this is usually not very hard to achieve by guessing files on standard paths. For example, on Debian/Ubuntu systems a file /usr/bin/phar.phar exists; alternatively, on systems that have PEAR installed this can be used.

I've put this all together in a bash script [3] that should illustrate how this attack works.

Notably HHVM is not affected by this attack vector, as it doesn't support PHP_VALUE [4]. However, it is affected more severely by the original file exfiltration issue [1].

tl;dr Never run FPM on a public network interface. With HHVM this means arbitrary file exfiltration, with PHP it means remote code execution.

[1] https://www.openwall.com/lists/oss-security/2019/07/09/2
[2] https://twitter.com/swapgs
[3] https://github.com/hannob/fpmvuln/blob/master/fpmrce
[4] https://github.com/facebook/hhvm/issues/3730

--
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
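A defensive check for the tl;dr above, added here as an editor's example (it is not Hanno's script [3] nor part of PHP): it parses a php-fpm pool file and flags a `listen` directive bound to anything other than a unix socket or a loopback address, plus a TCP listener with no `listen.allowed_clients` restriction. The pool config below is constructed for the example.

```python
import ipaddress
import re

# Constructed sample pool config (not from the post); the "listen" value is
# what decides whether the FPM port is reachable from other hosts.
SAMPLE_POOL = """
[www]
user = www-data
listen = 0.0.0.0:9000   ; binds every IPv4 interface
pm = dynamic
security.limit_extensions = .php .phar
"""

def parse_pool(text):
    """Return {section: {key: value}} for an INI-style php-fpm pool file."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1)
            conf.setdefault(section, {})
            continue
        key, sep, value = line.partition("=")
        if section is not None and sep:
            conf[section][key.strip()] = value.strip()
    return conf

def listen_exposure(listen):
    """Classify a php-fpm 'listen' value as 'socket', 'loopback' or 'public'."""
    if listen.startswith("/"):            # unix domain socket path
        return "socket"
    if listen.isdigit():                  # bare port binds all IPv4 interfaces
        return "public"
    host = listen.rsplit(":", 1)[0].strip("[]")
    if host == "localhost":
        return "loopback"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "public"                   # hostname: cannot prove it is local
    return "loopback" if addr.is_loopback else "public"

def audit_pools(text):
    """Return a list of (pool, finding) for settings that expose FPM."""
    findings = []
    for pool, settings in parse_pool(text).items():
        if pool == "global":
            continue
        listen = settings.get("listen", "")
        exposure = listen_exposure(listen)
        if exposure == "public":
            findings.append((pool, f"listen={listen} is reachable from the network"))
        if exposure != "socket" and "listen.allowed_clients" not in settings:
            findings.append((pool, "TCP listener without listen.allowed_clients"))
    return findings
```

Run it over /etc/php/*/fpm/pool.d/*.conf; any finding means the pool should be moved to a unix socket or bound to 127.0.0.1.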