
List:       oss-security
Subject:    [oss-security] RCE through open PHP-FPM ports
From:       Hanno Böck <hanno@hboeck.de>
Date:       2019-07-27 12:13:59
Message-ID: 20190727141359.07cf0a8c () computer

Hi,

I recently reported here [1] that open FPM ports may be used to
exfiltrate data and this particularly affected HHVM. Originally I
assumed that this is much less of an issue with upstream PHP. However
swapgs [2] pointed out to me that this is actually much more dangerous
than I originally thought.

Background: FPM is a method to execute PHP in modern environments. A
daemon is listening for incoming connections, so PHP doesn't need to be
started for each request, the web server will forward requests to FPM.
It can run either on a file socket or on a TCP port.
The TCP port should never be exposed to the public.

Here's how this can be used for remote code execution:
The FPM daemon supports passing PHP configuration options via the
PHP_VALUE variable. This can be used to inject PHP code via the
auto_prepend_file configuration option (this is basically an option to
provide a script that will be prepended to every other script
execution).
This may be prevented by settings for allow_url_include or
allow_url_fopen. However these settings can be changed with PHP_VALUE
as well, so this is no protection.

The only thing an attacker needs is a file with a .php or .phar
extension on the target system (other files won't be executed due to
an option "security.limit_extensions" in the FPM daemon that by
default only allows these two). However this is usually not very hard
to achieve by guessing files on standard paths. For example on
Debian/Ubuntu systems a file /usr/bin/phar.phar exists; alternatively,
on systems that have PEAR installed, its files can be used.

I've put this all together in a bash script [3] that should illustrate
how this attack works.

Notably HHVM is not affected by this attack vector, as it doesn't
support PHP_VALUE [4]. However it is affected more severely by the
original file exfiltration issue [1].

tl;dr Never run FPM on a public network interface. With HHVM this means
arbitrary file exfiltration, with PHP it means remote code execution.


[1] https://www.openwall.com/lists/oss-security/2019/07/09/2
[2] https://twitter.com/swapgs
[3] https://github.com/hannob/fpmvuln/blob/master/fpmrce
[4] https://github.com/facebook/hhvm/issues/3730
-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42