Message-ID: <20191024183230.GA4963@openwall.com>
Date: Thu, 24 Oct 2019 20:32:30 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2019-11043: PHP: env_path_info underflow in fpm_main.c can lead to RCE

Hi,

Although I had nothing to do with the discovery or handling of this
issue, I was asked off-list to bring it to the attention of distros.
Since the issue is already public, I am simply posting it here.  (I'd
appreciate it if people post stuff on their own instead of asking me,
though.)

This bug was reported against PHP a month ago:

https://bugs.php.net/bug.php?id=78599

| Sec Bug #78599 	env_path_info underflow in fpm_main.c can lead to RCE
| 
| [2019-09-26 16:17 UTC] neex dot emil+phpeb at gmail dot com
| 
| Description:
| ------------
| The line 1140 in file sapi/fpm/fpm/fpm_main.c
| (https://github.com/php/php-src/blob/master/sapi/fpm/fpm/fpm_main.c#L1140)
| contains pointer arithmetics that assumes that env_path_info has a
| prefix equal to the path to the php script. However, the code does not
| check this assumption is satisfied. The absence of the check can lead to
| an invalid pointer in the "path_info" variable.
| 
| Such conditions can be achieved in a pretty standard Nginx
| configuration. If one has Nginx config like this:
| 
| ```
|    location ~ [^/]\.php(/|$) {
|         fastcgi_split_path_info ^(.+?\.php)(/.*)$;
|         fastcgi_param PATH_INFO       $fastcgi_path_info;
|         fastcgi_pass   php:9000;
|         ...
|    }
| ```
| 
| The regexp in the `fastcgi_split_path_info` directive can be broken using
| the newline character (in encoded form, %0a). A broken regexp leads to an
| empty PATH_INFO, which triggers the bug.
| 
| This issue leads to code execution. Later in the code, the value of
| path_info[0] is set to zero
| (https://github.com/php/php-src/blob/master/sapi/fpm/fpm/fpm_main.c#L1150);
| then FCGI_PUTENV is called. Using a carefully chosen length of the URL
| path and query string, an attacker can make path_info point precisely to
| the first byte of _fcgi_data_seg structure. Putting zero into it moves
| `char* pos` field backwards, and following FCGI_PUTENV overwrites some
| data (including other FastCGI variables) with the script path. Using
| this technique, I was able to create a fake PHP_VALUE fcgi variable and
| then use a chain of carefully chosen config values to get code
| execution.
| 
| I have a working exploit PoC, but I'm not sure how to share it using
| this form. This security research is done by three people: me, @beched
| and @d90pwn.

This is followed by steps to reproduce the bug on a PHP build "with
--enable-fpm and ASAN enabled."  There are many further comments,
including a suggestion to fix the issue in "the next security relevant
releases" on October 24, which is today.

PHP 7.2.24 and 7.3.11 released today are documented to include the fix.

There are also exploits here:

https://github.com/neex/phuip-fpizdam
https://github.com/jas502n/CVE-2019-11043

Alexander
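The pointer arithmetic the report describes is easy to miss in the full fpm_main.c, so here is a stripped-down model of it as an added example. This is not code from php-src, from the reporter or from Openwall: the function names (`trailing_len`, `unchecked_underflows`, `checked_path_info`) and the sample request are mine, and the hardened variant is written to mirror the kind of length check the fix adds, not copied from the PHP commit. It takes the quantities fpm_main.c works with (`len`, `ptlen`, `slen`, `pilen`) and shows why an empty PATH_INFO with a non-empty trailing path segment makes `env_path_info + pilen - slen` point before the PATH_INFO buffer, which is where the later `path_info[0] = 0` write lands.

```c
/*
 * Model of the PATH_INFO pointer arithmetic behind CVE-2019-11043.
 * Added example, not code from php-src; names and the sample request
 * are constructed for illustration.
 *
 * In fpm_main.c the SAPI has roughly:
 *   len   = strlen(script_path_translated)  e.g. "/var/www/index.php/foo"
 *   ptlen = strlen(pt)                       prefix that resolved to a real file
 *   slen  = len - ptlen                      PATH_INFO as derived from the filesystem
 *   pilen = strlen(env_path_info)            PATH_INFO as passed by the web server
 * and then computes  path_info = env_path_info + pilen - slen,
 * assuming env_path_info ends with those same slen bytes. Nothing checks it.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* slen: bytes of the translated path beyond the script that actually exists. */
size_t trailing_len(const char *script_path_translated, const char *resolved_script)
{
    size_t len = strlen(script_path_translated);
    size_t ptlen = strlen(resolved_script);
    return len > ptlen ? len - ptlen : 0;
}

/*
 * Vulnerable derivation, evaluated without forming the out-of-bounds pointer
 * (doing so would be undefined behaviour here). Returns 1 when
 * env_path_info + pilen - slen would land before env_path_info, i.e. when the
 * server-supplied PATH_INFO is shorter than the filesystem-derived one.
 */
int unchecked_underflows(const char *env_path_info, size_t slen)
{
    if (env_path_info == NULL)
        return 0;                  /* NULL path: the original does no arithmetic */
    size_t pilen = strlen(env_path_info);
    return pilen < slen;           /* pointer would move (slen - pilen) bytes back */
}

/*
 * Hardened derivation (mine, modelled on the fix): only use env_path_info when
 * it is long enough to contain the slen trailing bytes, otherwise give up on it.
 */
const char *checked_path_info(const char *env_path_info, size_t slen)
{
    if (env_path_info == NULL)
        return NULL;
    size_t pilen = strlen(env_path_info);
    if (pilen <= slen)
        return NULL;               /* would point at or before the buffer start */
    return env_path_info + pilen - slen;
}

int main(void)
{
    /* Constructed request: GET /index.php/foo%0abar against the quoted nginx
     * config. The %0a defeats fastcgi_split_path_info, so nginx passes the whole
     * URI as SCRIPT_FILENAME and an empty PATH_INFO; PHP-FPM walks back to the
     * file that exists, "/var/www/index.php". */
    const char *translated = "/var/www/index.php/foo\nbar";
    const char *resolved   = "/var/www/index.php";
    const char *empty_pi   = "";
    size_t slen = trailing_len(translated, resolved);

    printf("broken split: slen=%zu pilen=%zu unchecked underflow=%d hardened=%s\n",
           slen, strlen(empty_pi), unchecked_underflows(empty_pi, slen),
           checked_path_info(empty_pi, slen) ? "pointer" : "NULL");

    /* Working split: nginx already removed PATH_INFO from SCRIPT_FILENAME,
     * so slen is 0 and the arithmetic stays inside env_path_info. */
    const char *good_pi = "/foo";
    slen = trailing_len(resolved, resolved);
    printf("normal split: slen=%zu pilen=%zu unchecked underflow=%d\n",
           slen, strlen(good_pi), unchecked_underflows(good_pi, slen));
    return 0;
}
```

In the broken-split case slen is 8 (the length of "/foo\nbar") while pilen is 0, so the original arithmetic yields a pointer 8 bytes before the PATH_INFO value inside the FastCGI request buffer; the report's exploit tunes the URL and query lengths so that this offset lands on the first byte of the `_fcgi_data_seg` structure before the `path_info[0] = 0` store.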
