PHP Bug Allows Remote Code-Execution on NGINX Servers

CVE-2019-11043 is trivial to exploit — and a proof of concept is available.

A buffer underflow bug in PHP could allow remote code-execution (RCE) on targeted NGINX servers.

First discovered during a hCorem Capture the Flag competition in September, the bug (CVE-2019-11043) is reachable through the FastCGI directive used in some PHP deployments on NGINX servers, according to researchers at Wallarm.

PHP powers about 30 percent of modern websites, including popular web platforms like WordPress and Drupal – but NGINX servers are only vulnerable if they have PHP-FPM enabled (a non-default optimization feature that allows servers to execute scripts faster). The issue is patched in PHP versions 7.3.11, 7.2.24 and 7.1.33, which were released last week.

In a Monday posting, Wallarm researchers said that the bug can be exploited by sending specially crafted requests to a server whose NGINX configuration uses the `fastcgi_split_path_info` directive. That directive applies a regular expression to user-supplied data, such as the request URL, to split it into the script path and PATH_INFO. If an attacker creates a special URL that includes a “%0a” (newline) byte, the server will send back more data than it should, which confuses the FastCGI mechanism.

“In particular, [the bug can be exploited] in a fastcgi_split_path directive and a regexp trick with newlines,” according to Wallarm security researcher Andrew Danau, who found the bug. “Because of %0a character, NGINX will set an empty value to this variable, and fastcgi+PHP will not expect this….[as a result], it’s possible to put [in] arbitrary FastCGI variables, like PHP_VALUE.”

Another security researcher participating in the CTF exercise, Emil Lerner, offered more details in the PHP bug tracker: “The regexp in `fastcgi_split_path_info` directive can be broken using the newline character (in encoded form, %0a). Broken regexp leads to empty PATH_INFO, which triggers the bug,” he said.

Lerner posted a zero-day proof-of-concept exploit for the flaw that works in PHP 7 to allow code execution. The exploit makes use of an optimization used for storing FastCGI variables, _fcgi_data_seg.

“Usually, that sort of [buffer underflow] response is related to memory-corruption attacks and we expected to see an attack on the type of information disclosure,” Wallarm researchers said. “Information disclosure is bad enough as it can result in leaking sensitive or financial data. Even worse, from time to time, although quite rarely, such behavior can indicate a remote code-execution vulnerability.”

Researchers added that without patching, this issue can be a dangerous entry point into web applications given the trivial nature of mounting an exploit.

Admins can identify vulnerable FastCGI directives in their NGINX configurations with a bash command, `egrep -Rin --color 'fastcgi_split_path' /etc/nginx/`, according to Wallarm.


Discussion

  • GT500:

    This is only exploitable under the following conditions (copied from an article on tenable):

    * The nginx location directive forwards requests to PHP-FPM
    * The "fastcgi_split_path_info" directive is present and includes a regular expression beginning with a ^ symbol and ending with a $ symbol
    * The "fastcgi_param" directive is used to assign the PATH_INFO variable
    * There are no checks in place to determine whether or not a file exists (e.g., using try_files or an if statement)

    Following the recommendation from NGINX in their article "Pitfalls and Common Mistakes" to use the following in location blocks (or other methods to test if a file exists before passing to PHP-FPM) should mitigate this: try_files $uri =404;
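The egrep command Wallarm gives only finds the directive name; the conditions listed in the comment above (requests passed to PHP-FPM, a `^...$` split regex, a PATH_INFO assignment, and no `try_files` check) can instead be tested per location block. The script below is an added example written for this page, not Wallarm's command or NGINX project code; the two config files it scans are constructed for the demonstration, and it assumes one `location` header per line with balanced braces.

```shell
#!/bin/sh
# Added example (not Wallarm's command or NGINX project code): flag nginx location
# blocks that match all CVE-2019-11043 preconditions instead of grepping for the
# directive name alone. Assumes one 'location' header per line and balanced braces.

# Print "VULNERABLE: <location header>" for every block that passes requests to
# PHP-FPM (fastcgi_pass), splits the URI with a ^...$ fastcgi_split_path_info regex,
# assigns PATH_INFO, and has no try_files check. Exit status 1 if any were found.
audit_nginx_conf() {
    awk '
    # A new location header starts a block (nested locations are not handled).
    !inblock && /^[ \t]*location[ \t]/ {
        inblock = 1; depth = 0; opened = 0; buf = ""
        hdr = $0; sub(/^[ \t]+/, "", hdr)
    }
    inblock {
        buf = buf "\n" $0
        n = gsub(/[{]/, "{"); depth += n; if (n) opened = 1   # gsub returns the match count
        depth -= gsub(/[}]/, "}")
        if (opened && depth == 0) {
            # The block is complete: test all four preconditions together.
            if (buf ~ /fastcgi_pass/ &&
                buf ~ /fastcgi_split_path_info[ \t]+\^[^;]*\$[ \t]*;/ &&
                buf ~ /fastcgi_param[ \t]+PATH_INFO/ &&
                buf !~ /try_files/) {
                print "VULNERABLE: " hdr
                found = 1
            }
            inblock = 0
        }
    }
    END { exit found ? 1 : 0 }
    ' "$@"
}

# Constructed sample configs for a dry run; neither is a real server's file.
VULN_CONF=$(mktemp)
SAFE_CONF=$(mktemp)
trap 'rm -f "$VULN_CONF" "$SAFE_CONF"' EXIT

# Two blocks: the first meets every precondition, the second adds try_files.
cat > "$VULN_CONF" <<'EOF'
server {
    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
    location ~ ^/admin/.*\.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
EOF

# Same first block, mitigated as the NGINX "Pitfalls and Common Mistakes" guidance suggests.
cat > "$SAFE_CONF" <<'EOF'
server {
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
EOF

# Usage against a real install: audit_nginx_conf /etc/nginx/nginx.conf /etc/nginx/conf.d/*.conf
audit_nginx_conf "$VULN_CONF" || echo "(exit status $?: vulnerable block found)"
audit_nginx_conf "$SAFE_CONF" && echo "(exit status 0: nothing flagged)"
```

Only the first block in the constructed file is reported, because the `/admin/` block and the whole second file carry the `try_files $uri =404;` check that the commenter recommends; a non-zero exit status makes the function easy to wire into a configuration check.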
