OpenSecurity.global

Sadly, PHP continues to show how not to write code, especially if you use it and do not want to give free shells to all. A couple of weeks ago, neex dropped a bug on the PHP security bug list that detailed a rather ugly condition in fpm_main.c.

[Screenshot, 2019-10-23 09:07:33: the affected code in fpm_main.c]

This function assumes that env_path_info has a prefix equal to that of the PHP script being called. Now usually we'd validate this, but no, this is where they failed to abide by dem rules, and this led to an invalid pointer. Add a newline character and, a skip, hop and a jump later, boom, RCE.

A lot of people who use PHP-FPM have configs like 

try_files $uri $uri/ /index.php$is_args$args;

and this is where the issue comes in. The code before the patch was

path_info = env_path_info ? env_path_info + pilen - slen : NULL;
tflag = (orig_path_info != path_info);

 

That's pretty crap; you assume so much here, and this is why it should have been

path_info = (env_path_info && pilen > slen) ? env_path_info + pilen - slen : NULL;
tflag = path_info && (orig_path_info != path_info);

Neex published his exploit yesterday, after the PHP crew stopped arguing about how bad it was and made the patch, and I thought I'd build the exploit and see what we could do to detect it.

 

[Screenshot: running the exploit against the test URL]

Running it is simple once you have your Go environment up and running; all it needs is a URL and a PHP file. What I wanted to see was the URI sent, so rather than supply a legitimate resource, I opted for a non-existent one. As you can see, he is appending PHP%0Ais_the_shittiest_lang.php? and a load of Q's to the supplied URL.

On the server side, you see 

[Screenshot: the request as it appears in the server-side log]

So it's relatively easy to see and block in the original format, which most skids won't change. Here's a Cloudflare rule to block it:

[Screenshot: Cloudflare firewall rule matching the exploit URI]

 

Hope this is of some help to someone?

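As an added illustration of the before/after lines quoted in the post (this is a simulation written for this page, not PHP's or neex's code), the function below follows the two formulas literally and reports where the computed pointer lands in a toy FastCGI environment block. The names `script_path` (the .php file fpm resolved on disk, length ptlen), `translated` (that path plus the trailing segments fpm split off, length len) and `path_info` (the PATH_INFO value the web server sent) are this model's own; the probe case assumes the newline leaves the server sending an empty PATH_INFO while fpm still computes a trailing part, which is an assumption of the model rather than something the post states.

```python
# Simulation of the path_info arithmetic from fpm_main.c before and after the
# CVE-2019-11043 fix.  Not PHP's code: the environment block is a plain bytes
# buffer so the pointer the old formula forms can be shown as an index.

SCRIPT = "/var/www/html/index.php"                    # constructed example script

# (translated, script_path, path_info) tuples, constructed for this example
LEGIT = (SCRIPT + "/extra", SCRIPT, "/extra")
PROBE = (SCRIPT + "/PHP\nis_the_shittiest_lang.php", SCRIPT, "")  # assumed empty PATH_INFO


def path_info_offset(translated, script_path, path_info, patched):
    """Offset of path_info relative to env_path_info, or None for NULL.

    Mirrors the two quoted lines: slen is the trailing path-info length fpm
    derives from the translated path, pilen is strlen(env_path_info).
    """
    ptlen = len(script_path)
    slen = len(translated) - ptlen
    pilen = len(path_info) if path_info is not None else 0
    if patched:
        # (env_path_info && pilen > slen) ? env_path_info + pilen - slen : NULL
        return pilen - slen if (path_info is not None and pilen > slen) else None
    # env_path_info ? env_path_info + pilen - slen : NULL
    return pilen - slen if path_info is not None else None


def simulate(translated, script_path, path_info, patched):
    """Lay out SCRIPT_FILENAME=...\\0PATH_INFO=...\\0 and locate the pointer.

    Returns a dict with the absolute index the formula points at (None for
    NULL), whether that index lies inside the PATH_INFO value, and the byte
    found there.
    """
    env = b"SCRIPT_FILENAME=" + translated.encode() + b"\0PATH_INFO="
    start = len(env)                                  # where env_path_info points
    value = (path_info or "").encode()
    env += value + b"\0"
    rel = path_info_offset(translated, script_path, path_info, patched)
    if rel is None:
        return {"pointer": None, "in_bounds": True, "points_at": None}
    idx = start + rel
    return {
        "pointer": idx,
        "in_bounds": start <= idx <= start + len(value),
        "points_at": env[idx:idx + 1] if 0 <= idx < len(env) else None,
    }


if __name__ == "__main__":
    for label, case in (("legit", LEGIT), ("probe", PROBE)):
        for patched in (False, True):
            print(label, "patched" if patched else "unpatched",
                  simulate(*case, patched=patched))
```

For the legitimate request the old formula points exactly at the start of PATH_INFO, so nothing goes wrong; for the newline request pilen is smaller than slen and the pointer walks 30 bytes backwards into the SCRIPT_FILENAME value, which is the invalid pointer the post describes. The patched guard returns NULL in both cases, and the new `tflag = path_info && ...` line makes sure NULL is never dereferenced afterwards.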
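The post's block rule only survives as a screenshot, so here is the same detection idea as added example code (mine, not the post's Cloudflare rule or neex's tool) run over constructed nginx-style access log lines. It flags the literal marker from the public PoC, and more generally any request whose path decodes to contain a newline, since a percent-encoded newline in the path is what breaks PATH_INFO handling and has no legitimate use on a PHP-FPM front end. The log format, IP addresses and status codes are made up for the example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample lines in nginx "combined" format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Oct/2019:09:07:33 +0000] "GET /index.php/user/42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [23/Oct/2019:09:08:01 +0000] "GET /index.php/PHP%0Ais_the_shittiest_lang.php?QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ HTTP/1.1" 502 157 "-" "Go-http-client/1.1"',
    '198.51.100.4 - - [23/Oct/2019:09:09:12 +0000] "GET /index.php/foo%0abar.php?QQQQQQQQQQQQQQQQ HTTP/1.1" 200 0 "-" "curl/7.64.0"',
    '198.51.100.5 - - [23/Oct/2019:09:10:00 +0000] "GET /docs/%0A HTTP/1.1" 404 0 "-" "curl/7.64.0"',
]

# Client IP, timestamp, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

POC_MARKER = "is_the_shittiest_lang"   # string the public PoC appends to the URL


def probe_reason(target: str) -> Optional[str]:
    """Return why a request target looks like the PHP-FPM PATH_INFO probe, or None.

    Only the path (before '?') is decoded and inspected: the padding Q's live
    in the query string and vary, the newline in the path is the constant part.
    """
    path, _, _query = target.partition("?")
    decoded = unquote(path)
    if POC_MARKER in decoded:
        return "public PoC marker in path"
    if "\n" in decoded:
        if ".php" in decoded.lower():
            return "encoded newline in a .php path (CVE-2019-11043 pattern)"
        # With try_files ... /index.php$is_args$args every path reaches PHP,
        # so a newline anywhere in the path is still worth a block.
        return "encoded newline in request path"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run probe_reason over log lines; return (ip, target, reason) for hits."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a request line we understand
        reason = probe_reason(m["target"])
        if reason:
            hits.append((m["ip"], m["target"], reason))
    return hits


if __name__ == "__main__":
    for ip, target, reason in scan(SAMPLE_LOG):
        print(f"{ip}\t{reason}\t{target}")
```

The same two tests (PoC marker, decoded newline in the path) translate directly into a WAF expression if you would rather block than alert; matching on the raw `%0A` text alone misses the lower-case `%0a` form, which is why the example decodes the path first.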
Cheers. It looks like you need to have a pretty specific config to end up vulnerable to this.


Did you see Emil Lerner's "Single byte write to RCE: exploiting a bug in php-fpm" at next month's ZeroDays19?
