Exploit PHP-FPM with Nginx as Target (CVE-2019-11043)


As businesses more actively use digital channels as part of their operations, the amount of traffic that comes through their websites and applications is increasing significantly, especially for e-commerce sites such as Tokopedia or Bukalapak that have more than 100 million visitors per month. For their websites to handle such heavy traffic effectively, they need to use PHP-FPM, a processor for PHP scripts that is efficient at handling heavy website traffic. However, PHP-FPM can be leveraged by malicious actors to access your website server remotely, especially for businesses that run their PHP-based website on an NGINX server.

The vulnerability, designated CVE-2019-11043, was discovered by a security researcher named Andrew Danau and was reported on the PHP bug tracker by Emil Lerner. Under certain configurations, the vulnerability can be exploited to achieve remote code execution. A certain set of preconditions must hold for a configuration to be exploitable.

The vulnerability works for a specific configuration, as shown below. If an encoded newline (%0a) character is introduced in the uniform resource identifier (URI), the regular expression in fastcgi_split_path_info will break. This makes the PATH_INFO variable empty, while the unpatched version assumes that env_path_info always contains a value. As a result, the vulnerability is triggered and the system crashes.

Afterward, the FCGI_PUTENV function will overwrite the variables with a script path to create an arbitrary PHP_VALUE fcgi variable. This gives the attacker remote code execution. The vulnerable server can be exploited by sending a crafted HTTP GET request with the code to be injected ("$_GET[a]`?>") immediately after the newline character (%0A), as seen below:

Once the code is injected, a persistent web shell is created and can be accessed through the parameter ‘a’ (http://vulnserver/index.php?a=). Attackers can then modify the parameter name and obscure the injected code, achieve code execution persistence, and trigger the vulnerability by accessing any .php file apart from index.php.

The vulnerability explained above can be closed by updating PHP to the latest or stable versions (7.2.24 or 7.3.11), which address the vulnerability along with other bugs. Through this article, Defenxor, as one of the IT security experts in Indonesia, shares an update about the latest security threat so that your business can avoid it.
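
Alongside patching, you can check whether an existing NGINX configuration matches the traits described above: an anchored fastcgi_split_path_info regex whose capture is passed to PHP-FPM as PATH_INFO. The following is an added example, not code from the original article; the sample configs and function names are constructed, and treating a try_files or `if (!-f ...)` check as a guard is an assumption of this example.

```python
import re

# Constructed sample configs (not from the original page).
VULNERABLE = r"""
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
}
"""
# Same block with a file-existence check before the request reaches PHP-FPM.
HARDENED = VULNERABLE.replace(
    "fastcgi_param",
    "if (!-f $document_root$fastcgi_script_name) { return 404; }\n    fastcgi_param")

def location_blocks(conf):
    """Yield (header, body) for each location block, matching nested braces."""
    for m in re.finditer(r"^\s*location\s+([^{]+)\{", conf, re.M):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1).strip(), conf[m.end():i - 1]

def audit(conf):
    """Return headers of location blocks meeting all checked preconditions."""
    conf = re.sub(r"(?m)#.*$", "", conf)  # ignore commented-out directives
    findings = []
    for header, body in location_blocks(conf):
        if not re.search(r"\bfastcgi_pass\b", body):
            continue  # block does not forward to a FastCGI backend
        split = re.search(r"\bfastcgi_split_path_info\s+(\S+)\s*;", body)
        # A ^...$ regex stops matching once %0a puts a newline in the URI
        anchored = bool(split and split.group(1).startswith("^")
                        and split.group(1).endswith("$"))
        # The resulting empty capture is handed to PHP-FPM as PATH_INFO
        path_info = bool(re.search(
            r"\bfastcgi_param\s+PATH_INFO\s+\$fastcgi_path_info\b", body))
        # File-existence checks reject the request before it reaches PHP-FPM
        guarded = bool(re.search(r"\btry_files\b[^;]*=404|if\s*\(\s*!\s*-f\b", body))
        if anchored and path_info and not guarded:
            findings.append(header)
    return findings

if __name__ == "__main__":
    print("vulnerable:", audit(VULNERABLE))
    print("hardened:  ", audit(HARDENED))
```

Run it over the output of `nginx -T` so that directives pulled in through include files are part of the text being checked.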