Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 27 Jul 2019 14:13:59 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: RCE through open PHP-FPM ports

Hi,

I recently reported here [1] that open FPM ports may be used to
exfiltrate data and this particularly affected HHVM. Originally I
assumed that this is much less of an issue with upstream PHP. However
swagpgs [2] pointed out to me that this is actually much more dangerous
than I originally thought.

Background: FPM is a method to execute PHP in modern environments. A
daemon is listening for incoming connections, so PHP doesn't need to be
started for each request, the web server will forward requests to FPM.
It can run either on a file socket or on a TCP port.
The TCP port should never be exposed to the public.

Here's how this can be used for remote code execution:
The FPM daemon supports passing PHP configuration options via the
PHP_VALUE variable. This can be used to inject PHP code via the
auto_prepend_file configuration option (this is basically an option to
provide a script that will be prependet to every other script
execution).
This may be prevented by settings for allow_url_include or
allow_url_fopen. However these settings can be changed with PHP_VALUE
as well, so this is no protection.

The only thing an attacker needs is a file with a .php or .phar
extension on the target systems (other files won't be executed due to
to an option "security.limit_extensions" in the FPM daemon that by
default only allows these two). However this is usually not very hard
to achieve by guessing files on standard paths. For example on
Debian/Ubuntu systems a file /usr/bin/phar.phar exists, alternatively
on systems that have PEAR installed this can be used.

I've put this all together in a bash script [3] that should illustrate
how this attack works.

Notably HHVM is not affected by this attack vector, as it doesn't
support PHP_VALUE [4]. However it is affected more severely by the
original file exfiltration issue [1].

tl;dr Never run FPM on a public network interface. With HHVM this means
arbitrary file exfiltration, with PHP it means remote code execution.


[1] https://www.openwall.com/lists/oss-security/2019/07/09/2
[2] https://twitter.com/swapgs
[3] https://github.com/hannob/fpmvuln/blob/master/fpmrce
[4] https://github.com/facebook/hhvm/issues/3730
-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.