Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 27 Jul 2019 14:13:59 +0200
From: Hanno Böck <>
Subject: RCE through open PHP-FPM ports


I recently reported here [1] that open FPM ports may be used to
exfiltrate data and this particularly affected HHVM. Originally I
assumed that this is much less of an issue with upstream PHP. However
swagpgs [2] pointed out to me that this is actually much more dangerous
than I originally thought.

Background: FPM is a method to execute PHP in modern environments. A
daemon is listening for incoming connections, so PHP doesn't need to be
started for each request, the web server will forward requests to FPM.
It can run either on a file socket or on a TCP port.
The TCP port should never be exposed to the public.

Here's how this can be used for remote code execution:
The FPM daemon supports passing PHP configuration options via the
PHP_VALUE variable. This can be used to inject PHP code via the
auto_prepend_file configuration option (this is basically an option to
provide a script that will be prependet to every other script
This may be prevented by settings for allow_url_include or
allow_url_fopen. However these settings can be changed with PHP_VALUE
as well, so this is no protection.

The only thing an attacker needs is a file with a .php or .phar
extension on the target systems (other files won't be executed due to
to an option "security.limit_extensions" in the FPM daemon that by
default only allows these two). However this is usually not very hard
to achieve by guessing files on standard paths. For example on
Debian/Ubuntu systems a file /usr/bin/phar.phar exists, alternatively
on systems that have PEAR installed this can be used.

I've put this all together in a bash script [3] that should illustrate
how this attack works.

Notably HHVM is not affected by this attack vector, as it doesn't
support PHP_VALUE [4]. However it is affected more severely by the
original file exfiltration issue [1].

tl;dr Never run FPM on a public network interface. With HHVM this means
arbitrary file exfiltration, with PHP it means remote code execution.

Hanno Böck

GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.