{"id":9498,"date":"2019-10-29T02:56:54","date_gmt":"2019-10-29T02:56:54","guid":{"rendered":"https:\/\/nsfocusglobal.com\/?p=9498"},"modified":"2019-10-29T02:56:54","modified_gmt":"2019-10-29T02:56:54","slug":"php-fpm-remote-code-execution-vulnerability-cve-2019-11043-threat-alert","status":"publish","type":"post","link":"https:\/\/nsfocusglobal.com\/pt-br\/php-fpm-remote-code-execution-vulnerability-cve-2019-11043-threat-alert\/","title":{"rendered":"Php-fpm Remote Code Execution Vulnerability (CVE-2019-11043) Threat Alert"},"content":{"rendered":"

Overview <\/strong><\/h2>\n

Recently, security researchers have published a vulnerability in php-fpm (CVE-2019-11043) that could lead to remote code execution in certain Nginx configurations.<\/p>\n

The vulnerability exists in the file sapi\/fpm\/fpm\/fpm_main.c (https:\/\/github.com\/php\/php-src\/blob\/master\/sapi\/fpm\/fpm\/fpm_main.c#L1140), which assumes the prefix of env_path_info Equal to the path of the php script, but in fact the code does not check if this assumption is met, and the lack of this check will invalidate the pointer in the “path_info” variable. In some Nginx configurations, an attacker can use a line break (encoded at %0a) to destroy the regexp in the `fastcgi_split_path_info` directive, which can cause a null PATH_INFO, which triggers the vulnerability.<\/p>\n

It is understood that the vulnerability was discovered by researcher Andrew Danau during a CTF game. When he sent %0a to the server URL, the server returned an exception and discovered the vulnerability after further research.<\/p>\n

References:<\/p>\n

https:\/\/lab.wallarm.com\/php-remote-code-execution-0-day-discovered-in-real-world-ctf-exercise\/<\/a><\/p>\n

Affected Versions\u00a0<\/strong><\/h2>\n

In the Nginx + php-fpm environment, all of the PHP 7+ versions are affected (PHP 7.0, PHP 7.1, PHP 7.2, PHP 7.3) using the following Nginx configuration, and currently crash on PHP 5.6.<\/p>\n

The specific Nginx configuration is as follows:<\/p>\n\n\n\n
\u00a0\u00a0 location ~ [^\/]\\.php(\/|$) {<\/p>\n

fastcgi_split_path_info ^(.+?\\.php)(\/.*)$;<\/p>\n

fastcgi_param PATH_INFO\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 $fastcgi_path_info;<\/p>\n

fastcgi_pass\u00a0\u00a0 php:9000;<\/p>\n

…<\/p>\n

}<\/p>\n

}<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Security Recommendations<\/strong><\/h2>\n