On the 22nd of October a new vulnerability in PHP-FPM was disclosed after it was patched by PHP. The vulnerability allows an attacker to execute remote code after exploiting a buffer underflow in the PHP-FPM code. Buffer underflow occurs when an index or pointer references a memory location prior to the allocated buffer.
The vulnerability is triggered by a misconfigured NGINX server allowing the attacker to pass an empty PATH_INFO variable to PHP-FPM resulting in a controllable memory address. For the attack to be successful, there are 5 preconditions that needed to be fulfilled:
NGINX configuration forwards .php requests the PHP-FPM.
PHP 7+ is in use.
The fastcgi_split_path_info directive contains a regex starting with ^ and ends with a $.
A PATH_INFO variable must be assigned using fastcgi_param PATH_INFO statement.
The configuration does not check for non-existing files using try_files or if statement.
A publicly available proof-of-concept was published on Github by the researcher who had discovered vulnerability. The tool exploits the buffer underflow and sets a FastCGI PHP_VALUE parameter to reconfigure php.ini leading to the execution the attacker’s code.
Mitigation with BIG-IP ASM
A new attack signature was released to provide a more accurate detection and mitigation of the vulnerability: "PHP-FPM path_info Remote Code Execution" (ID 200004996) in the "Server Side Code Injection" signature set.
ASM customers under any supported BIG-IP version are already protected against this vulnerability. While exploiting this vulnerability attacker will try to send specially crafted HTTP GET requests containing multiple command and PHP injections.
Figure 1: Request example containing the exploitation attempt
The exploitation attempt will be detected by many existing attack signatures. Signatures which can be found in signature sets that include "Command Execution" and "Server Side Code Injection" attack types or "PHP" system.
Figure 2: Exploit blocked with Attack Signature (200003045)
Figure 3: Exploit blocked with Attack Signature (200003924)
Figure 4: Exploit blocked with Attack Signature (200004025)