PT SWARM

PHP-FPM Local Root Vulnerability

by Charles Fol

PHP-FPM (FastCGI Process Manager) is the official PHP FastCGI server. It is used in conjunction with an HTTP server such as Apache or NGINX to handle the processing of PHP files. It generally listens for connections over either a UNIX socket or on TCP port 9000. When the HTTP server needs to run a PHP file, it will forward parameters, such as the file path, PHP variables, and configuration to PHP-FPM, which will send back a response.

A low-privilege process can read and write an array of pointers used by the main process, running as root, through shared memory. An attacker can leverage this problem to change a 32-bit integer from zero to one in the main process's memory, or clear a memory region. By leveraging the primitive multiple times, it is possible to reach another bug, make the main process execute code, and thus escalate privileges.

Due to the growing adoption of NGINX instead of Apache, a good look at PHP-FPM was in order. An oversight in the design of the shared memory region led to half-decent exploitation primitives, which in turn led to a root privilege escalation.

Contents:
• Introduction
• Overview of the bug
• Overview of PHP-FPM
• Main process and workers
• Scoreboards
• IPC through SHM
• Process scoreboard management and the bad primitive
• An example
• Exploitation
• Tailoring the primitive
• Reaching the heap: setting catch_workers_output
• Good enough?
• All your bases
• Persistent worker control
• Capping the number of workers
• Closed FD
• Error-free PHP
• Problem-free exploitation tactics
• Managing streams: zlog_stream
• Unreachable heap overflow
• Faking the streams, getting root
• Heap overflow
• Arbitrary write
• Demo
• Vulnerable versions
• Conclusion and Remarks

https://ambionics.io/blog/php-fpm-local-root