Security researchers at F5 Networks constantly monitor web traffic at various locations all over the world. This allows us to detect “in the wild” malware and get insights into the current threat landscape.
In November 2019, new malicious campaign activity was down 40 percent compared to October 2019. While this seems like a large decline, there was a spike in new campaign activity in October 2019, and the new malicious activity is in line with what we detected in September 2019. Here’s an overview of the new threat activity we saw in November 2019:
- Two campaigns targeting Atlassian Confluence servers vulnerable to the Widget Connector RCE vulnerability (CVE-2019-3396)
- One campaign targeting Nginx servers vulnerable to the PHP-FPM RCE vulnerability (CVE-2019-11043)
- In addition, the following notable campaigns were also detected:
  - MACCMS vod-search RCE (CVE-2017-17733): This campaign aims to exploit servers running MACCMS that are vulnerable to an RCE vulnerability. The threat actor tries to upload a web shell to a vulnerable server.
  - Rejetto HTTP File Server RCE (CVE-2014-6287): This campaign aims to identify Rejetto HTTP File Servers vulnerable to the Rejetto HTTP File Server RCE vulnerability. The threat actor instructs the server to download and execute DDoS malware.
  - rConfig ajaxServerSettingsChk unauthenticated RCE (CVE-2019-16662): This campaign aims to identify rConfig servers that are vulnerable to the rConfig ajaxServerSettingsChk RCE vulnerability. The threat actor instructs the server to calculate the MD5 checksum of the string 'HelloConfig' and send it back to the threat actor.
Nginx PHP-FPM Remote Code Execution (CVE-2019-11043)
Following the trend of malicious activity seen in November 2019, threat actors are exploiting new vulnerabilities. On October 22, a security researcher tweeted[1] about a vulnerability found during a Capture the Flag (CTF) competition. The vulnerability affects servers running Nginx with PHP-FPM under certain conditions. The researcher posted a working POC exploit showing how the vulnerability leads to remote code execution (RCE).[2]
There are multiple ways to configure Nginx. The FastCGI Process Manager (FPM) is an alternative PHP FastCGI implementation with some additional features, mostly useful for heavily loaded sites. Although PHP-FPM is not a core component of Nginx, several web hosting providers, such as Nextcloud, provide it for use. The vulnerability arises from an improper configuration of PHP-FPM.
Vulnerability Analysis
As mentioned, the vulnerability arises due to misconfiguration when certain preconditions are met:
- The Nginx location directive must forward requests to PHP-FPM.
- The assignment of variable PATH_INFO and SCRIPT_FILENAME must be done using a fastcgi_param directive.
- A fastcgi_split_path_info directive exists and contains a RegExp starting with ^ and ending with $.
- Nginx does not drop requests to non-existing scripts before forwarding to FPM.
Many Nginx installations contain the following lines in their configuration file. The problem is not with Nginx itself but with the PHP-FPM configuration, which developers often copy and paste from other resources on the internet. While it is not part of the standard configuration, it is a common configuration for developers to use.
location ~ [^/]\.php(/|$)
{
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass php:9000;
    ...
}
The RegExp in the fastcgi_split_path_info directive splits the URI into two capture groups: the first contains the PHP script name, and the second contains the path within the PHP script. For example, a string like "F5Labs.php/PHP-FPM" is split into two strings, "F5Labs.php" and "/PHP-FPM". The second capturing group of the RegExp, (/.*), however, does not match newline (%0a) characters, so a string like "F5Labs.php/%0aPHP-FPM" results in an empty path string. This path string is assigned to the PATH_INFO variable in the configuration file.
The length of the PATH_INFO variable (pilen) is later used to calculate the address of the path_info pointer. Since the length of PATH_INFO is 0 (due to the %0a), path_info ends up pointing to a location before the actual location of PATH_INFO.
This flaw in the RegEx validation therefore results in a buffer underflow for the character pointer path_info. A few lines later in the same file,[3] path_info[0] is set to 0. Since path_info points to an address before the actual address of PATH_INFO, this lets a malicious actor write a NULL (0) byte at an address outside the intended buffer.
This is notable because the CGI environment within PHP-FPM is stored in a data structure called fcgi_data_seg,[4] which is in turn managed by another data structure called fcgi_hash.[5] An attacker can construct a URL path and query string so that path_info points at the first byte of the fcgi_data_seg structure and, through path_info[0], overwrite that first byte with a NULL byte. Putting a NULL byte there moves the structure member fcgi_data_seg→pos to a new location, in the middle of the existing environment variables.
Since the pos pointer now points into the CGI environment variables, a subsequent call to the FCGI_PUTENV function by PHP-FPM overwrites some of the existing variables. As Figure 1 shows, PHP-FPM calls FCGI_PUTENV to replace the value of ORIG_SCRIPT_NAME, and the replacement value is controlled by the attacker. This allows an attacker to create a fake PHP_VALUE fcgi variable and use a chain of carefully chosen config values to get remote code execution.
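To make the four preconditions and the RegExp behaviour concrete, here is an added Python example (it is not from the F5 Labs article, nor from the Nginx or PHP projects) that audits a location block against those preconditions and mimics how fastcgi_split_path_info populates $fastcgi_path_info from the decoded URI. The SCRIPT_FILENAME line standing in for the article's "...", the try_files $uri =404; guard in the hardened variant, and the minimal directive tokenizer are assumptions about a typical configuration, not nginx's real parser.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Constructed sample of the copy-pasted location block discussed above.
# ASSUMPTION: the article elides further directives with "..."; a typical
# SCRIPT_FILENAME assignment is used here in its place.
VULNERABLE_LOCATION = r"""
location ~ [^/]\.php(/|$)
{
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass php:9000;
}
"""

# Same block with the usual guard added: nginx checks that the script exists
# and answers 404 itself instead of forwarding the request to FPM, which
# breaks the fourth precondition listed in the article.
HARDENED_LOCATION = VULNERABLE_LOCATION.replace(
    "    fastcgi_pass php:9000;",
    "    try_files $uri =404;\n    fastcgi_pass php:9000;",
)

# The RegExp from the location block, used by split_path_info below.
SPLIT_REGEXP = r"^(.+?\.php)(/.*)$"


def directives(block: str) -> List[Tuple[str, str]]:
    """Minimal tokenizer for one location block: returns (name, args) pairs.
    Stand-in for nginx's real config parser; one directive per line only."""
    out = []
    for line in block.splitlines():
        line = line.strip()
        if not line or line.startswith(("location", "{", "}", "#")):
            continue
        name, _, args = line.rstrip(";").partition(" ")
        out.append((name, args.strip()))
    return out


def split_path_info(raw_uri: str, regexp: str = SPLIT_REGEXP) -> Tuple[str, str]:
    """Mimic fastcgi_split_path_info on a raw request path.

    nginx applies the RegExp to the percent-decoded URI and sets
    $fastcgi_script_name / $fastcgi_path_info from the two capture groups.
    When the RegExp does not match, both stay empty. A decoded %0a in the
    path-info part causes exactly that: "." does not match the newline, so
    "(/.*)" stops before it and "$" fails because input still follows.
    """
    m = re.match(regexp, unquote(raw_uri))
    if m is None:
        return ("", "")
    return (m.group(1), m.group(2))


def check_preconditions(block: str) -> Dict[str, bool]:
    """Evaluate the four preconditions from the article for one location
    block; reports each one plus an overall 'vulnerable' verdict."""
    d = directives(block)
    names = {n for n, _ in d}
    params = {a.split()[0] for n, a in d if n == "fastcgi_param" and a}
    split = next((a for n, a in d if n == "fastcgi_split_path_info"), "")
    checks = {
        "forwards_to_fpm": "fastcgi_pass" in names,
        "path_info_and_script_filename_via_fastcgi_param":
            {"PATH_INFO", "SCRIPT_FILENAME"} <= params,
        "anchored_split_regexp": split.startswith("^") and split.endswith("$"),
        "no_try_files_guard": "try_files" not in names,
    }
    checks["vulnerable"] = all(checks.values())
    return checks


if __name__ == "__main__":
    print(split_path_info("/F5Labs.php/PHP-FPM"))      # ('/F5Labs.php', '/PHP-FPM')
    print(split_path_info("/F5Labs.php/%0aPHP-FPM"))   # ('', '')
    print(check_preconditions(VULNERABLE_LOCATION)["vulnerable"])  # True
    print(check_preconditions(HARDENED_LOCATION)["vulnerable"])    # False
```

One edge worth knowing when reading the split: a URI that ends in a lone %0a ("/F5Labs.php/%0a") still matches, because "$" accepts the position just before a final newline in both PCRE and Python's re; the empty-PATH_INFO case the article describes needs characters after the newline.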
Initial Request
Since a %0a in the URI is necessary to trigger this vulnerability, an exploitation request will contain it, along with modified values of CGI environment variables.
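As an added example (not part of the F5 Labs article), the following Python scans nginx access-log lines in the default combined format for requests of that shape: a .php script followed by a path-info part that decodes to contain a newline. The log lines are constructed for the example; nginx records the raw request line, so the %0a appears literally in the log.

```python
import re
from typing import Dict, List
from urllib.parse import unquote, urlsplit

# Constructed access-log lines in nginx's default "combined" format.
# Addresses, timestamps, paths and user agents are made up for this example.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Nov/2019:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [25/Nov/2019:10:01:05 +0000] "GET /index.php/PHP-FPM HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Nov/2019:10:02:11 +0000] "GET /index.php/%0aPHP-FPM?a=1 HTTP/1.1" 502 0 "-" "curl/7.64.0"
198.51.100.7 - - [25/Nov/2019:10:02:12 +0000] "GET /index.php/%0APHP-FPM HTTP/1.1" 200 0 "-" "curl/7.64.0"
203.0.113.12 - - [25/Nov/2019:10:03:00 +0000] "GET /static/app.js?v=%0a HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Fields of the combined log format: remote address, ident, user, time,
# request line, status, bytes, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def is_suspicious_target(target: str) -> bool:
    """True when the request path has a .php script followed by a path-info
    part that decodes to contain a newline, the shape a request needs to
    reach the vulnerable RegExp split. Only the path is examined: a %0a in
    the query string never reaches the URI that fastcgi_split_path_info
    operates on."""
    decoded = unquote(urlsplit(target).path)
    idx = decoded.lower().find(".php/")
    return idx >= 0 and "\n" in decoded[idx:]


def find_newline_pathinfo_requests(log_text: str) -> List[Dict[str, str]]:
    """Parse combined-format lines and return the ones whose request target
    is suspicious, with the fields an analyst would pivot on."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # not combined format (or a truncated line); skip it
        if is_suspicious_target(m.group("target")):
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "target": m.group("target"),
                "status": m.group("status"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_newline_pathinfo_requests(SAMPLE_LOG):
        print(hit)
```

Matching on the decoded path rather than on the literal text "%0a" means the upper-case %0A variant is caught as well, while the %0a inside a query string on the last sample line is correctly ignored.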