Hello,

A small update.
The bug has been present since the first fpm_scoreboard implementation (PHP 5.3.7). I now have a reliable exploit for PHP 8+, which I can provide if needed.

Hello, any update on this ?

Hi, yeah this look like an issue. I have attached a dirty patch (needs more work) if you could check if it fixes the problem. Please let me know and if good I will polish it...

Hello,

I can't view the patch: "You have no access to bug #81026".
Will you require a CVE for this, or should I ?

Have a great day!
Charles Fol

There is a mistake in the v1 patch. The proc_end part is wrong - should replace scoreboard size with proc_start. Will send new patch later.

@bukka, the bug reporter can't see attached patches.  It is
usually preferable to post patches as secret Gists[1], and to post
the link here.  If the patch is short, just posting it inline is
also fine.

@c dot fol: CVEs are assigned by the PHP security team.

[1] <https://gist.github.com/>

Fixed patch gist: https://gist.github.com/bukka/72a0408e027b85e72d6f4e622974eb01

Hello,


-- 1 -------------

The patch does not fix every read/write access to scoreboard->procs[].

Example funcs:

fpm_scoreboard_proc_alloc() -> scoreboard->procs[i]->used = 1;
fpm_scoreboard_proc_free() -> memset(scoreboard->procs[child_index], 0, sizeof(struct fpm_scoreboard_proc_s));

-- 2 -------------

Also, there is a mistake in the patch: fpm_scoreboard_proc_get_from_child() tries to find the lower and upper bounds for ptr addresses, but the computation of the lower bound is wrong:

ptrdiff_t proc_end = proc_start + (wp->config->pm_max_children - 1) * sizeof(struct fpm_scoreboard_proc_s *);

The last operand should be sizeof(struct fpm_scoreboard_proc_s), not sizeof(struct fpm_scoreboard_proc_s *)

-- 3 -------------

Lastly, I kindly reiterate my suggestion of making scoreboard_s.procs an array of fpm_scoreboard_proc_s instead of an array of *pointers* to fpm_scoreboard_proc_s. In the current design, every time you want to access a scoreboard_proc, you will use its index (child->scoreboard_i). As a consequence, the change won't cause a loss of usability.

Even better, you don't have to change the prototype of fpm_scoreboard_proc_get() !

You'd have (pseudo-ish code):

```
struct fpm_scoreboard_s {
	...
	struct fpm_scoreboard_proc_s procs[];
};

int fpm_scoreboard_init_main() /* {{{ */
{
	...
	scoreboard_size        = sizeof(struct fpm_scoreboard_s) + (wp->config->pm_max_children) * sizeof(struct fpm_scoreboard_proc_s);
	...
}

struct fpm_scoreboard_proc_s *fpm_scoreboard_proc_get(struct fpm_scoreboard_s *scoreboard, int child_index) /* {{{*/
{
	...
	return &scoreboard->procs[child_index]; // no prototype change, we just return pointer
}
/* }}} */
```

Charles

Yeah I wanted to first try approach that wouldn't change the current paths for normal run that much as it's meant for the branch with security only fixes (PHP-7.3). But missed that alloc and free parts which would make it much messier looking at it. Will have to change the structure of the procs as you say though. Will also need to put together some tests for this which will be the hardest part so will take some time.

There's not that much rush though as we classify those as a low security impact because one needs to have access to the worker first. Basically it's a problem just for the shared hostings but most users shoudl not be impacted. Still security issue though.

"There's not that much rush though as we classify those as a low security impact because one needs to have access to the worker first. Basically it's a problem just for the shared hostings but most users shoudl not be impacted."

I disagree on both points.

I understand PHP's stance on "sandbox escape" exploits: if you can run PHP code, you should be able to run machine code, and mitigation such as disable_functions and safe mode and here to protect against remote exploits. In other words, the logic is that PHP does not act as a sandbox when you can run arbitrary (PHP) code. However, in this case, the presence of the PHP-FPM application poses a new, *otherwise-nonexistent*, security risk to the server.

Furthermore, local root exploits are never referred to as "low security impact". CVE-2019-0211, targeting software relative to the same use (Apache HTTPd), scores a 7.8 CVSS (high).
Saying it only affects shared hosting is a huge understatement.

My 2 cents,
Charles

Yeah it's probably more medium so it should get CVE. Think high is reserved just for exploit without any access but not 100% sure. It doesn't really matter that much anyway as it doesn't get it fixed faster. I will try to find some time to put together a patch and a test but it will probably take few weeks as my time is pretty limitted.

So I had a bit closer look what needs to be changed and it's actually worse than I thought. The thing is that scoreboard->nprocs cannot be trusted as well so we will have to pass a worker pool instead of scoreboard where it's used by the master. The whole thing is touching almost every part of the scoreboard usage (process idle timeout, pool creation / clean up / scaling, full status and possibly some other things). Unfortunately we don't have any test coverage for most of those parts. So we need to improve the test coverage first before getting this fixed to minimise risk that the actual fix breaks anything. It might take a bit of time though.

Yes, as I stated in my first report, you have to get rid of nprocs or keep it out of the SHM. Also, two other problems I saw (although less impactful): a worker can cause a DOS by setting all scoreboard_proc_s.used to 1 (or even -1 to avoid races) or scoreboard(_proc)_s.lock to 1.

I agree that's there's going to be work, sadly. Good luck !

Hello PHP team,

Any update on this ? Can we be of any help ?

Best regards,

I have been quite busy but just pushed some progress on the process idle test that I want to do first. Once it's done, I will take a look into the scoreboard refactoring. Might take me some time though.

Just an update about progress on this. I have just created a PR for process idle timeout that should improve the test coverage of the parts that will need to be changed: https://github.com/php/php-src/pull/7464 . I will start looking on those changes as the next thing when I got time for FPM.

Also I decided to target only 7.4+ as 7.3 will be soon out of security support and the changes will be relatively invasive and don't want to cause any regressions that won't be possible to fix once it gets out of support.

Hello bukka,

Thanks for the update. Here's an update on our side: we'll be revealing the bug on a french infosec conference on October 15th, 2021. A blogpost will come out afterwards, and the exploit (a bit later) as well.

Not sure if it's going to be fixed by then. It would be nice to get a heads up sooner as I have got just weekends and prioritise some other work as well. If I knew that date sooner, it could be potentially fixed sooner. Also our releases take longer so there might be even less time to get it out. 

I will be hopefully looking into it next week so will see what I can do.

Hello, just attached a new patch fpm_scoreboard_proc_oob_fix_v4.patch . It changes the scoreboard structure to eleminate access through the pointer and changes the way how the scoreboard is retrieved in the master process (so it doesn't use the nprocs from the scoreboard but instead uses the configured value for the max children). I run all the tests and it seems to work but not 100% sure if I covered all edge cases. So review and testing would be highly appreciated.

Hello,

First of, sorry for the late warning, I told you as soon as I knew.
I still can't access the patch file ("You have no access to bug #81026").

Charles

Submitter view does not allow access to patches? That's weird, must be a bug. Anyway, in this case I recommend using secret gists, that should be secure enough for this case. See: https://gist.github.com/smalyshev/ee7779f098cbfe2fab3799ada2a2f0f7

If the patch works, we could have it in the next PHP release which is planned for Oct 21.

Hello,

Thanks for the GIST. The patch gets heavily rejected when I apply it with "git apply", when working on commit "35adc4f7f613a036264272bbd9e0629b9b91bfb8", which is the last commit of the master branch.
Can you give me either the commit ID I need to apply the patch on, or the full PHP core source with patch applied ?

Charles

Please try to apply against PHP-7.4 which is the targeted version for this patch.

OK I managed to have the patch work OK-ish.

As far as I understand, the only potentially unsafe usage of "->nprocs" is in fpm_scoreboard_proc_get(), but it should not matter because the main process won't use fpm_scoreboard_proc_get().

Regarding the mutation of procs from an array of pointers to a "simple" array, I think this is the correct solution, and it should work well.

So in my point of view, the patch is good.

On another note, I'd like to put your attention on Sec Bug #81513, which is the second bug I used to exploit the privilege escalation. This one is easy to patch, and kinda complement this one in regards to the final impact: escalating privileges from www-data to root.

In any case, I apologize again for the short delay. We won't release the blogpost until after this gets patched (hopefully on October 21st)

Best regards,
Charles

Thanks for the review. I just emailed Nikita if he could also take a look so hopefully he will find some time. I will also try to do a bit more manual testing.

@Stas What's the latest to get it ready for October 21st release? I mean when does it need to get merged to get it to that release? Thanks

I usually merge stuff on Sunday/Monday prior, so that'd be Oct 18th.

I'm not super familiar with this area, but the patch looks reasonable to me. It's a bit unfortunate that nprocs still remains, but I guess avoiding it would require threading things through more functions.

Just out of interest, I assume the general issue here does not affect opcache SHM because it is not initialized in the root process? Opcache SHM is not (and will definitely never be) safe against malicious modification.

Technically there's not much need to not use nprocs if it's accessed only in the worker context. I think that's kind of the same as opcache shm which should be also only used by workers. It means that we can't protect crashing / impacting of other precesses even in different pool most likely. But what we can do is to at least protect the master process which means prevent possibility of privilege escalation as it often runs as a root.

Hi Stas, so I have done a bit more testing and haven't found any issue so think it's probably good to go.

I'm not exactly sure about handling of security fixex as I think it's usually handled by RMs / you. This one is just for 7.4 and up as it's too risky for 7.3 so I could technically merge it myself. If you want me to do it, please let me know and I will do it.

Otherwise if you want to apply it yourself, please apply the patch to PHP-7.4 like

git am --signoff < fpm_scoreboard_proc_oob_fix_v4.patch

It should work fine with PHP-7.4 (I tested that). I also checked the merges and there will be one conflict in fpm_scoreboard.h when you merge to PHP-8.0 which should look like this

diff --cc sapi/fpm/fpm/fpm_scoreboard.h
index 060eddea98,9d5981e1c7..0000000000
--- a/sapi/fpm/fpm/fpm_scoreboard.h
+++ b/sapi/fpm/fpm/fpm_scoreboard.h
@@@ -63,8 -63,7 +63,12 @@@ struct fpm_scoreboard_s 
        unsigned int nprocs;
        int free_proc;
        unsigned long int slow_rq;
++<<<<<<< HEAD
 +      struct fpm_scoreboard_s *shared;
 +      struct fpm_scoreboard_proc_s *procs[];
++=======
+       struct fpm_scoreboard_proc_s procs[];
++>>>>>>> PHP-7.4
  };
  
  int fpm_scoreboard_init_main();


That needs a manual resolution to look like

struct fpm_scoreboard_s *shared;
struct fpm_scoreboard_proc_s procs[];

It means keeping the shared pointer but changing the procs. So after fixing the git diff should look like this:

diff --cc sapi/fpm/fpm/fpm_scoreboard.h
index 060eddea98,9d5981e1c7..0000000000
--- a/sapi/fpm/fpm/fpm_scoreboard.h
+++ b/sapi/fpm/fpm/fpm_scoreboard.h
@@@ -63,8 -63,7 +63,8 @@@ struct fpm_scoreboard_s 
        unsigned int nprocs;
        int free_proc;
        unsigned long int slow_rq;
 +      struct fpm_scoreboard_s *shared;
-       struct fpm_scoreboard_proc_s *procs[];
+       struct fpm_scoreboard_proc_s procs[];
  };

Once committed, further merges to PHP-8.1 and master should be fine.

I can merge 7.4 and up, but would be nice if we also could do 7.3 too since it's still supported for security fixes.

The patch seems to apply cleanly to 7.3 too, so I think we can keep it there, unless I hear any objections. I don't see much changes that happened in the affected area between 7.3 and 7.4, even though I obviously could miss something as I don't know that code very well. I have the patches ready and will push them on Monday morning (Pacific time).

On the second thought, I'll push 7,4+ and will wait for a word from Jakub on 7.3.

I think it's too risky for PHP 7.3 if there's any issue. It goes out of support soon so I don't think it's worth it. It's relatively big patch touching scoreboard which is the main shared piece in FPM so if something goes wrong, then it's quite a big problem. 

Considering the attack surface that requires someone to have access to the environment or at most to the code (if exec and like allowed), then the number of users where this might be really problem should be quite small - personally I have never seen such setuo but possibly some shared hostings could be impacted. The thing is that they most likely use distro package or might just apply the patch themself on their own risk. Also distros can apply the patch on their supported versions too if they wish - it's less problem for them as they have got longer support and might potential apply further fixes in case something goes wrong here.

Btw I see that Nikita caused us another conflict by merging this https://github.com/php/php-src/commit/f71810fb6f98251ace18ba49bc269d19ab27579a ... :)

You can fix manauly by applying changes from both so the params in both calls look like

wp->config->name, (int) pid, buf, (long) tv2.tv_sec, (int) tv2.tv_usec

That conflict is for merging to PHP-8.1...

"""
Considering the attack surface that requires someone to have access to the environment or at most to the code (if exec and like allowed), then the number of users where this might be really problem should be quite small - personally I have never seen such setuo but possibly some shared hostings could be impacted.
"""

Once again, I believe you're underestimating the impact of this bug. Most distros make the PHP-FPM service as root straight up when you install it through package managers. This means that in most cases, remote code execution vulnerabilities on PHP-FPM (NGINX, IIS) will now yield a root shell instead of the standard www-data. I've been a pentester for a long time, and I can tell you this greatly improves the attack surface for an attacker.

I know I'm insisting a lot -- this is the last time I interject, but this bug is scary, and damage will be done if people cannot patch their PHP-FPM easily.

Therefore, I really think this needs a proper fix for all supported PHP versions.

Best regards,
Charles

Well yeah in combination with another execution vulnerability it will be more problematic and it's true that there are still legacy setups with world exposed web server and other services running in the same box. However most of such old setups are often behind LB and running PHP with Web server in private network and probably even more setups nowadays are running PHP in container and communicating over the network with web server in another container. What I'm saying is that it's usually quite hard to get to the PHP server that would run PHP 7.3 (there are probably still plenty if such services running older versions but those that did the update and using something like this will be minority IMO). 

As I said even if there are such PHP 7.3 users, those will most likely use distro packages. Distro can easily apply the patch and possibly follow up. But what I don't want to do is patch version that has got maybe one or max two other releases before going to complete freeze with such a big patch to the critical part of FPM and after some time find out that there some issues that can impact more users that actually run 7.3 and this issue is not problem for them. Hope that makes sense.

Will the patch land to 7.3 ?

Hello,

I'm not too much into PHP internals (just reading the changelog with this release) and to me from what I read this seems like a massive security impact for us. We have hundreds of servers (DirectAdmin servers and other shared hosting servers) where the PHP-FPM master runs as root and we create worker pools with reduced privileges.

As far as I can see once the exploit for this is released this is an easy way to get root on all those servers by any user that can upload PHP files and run them.

For PHP 7.3 (and older) that won't be patched, is there any workaround available? A setting in the config that when set prevents the required conditions for exploiting this?

The patch for 7.4 applies cleanly to 7.3, so you could just use that patch. Specifically, it's this one: https://github.com/php/php-src/commit/cb2021e5f69da5e2868130a05bb53db0f9f89e4b

As for older versions, since they're out of support, your only options would be either to try and port the patch by yourself, or have somebody - like a distro if any support older versions, or a commercial company offering long-term old versions support - port it for you. It's not feasible for the PHP project to support EOLed versions, we just don't have the resources for it.

It might even apply to the older versions as well as there haven't been too many changes so if you are running your compiled version of PHP, it shouldn't be that difficult.

If you are on a distro package, then I think that every sane distro should apply it to the their supported lower versions so best to check with your distro packager.

Also the impact might be reduced but restricting shell access and prohibiting all Program execution Functions (exec, system and so on). Although not 100% if that's enough. Maybe Charles can shed a bit more light if that could help.

IMO the argument that it is quite invasive is valid...

However, I think we should merge it into PHP 7.3, and also make the guarantee to continue providing support in the form of bug and security fixes to the *PHP-FPM* part for a little extended end-of-live (beyond Dec 6th).

In the interest of building a consensus ...

I'm in favor of merging into 7.3, and endorse the strategy that it is better to be prepared to make further releases in the unlikely event that a problem is found.

I hear the arguments against doing this but remain unconvinced that they justify effectively shortening security support for this branch without notice; To me it makes more sense to be ready to extend that support period, if we must.

I also think this fix should be applied in 7.3 branch

FYI this is already applied on various distribution packages repo (Remi's RPM, Ondrej's DEB, ...) and after thousands of downloads, nobody have report any issue.

Hello,

"""
Also the impact might be reduced but restricting shell access and prohibiting all Program execution Functions (exec, system and so on). Although not 100% if that's enough. Maybe Charles can shed a bit more light if that could help.
"""

It does not. To exploit you need to escape PHP's sandbox anyway, so limitations such as disable_functions or open_basedir are no use, sadly.

Hope this helps,
Charles

Ok it makes sense to back port to 7.3 in that case.

Hi Charles

> It does not. To exploit you need to escape PHP's sandbox anyway, so limitations such as disable_functions or open_basedir are no use, sadly.

It's just for my interest but can you explain how can you escape PHP's sandbox without any of the program execution function and without any shell access (e.g. ssh) to the machine where the PHP is running?

Hello,

First, to trigger this bug, you need to be able to execute PHP code. For instance, as an attacker, you can reach something such as eval($_POST['stuff']). Evidently, this is more convoluted in practice: maybe you can overwrite part of a PHP file, maybe you can reach unserialize($controlled_data), etc. So, this is the starting point: you control some PHP code on the server.

Then, you need to use a binary bug in the PHP interpreter to "escape". This could be a use after free, a buffer overflow, a type confusion...

Imagine you have an internal PHP function (thus in C) which takes a zval as argument. The sole goal of this (imaginary) function is to add an element into the zval, which is supposed to be an array.

The code would look like this:

PHP_FUNCTION(add_some_value_into_array)
{
    ZEND_PARSE_PARAMETERS_START(1, 1)
		Z_PARAM_ZVAL(my_zval)
	ZEND_PARSE_PARAMETERS_END();

    // Add element at index 0 in the array
    add_index_string(HASH_OF(my_zval), 0, "hello !");

    RETURN_TRUE;
}

Unluckily, the programmer forgot to add the check if(Z_TYPE_P(my_zval) == IS_ARRAY) before using the zval as an array.

Therefore, a local attacker can call: add_some_value_into_array(0x1234).

When PHP tries to use my_zval (which contains a zend_long) as an array, it will dereference my_zval.val.arr, which is in fact my_zval.val.long.

So the C pointer it tries to dereference is 0x1234...

Therefore, as an attacker, I can make PHP use an arbitrary pointer as an array. This gives me total control over the zend_array contents, and most notably its zend_array.pDestructor element, which is a function pointer.

Now, let's say I built a fake array which contains a single element, at index 0. When add_index_string gets called, $arr[0] will get deleted before "hello !" is added. Therefore, zval.value.arr->pDestructor(zval.value.arr->arData[0]) (or something like that) gets called. Since I control both these values, I can now make PHP call an arbitrary C function with an arbitrary argument. That's the "escape" of PHP's sandbox. You're not executing arbitrary PHP anymore, you're executing machine instructions. Protections such as disable_functions and open_basedir have no effect here.

This gives the attacker complete control over the program, even though s/he hasn't used any "code execution" PHP function such as system, exec, etc. It's even better: s/he can now access the whole memory of the current process, which s/he wouldn't be able to do if I just executed another program with PHP's system().

This is the starting point of the exploit for PHP-FPM, where you need to access a worker's SHM.

The sandbox escape bug I used in reality is https://github.com/cfreal/exploits/blob/master/php-SplDoublyLinkedList-offsetUnset/exploit.php

You can read the header comments to understand the bug.


Hope this makes sense,
Charles

Ah ok that makes sense now. I didn't realised that are already such triggers like SplDoublyLinkedList. Damn C, we should probably rewrite everything in Rust... :)

This patch works for 5.6:

https://github.com/remicollet/php-src-security/commit/0f2a7ebf53b3787651157f1509c0cd6fc1292a1a.patch