PHP
cpe:2.3:a:php:php:*:*:*:*:*:*:*
- >= 7.1, < 7.1.33
- >= 7.2, < 7.2.24
- >= 7.3, < 7.3.11
This vulnerability is being actively exploited in the wild.
A buffer underflow vulnerability has been identified in the PHP FastCGI Process Manager (FPM) component, specifically in PHP versions 7.1.x prior to 7.1.33, 7.2.x prior to 7.2.24, and 7.3.x prior to 7.3.11. In certain FPM configurations, the vulnerability allows for writing past allocated buffers into the space reserved for FastCGI protocol data, creating an opportunity for remote code execution.
Exploitation of this vulnerability could lead to arbitrary code execution on the server.
The vulnerability can be reproduced by sending a request to a PHP script with a crafted 'PATH_INFO' variable that exploits the buffer underflow. This can be done using the Metasploit module 'PHP-FPM Underflow RCE', which automates the exploitation process. The module first detects the appropriate query string length and custom header length needed to trigger the vulnerability, then uploads a backdoor by creating a PHP file that is executed via the web server.
Users can upgrade to PHP versions 7.1.33, 7.2.24, or 7.3.11. Instructions for upgrading can be found in the respective PHP release notes.
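The following is an added example, not part of the original advisory: a triage helper that applies the affected ranges listed above to PHP version strings collected from an inventory. The host names and sample strings are constructed, and treating a `-`, `+` or `~` suffix as a vendor-packaged build is an assumption.

```python
import re

# Affected branches from this page: (major, minor) -> first fixed patch level.
FIXED_PATCH = {(7, 1): 33, (7, 2): 24, (7, 3): 11}

# Leading major.minor.patch, with an optional packaging suffix such as "-0ubuntu0...".
_VERSION_RE = re.compile(r"^\s*(?:PHP\s+)?(\d+)\.(\d+)\.(\d+)([-+~]\S+)?")


def classify_php_version(version):
    """Return (status, note); status is affected, fixed, not-listed or unparsed."""
    m = _VERSION_RE.match(version)
    if not m:
        return ("unparsed", "no major.minor.patch found")
    # Compare as integers: as strings, "7.1.4" would sort above "7.1.33".
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    suffix = m.group(4)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return ("not-listed", "branch is outside the ranges this advisory lists")
    if patch >= fixed:
        return ("fixed", f"at or above {major}.{minor}.{fixed}")
    note = f"below {major}.{minor}.{fixed}"
    if suffix:
        # Assumption: a suffix marks a vendor build that may carry a backported fix.
        note += f"; vendor build '{suffix}', check the vendor advisory for a backport"
    return ("affected", note)


def triage(inventory):
    """Map each host to its (status, note) pair."""
    return {host: classify_php_version(v) for host, v in inventory.items()}


# Constructed sample inventory (host names and strings are illustrative only).
SAMPLE_INVENTORY = {
    "web-01": "7.1.4",
    "web-02": "PHP 7.2.24 (cli)",
    "web-03": "7.2.19-0ubuntu0.18.04.2",
    "web-04": "7.3.11",
    "web-05": "7.4.0",
    "web-06": "unknown",
}

if __name__ == "__main__":
    for host, (status, note) in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status} ({note})")
```

A version string alone cannot confirm that a distribution package is fixed or unfixed, so hosts flagged with a vendor suffix need a check against the vendor's own advisory.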