DISCLAIMER: THIS SECURITY ADVISORY IS PROVIDED AS-IS, AND WITHOUT ANY GUARANTEE OF ANY KIND THAT THE INFORMATION IS ACCURATE, OR THAT THE WORKAROUND, SOLUTIONS, OR PATCHES PROVIDED WILL PROTECT SYSTEMS, OR THAT THEY WILL NOT CREATE NEW PROBLEMS. THE AUTHOR ACCEPTS NO LIABILITY OF ANY FORM FOR THE INFORMATION CONTAINED WITHIN OR THE CONSEQUENCES OF ITS USE OR MISUSE.
Most current installations of PHP set up to run via FastCGI with suexec are vulnerable to a local exploit, where anyone with the ability to run code as the user the webserver runs as can gain access as any user with an account set up to run PHP. It is anticipated that this issue will especially affect shared web hosts who use FastCGI + suexec thinking it will give them additional security.
Conditions for exploitation:
=> PHP needs to be used via CGI or FastCGI.
=> The system must be set up to use suexec (rather than, say, having PHP run as an external FastCGI server).
=> The attacker must be able to run code as the same user that the webserver runs as. This is unlikely to be a problem for many local attackers, because there are a multitude of possible attack vectors, such as SSI, non-suexec CGI scripts, non-suexec PHP (if mod_php is also installed), and likely numerous other options.
=> Depending on the configuration, setting an open_basedir might protect an installation. However, this only applies if open_basedir is set, php-cgi is not installed directly into the web space, but is instead called from a script which doesn't pass any parameters from the script command line.
Affected PHP versions:
=> All versions of PHP (including PHP 5.2.8 and latest CVS) in existence at the date of this advisory are believed to be affected.
firstname.lastname@example.org has been informed of this issue. Antony Dovegal replied to say:
"It's been agreed that we won't implement any more security hacks in PHP itself since such things should be done by the OS, so no more magic INI settings."
As such, it appears that the PHP developers do not intend to add any technical measures against this vulnerability. It should be noted that while this is a vulnerability in a way of installing PHP, it appears that there is no way to securely set up a suexec + FastCGI + PHP installation using an unpatched version of PHP and so it is hoped that the PHP developers will reconsider in time.
A proposed patch is provided later which can be applied to PHP to protect against this vulnerability (when coupled with an appropriate configuration). This patch has been briefly tested to ensure it works, but requires more testing and review before it should be used in production. No guarantees are made about it.
Using a permanently running external FastCGI process per user is an alternative solution if the cost of these extra processes is tolerable.
Setting open_basedir from within php.ini may be a possible workaround (but only if nowhere in open_basedir is writable to the attacker), but only if PHP is called from a script which also sets SERVER_SOFTWARE and doesn't pass through the command line arguments. For example:
/usr/bin/php-cgi -c /home/myuser/php.ini
Technical details of attack:
PHP does not place any restrictions on what it will run, even when called from suexec. This means that by manipulating the environment variables passed in to php-cgi when calling via suexec, an attacker can execute arbitrary PHP scripts with the user of the owner of the PHP script (and if SERVER_SOFTWARE is not set, can also pass in PHP code to be executed via stdin).
The filtering of environment variables by suexec does not protect against this attack, because the environment variables needed to perform the attack are passed through suexec. Likewise, setting doc_root and user_dir in php.ini (as recommended in the security section of the PHP manual) provides no protection, as the attacker has full control of environments indicating the base directory.
Example of exploitation:
Suppose that suexec php is set up as follows:
In /home/wwjargon/public_html/php.fcgi we have:
/usr/bin/php-cgi -c /home/wwjargon/php.ini
In .htaccess we have:
Action php-fcgi /php.fcgi
AddHandler php-fcgi .php
This is a fairly common set up. It can be exploited as follows (www-data is the username the webserver runs as):
$ cat >/tmp/exploit.php