A critical vulnerability, CVE-2021-21703, has been identified in PHP-FPM, the FastCGI process manager shipped with the main PHP distribution since the 5.3 branch, which allows an unprivileged hosting user to execute code as root. The problem affects servers that use PHP-FPM, typically in conjunction with Nginx, to run PHP scripts. The researchers who identified the problem were able to prepare a working exploit prototype.
The vulnerability is caused by storing pointers in a shared memory area (the scoreboard) used for communication between the parent and child PHP-FPM processes. The main PHP-FPM process, which coordinates the work, runs as root and spawns several child processes that run under an unprivileged user (usually www-data or nobody) and are directly involved in executing PHP scripts. The essence of the problem is that a child process controlled by the user can access the shared memory of the controlling process and change the pointers used by the main process (pointers to the nested fpm_scoreboard_proc_s structures are stored in the scoreboard structure).
This flaw allows an attacker who can run their own PHP code on the server to bypass the interpreter's sandbox isolation and, by substituting pointers in the fpm_scoreboard_s structure, clear a memory area of the main process or change the value of a 32-bit integer from zero to one. To change a value, the attacker writes a pointer to the integer variable into the scoreboard->procs array and sends the SIGKILL signal to the handler associated with that pointer.
Such manipulation makes it possible, by triggering another bug, to achieve code execution in the main process. In particular, the catch_workers_output setting, which defaults to 0, can be set to 1 in memory. This setting causes stderr output from php-fpm worker processes to be saved to the log. The incoming data is buffered, and the buffer is allocated on the heap of the main process, which allows an attacker to place up to 1024 bytes of arbitrary data in the heap. Then, by combining the ability to flip 0 to 1 with the ability to clear memory, an attacker can change a block size and achieve a controlled heap overflow.
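The root cause described above is a trust-boundary problem: a privileged process dereferences pointers that live in memory its unprivileged workers can write. The following C program is an added illustration, not PHP-FPM's own code, and the structure names, slot layout and lookup functions are assumptions made for the example. It places a "vulnerable" scoreboard that stores raw pointers beside a hardened layout that stores only bounds-checked slot indices in shared memory and keeps the real per-process records private to the master, then shows how each layout behaves after one shared entry has been overwritten.

```c
/* Added illustration, not PHP-FPM's own code.  It models the design flaw
 * described above and one hardening pattern for it (assumed here; the names
 * and layouts are invented for the example).  A privileged master and
 * unprivileged workers share a "scoreboard" region: the vulnerable layout
 * stores raw pointers in that region and the master trusts them, whereas the
 * hardened layout stores only slot indices there, keeps the real per-process
 * records in master-private memory, and bounds-checks every index. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NPROCS 4

struct proc_rec {              /* per-worker state the master acts upon */
    int pid;
    int requests;
};

/* Vulnerable layout: pointers live inside the shared region, so a worker
 * that can write there can point the master at any address it likes. */
struct scoreboard_vuln {
    struct proc_rec *procs[NPROCS];
};

/* Hardened layout: the shared region carries only small indices. */
struct scoreboard_safe {
    uint32_t slot[NPROCS];
};

struct master_state {          /* mapped in the master only, never in workers */
    struct proc_rec table[NPROCS];
};

/* Master-side lookup, vulnerable layout: nothing here can tell a legitimate
 * pointer from one a worker planted, so the trust boundary is already gone. */
struct proc_rec *lookup_vuln(const struct scoreboard_vuln *sb, unsigned i)
{
    if (i >= NPROCS)
        return NULL;
    return sb->procs[i];       /* attacker-controlled if the region was tampered */
}

/* Master-side lookup, hardened layout: the shared value is only an index,
 * validated against the bounds of the master-private table. */
struct proc_rec *lookup_safe(struct master_state *ms,
                             const struct scoreboard_safe *sb, unsigned i)
{
    if (i >= NPROCS)
        return NULL;
    uint32_t s = sb->slot[i];
    if (s >= NPROCS)
        return NULL;           /* a tampered index is rejected, not dereferenced */
    return &ms->table[s];
}

/* Returns 1 if the vulnerable layout hands the master a pointer outside the
 * legitimate record set after one shared-memory entry has been overwritten. */
int vuln_follows_foreign_pointer(void)
{
    struct proc_rec legit[NPROCS];
    struct scoreboard_vuln sb;
    int foreign = 0;           /* stand-in for an address a worker chose */
    unsigned i;

    memset(legit, 0, sizeof legit);
    for (i = 0; i < NPROCS; i++)
        sb.procs[i] = &legit[i];

    /* Constructed tampering: a worker overwrites one pointer in the region. */
    sb.procs[2] = (struct proc_rec *)(void *)&foreign;

    struct proc_rec *p = lookup_vuln(&sb, 2);
    uintptr_t lo = (uintptr_t)&legit[0], hi = (uintptr_t)&legit[NPROCS];
    uintptr_t a = (uintptr_t)p;
    return p != NULL && (a < lo || a >= hi);   /* compared, never dereferenced */
}

/* Returns 1 if the hardened layout rejects the same kind of tampering while
 * still resolving untouched entries correctly. */
int safe_rejects_tampered_index(void)
{
    struct master_state ms;
    struct scoreboard_safe sb;
    unsigned i;

    memset(&ms, 0, sizeof ms);
    for (i = 0; i < NPROCS; i++)
        sb.slot[i] = i;

    sb.slot[2] = 0xFFFFFFFFu;  /* constructed tampering: out-of-range slot */

    return lookup_safe(&ms, &sb, 2) == NULL
        && lookup_safe(&ms, &sb, 1) == &ms.table[1];
}

int main(void)
{
    printf("vulnerable layout follows foreign pointer: %d\n",
           vuln_follows_foreign_pointer());
    printf("hardened layout rejects tampered index:    %d\n",
           safe_rejects_tampered_index());
    return 0;
}
```

Bounds-checking an index only limits the blast radius: a worker can still write an in-range but wrong slot number and steer the master towards another worker's record. The stronger rule, which the catch_workers_output flip in the article also illustrates, is that nothing the privileged process dereferences or uses for a control decision should live in memory that unprivileged workers can write; such state belongs in the master's private memory, with the shared region reduced to data the master treats as untrusted input.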
The vulnerability has been present since PHP 5.3.7, the release in which PHP-FPM was integrated. It is noteworthy that the PHP developers were notified of the problem back in May but were in no hurry to prepare a fix. As a result, the vulnerability was fixed in the PHP 7.3.32, 8.0.12 and 7.4.25 updates only after information about the problem was disclosed. For PHP branches that are no longer supported, you can try applying a patch. Major distributions have released package updates that fix the vulnerability: Debian, RHEL, SUSE, Ubuntu, Fedora, Arch. FreeBSD ports still have the problem…
In 2019, a similar vulnerability, also related to the storage of pointers in the scoreboard shared memory, was fixed in the child process control mechanism of Apache httpd. That vulnerability allowed a local attacker (for example, a hosting user) who could run their own script under the web server to execute code in the control process, which usually runs with root privileges.