Bugzilla – Bug 933928
VUL-1: CVE-2015-3211: php5: php-fpm package vulnerable to symlink attack
Last modified: 2016-09-08 10:20:45 UTC
from redhat bug rh#1228721

It was reported that php-fpm package is vulnerable to symlink attack:

# ls -lad /var/log/php-fpm
drwxrwx--- 2 apache root 4096 May 28 18:53 /var/log/php-fpm

https://git.centos.org/blob/rpms!php/4b401fd4915cda3a1a336902afad4e5321859c32/SPECS!php.spec#L1409
%attr(770,apache,root) %dir %{_localstatedir}/log/php-fpm

After installing php-fpm package, any software running under apache user can create symlink /var/log/php-fpm/error.log pointing to any file. After starting php-fpm service - file pointed by symlink will be appended by php-fpm log output. If a file did not exist before - it will be created.

This issue only exists for a short time - after php-fpm package install and before php-fpm process is started for the first time. Existing working configurations are not affected by this issue.

Steps to reproduce:

- make sure you don't have php-fpm leftovers:
# rm -rf /var/log/php-fpm

- install php-fpm:
# dnf install php-fpm

- as an 'apache' user create an evil symlink:
# su -s /bin/bash - apache
$ ln -s /root/.bashrc /var/log/php-fpm/error.log

- start php-fpm process:
# systemctl start php-fpm

- look at the contents of /root/.bashrc file (php-fpm error log output will be appended there)
# cat /root/.bashrc

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1228721
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3211
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3211
php5-fpm is only on SLES 12 and opensuse.

and it's buggy: after copying the default config

systemctl status php-fpm.service
php-fpm.service - The PHP FastCGI Process Manager
   Loaded: loaded (/usr/lib/systemd/system/php-fpm.service; disabled)
   Active: failed (Result: exit-code) since Mon 2015-06-08 13:43:35 CEST; 40s ago
  Process: 16538 ExecStop=/bin/kill -QUIT $MAINPID (code=exited, status=1/FAILURE)
  Process: 16536 ExecStart=/usr/sbin/php-fpm --nodaemonize --fpm-config /etc/php5/fpm/php-fpm.conf (code=exited, status=78)
 Main PID: 16536 (code=exited, status=78)

Jun 08 13:43:35 g168 php-fpm[16536]: [08-Jun-2015 13:43:35] ERROR: failed to open error_log (/usr/var/log/php-fpm.log): No such file or directory (2)
Jun 08 13:43:35 g168 php-fpm[16536]: [08-Jun-2015 13:43:35] ERROR: failed to post process the configuration
Jun 08 13:43:35 g168 php-fpm[16536]: [08-Jun-2015 13:43:35] ERROR: FPM initialization failed
Jun 08 13:43:35 g168 kill[16538]: kill: not enough arguments
Jun 08 13:43:35 g168 systemd[1]: Failed to start The PHP FastCGI Process Manager.

1. /usr/var/log ... doh
2. kill: not enough parameters ... probably buggy shellcode
(In reply to Marcus Meissner from comment #1)
> php5-fpm is only on SLES 12 and opensuse.
>
> and its buggy:

It's not on factory, but still vulnerable.
Following should suffice to point php-fpm to /var/log/php-fpm.log Index: php5.spec =================================================================== --- php5.spec (revision 1d2089d980b1ff2e22876a29c711a1be) +++ php5.spec (working copy) @@ -1527,6 +1527,7 @@ --bindir=%{_bindir} \ --disable-cli \ --disable-all\ + --localstatedir=/var\ # cli sapi with all shared modules # Hack the built configure to also link ncurses together with libedit.
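Review bot: the hunk fixes the configure-time default only, moving the compiled-in error_log from /usr/var/log/php-fpm.log (the path in the comment #1 failure) to /var/log/php-fpm.log, so it should be confirmed that the packaged /etc/php5/fpm/php-fpm.conf does not still set an explicit error_log elsewhere, and that any other default path derived from localstatedir now resolves to a directory the package actually creates; the style of `--localstatedir=/var\` without a space before the backslash matches `--disable-all\` on the line above, but the path change deserves a changelog line since it also decides whether the log lands in a root-owned directory.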
(bug 927147)
Actually, we are not vulnerable with /var/log/php-fpm.log, because

drwxr-xr-x 1 root root 764 Jun 8 15:46 /var/log

Sorry for confusion. Submitted fix for bug 927147 to 12 (mr#59558).
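As an added illustration that is not part of the bug report or of the SUSE package, the Python script below rebuilds in a temporary directory the two conditions this thread turns on: the description's log directory that the service account can write to, versus comment #4's root-owned 0755 parent such as /var/log, and a symlink planted at the log path before the daemon first opens it. It also shows how a daemon can refuse such a link by opening its log with O_NOFOLLOW. The function names, the trusted_uid parameter and the temp-dir layout are my own assumptions, not anything from php-fpm.

```python
import os
import stat
import tempfile


def audit_log_path(log_path, trusted_uid=0):
    """Return the conditions at log_path that made CVE-2015-3211 exploitable.

    Two things are checked: whether the parent directory is owned by someone
    other than trusted_uid or is group/other writable (so an unprivileged
    service account can plant an entry there before the daemon first runs),
    and whether an entry already at log_path is a symbolic link.
    trusted_uid defaults to root; the demo passes the current uid because a
    temp dir is never root-owned.
    """
    findings = []
    parent_st = os.stat(os.path.dirname(log_path))
    if parent_st.st_uid != trusted_uid:
        findings.append("parent-owned-by-untrusted-uid")
    if stat.S_IMODE(parent_st.st_mode) & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("parent-writable-by-group-or-other")
    try:
        entry_st = os.lstat(log_path)  # lstat: do not follow the link itself
    except FileNotFoundError:
        return findings
    if stat.S_ISLNK(entry_st.st_mode):
        findings.append("log-path-is-symlink")
    return findings


def open_log_nofollow(log_path):
    """Open log_path for appending, creating it if absent, but refuse to follow
    a symlink at the final path component. With a plain open(..., 'a') a
    dangling symlink would cause the *target* to be created and written, which
    is exactly the behaviour the report describes; with O_NOFOLLOW the kernel
    returns ELOOP instead. Note O_NOFOLLOW only protects the last component;
    the parent directories must still be trusted (see audit_log_path)."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND | os.O_NOFOLLOW
    fd = os.open(log_path, flags, 0o640)
    return os.fdopen(fd, "a")


def demo():
    """Constructed scenario: a 0770 log directory, a planted symlink to a
    file that does not yet exist, then the two ways of opening the log."""
    base = tempfile.mkdtemp()                       # 0700, owned by us
    logdir = os.path.join(base, "php-fpm")
    os.mkdir(logdir)
    os.chmod(logdir, 0o770)                         # mirrors %attr(770,apache,root)
    victim = os.path.join(base, "victim-file")      # stands in for /root/.bashrc
    link = os.path.join(logdir, "error.log")
    os.symlink(victim, link)

    refused = False
    try:
        open_log_nofollow(link)
    except OSError:
        refused = True

    # A log placed directly under a trusted, non-group-writable directory
    # (the comment #4 layout, /var/log/php-fpm.log) shows no findings.
    safe_log = os.path.join(base, "php-fpm.log")
    with open_log_nofollow(safe_log) as fh:
        fh.write("php-fpm started\n")

    return {
        "findings": audit_log_path(link, trusted_uid=os.getuid()),
        "nofollow_refused": refused,
        "victim_created": os.path.exists(victim),
        "safe_findings": audit_log_path(safe_log, trusted_uid=os.getuid()),
    }


if __name__ == "__main__":
    print(demo())
```

Running the script reports both parent-writable-by-group-or-other and log-path-is-symlink for the planted link, the O_NOFOLLOW open is refused and the victim file is never created, while the log under the trusted parent yields no findings; the same audit, pointed at /var/log/php-fpm and /var/log/php-fpm.log on a real host, distinguishes the two layouts discussed above.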