php5-fpm: Possible privilege escalation due to insecure default permissions of sockets

Bug #1307027 reported by Christian Hoffmann on 2014-04-12
Affects          Status     Importance   Assigned to   Milestone
php              Unknown    Unknown
php5 (Ubuntu)               Undecided    Unassigned

Bug Description

Installing php5-fpm results in a default worker being defined in /etc/php5/fpm/pool.d/www.conf.
This worker is started automatically.

Current results:
php-fpm's default config / compiled-in config results in a world-writable socket:

$ ls -la /var/run/php5-fpm.sock
srw-rw-rw- 1 root root 0 Apr 12 11:29 /var/run/php5-fpm.sock

In other words: arbitrary (PHP) code execution as the www-data user is possible for any local user or any other user with the ability to connect to a UNIX socket.

Expected results:
/var/run/php5-fpm.conf should have 0660 permissions.
Only the default web server user (www-data) should be able to run arbitrary PHP code this way.
Also, the default config should advise against using such permissions.

Please also note that more sophisticated setups may be affected as well (and with even worse implications). Any shared-hosting environment is affected, unless a non-default listen.mode value has been set.

I have filed an upstream bug [1] for this issue. It contains further information along with relevant sources & reproduction examples.
The bug is marked private, which is why I am attaching a PDF dump for now.

I am planning to inform <email address hidden> once I have heard back from the PHP security team, so I guess it would be best if no fixes would be committed to public repositories yet.

$ lsb_release -rd
Description: Ubuntu 14.04 LTS
Release: 14.04

$ apt-cache policy php5-fpm
php5-fpm:
  Installed: 5.5.9+dfsg-1ubuntu4
  Candidate: 5.5.9+dfsg-1ubuntu4
  Version table:
 *** 5.5.9+dfsg-1ubuntu4 0
        500 ftp://mirror.hetzner.de/ubuntu/packages/ trusty/universe amd64 Packages
        100 /var/lib/dpkg/status

[1] https://bugs.php.net/bug.php?id=67060

Upstream has provided a fix meanwhile (patch attached). As Ubuntu's default config differs, this part will probably have to be applied manually.

Information has been sent to the distros@ list.

Suggested embargo lift date is 2014-04-29; php-5.4.28, which includes the fix, will be released shortly after (~May 1st).

Seth Arnold (seth-arnold) wrote :

It seems unlikely to me that this won't be independently discovered before April 29. That's a long way away to hope no one else does an ls -l /var/run/.

Why so far into the future?

Thanks

I was just going by the distros@ embargo limits, also considering Easter holidays from Thursday to Tuesday.

What date would you suggest?

I would have no problem with changing the date to something earlier, but I guess the PHP release plan is more or less fixed, so a fixed upstream PHP will probably not be available any earlier.
Although I acknowledge that for upstream this is probably only a hypothetical issue while for Ubuntu it is something concrete.

Changed in php5 (Ubuntu):
status: New → Triaged
information type: Private Security → Public Security

The attachment "Official upstream patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.5.3+dfsg-1ubuntu2.4

---------------
php5 (5.5.3+dfsg-1ubuntu2.4) saucy-security; urgency=medium

  * SECURITY UPDATE: incorrect FastCGI socket permissions (LP: #1307027)
    - debian/patches/CVE-2014-0185.patch: default to 0660 in
      sapi/fpm/fpm/fpm_unix.c, sapi/fpm/php-fpm.conf.in.
    - CVE-2014-0185
  * SECURITY UPDATE: denial of service in FileInfo cdf_unpack_summary_info
    - debian/patches/CVE-2014-0237.patch: remove file_printf calls in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0237
  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-0238.patch: fix infinite loop in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0238
  * SECURITY UPDATE: code execution via buffer overflow in DNS TXT record
    parsing
    - debian/patches/CVE-2014-4049.patch: check length in
      ext/standard/dns.c.
    - CVE-2014-4049
 -- Marc Deslauriers <email address hidden> Thu, 19 Jun 2014 13:33:33 -0400

Changed in php5 (Ubuntu):
status: Triaged → Fix Released

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php5 - 5.3.10-1ubuntu3.12

---------------
php5 (5.3.10-1ubuntu3.12) precise-security; urgency=medium

  * SECURITY UPDATE: incorrect FastCGI socket permissions (LP: #1307027)
    - debian/patches/CVE-2014-0185.patch: default to 0660 in
      sapi/fpm/fpm/fpm_unix.c, sapi/fpm/php-fpm.conf.in.
    - CVE-2014-0185
  * SECURITY UPDATE: denial of service in FileInfo cdf_unpack_summary_info
    - debian/patches/CVE-2014-0237.patch: remove file_printf calls in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0237
  * SECURITY UPDATE: denial of service in FileInfo cdf_read_property_info
    - debian/patches/CVE-2014-0238.patch: fix infinite loop in
      ext/fileinfo/libmagic/cdf.c.
    - CVE-2014-0238
  * SECURITY UPDATE: code execution via buffer overflow in DNS TXT record
    parsing
    - debian/patches/CVE-2014-4049.patch: check length in
      ext/standard/dns.c.
    - CVE-2014-4049
 -- Marc Deslauriers <email address hidden> Thu, 19 Jun 2014 13:44:17 -0400

Changed in php5 (Ubuntu):
status: Triaged → Fix Released

Jeff Waugh (jdub) wrote :

I'm worried this fix might be broken: I upgraded php5-fpm on my 14.04 system, and the socket was changed to root:root rather than root:www-data, so nginx could no longer connect to it.

Jeff Waugh (jdub) wrote :

Yep, reproduced it on another system.

Temporary fix: sudo chown :www-data /var/run/php5-fpm.sock

Configuration fix: Uncomment "listen.group = www-data" in /etc/php5/fpm/pool.d/www.conf
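
The socket-permission check from the report and the listen.group fix Jeff describes, as an added example that is not part of the bug report or of the php5 package: a small POSIX sh audit that reads the listen.* directives of a pool file, classifies the resulting socket mode the same way the `ls -la` output in the report does (the "other" write bit is what lets any local user connect), and flags the post-fix state where a 0660 socket stays root:root because listen.group is still commented out. It assumes 0666 as the pre-fix compiled-in default (the changelog above says the patch changed it to 0660) and uses constructed pool files in a temporary directory; the paths are placeholders.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the php5 package:
# audit php-fpm pool files for the CVE-2014-0185 condition (a socket any
# local user can write to) and for the follow-on breakage Jeff Waugh hit
# (0660 socket with listen.group unset, so the web server cannot connect).

# Effective listen.mode of a pool file. php-fpm applies a compiled-in
# default when the directive is absent or commented out; the pre-fix
# default is assumed to be 0666 unless a second argument overrides it.
pool_listen_mode() {
    file="$1"
    default="${2:-0666}"
    mode=$(sed -n 's/^[[:space:]]*listen\.mode[[:space:]]*=[[:space:]]*\([0-7]*\).*/\1/p' "$file" | tail -n 1)
    if [ -n "$mode" ]; then
        printf '%s\n' "$mode"
    else
        printf '%s\n' "$default"
    fi
}

# Effective listen.group (empty when unset or commented out).
pool_listen_group() {
    sed -n 's/^[[:space:]]*listen\.group[[:space:]]*=[[:space:]]*\([^[:space:];]*\).*/\1/p' "$1" | tail -n 1
}

# Classify an octal mode such as 0666: connecting to a UNIX socket needs
# write permission, so the "other" write bit is what exposes it locally.
classify_mode() {
    last=$(printf '%s' "$1" | sed 's/.*\(.\)$/\1/')
    case "$last" in
        2|3|6|7) echo "world-writable" ;;
        *)       echo "ok" ;;
    esac
}

# Same classification for the mode column of `ls -l` output, e.g. the
# "srw-rw-rw-" shown in the report: column 9 is the "other" write bit.
classify_ls_mode() {
    if [ "$(printf '%s' "$1" | cut -c9)" = "w" ]; then
        echo "world-writable"
    else
        echo "ok"
    fi
}

# Audit one pool file. Exit status: 0 ok, 1 world-writable socket,
# 2 locked down but the web server's group is not granted access.
audit_pool() {
    file="$1"
    webgroup="${2:-www-data}"
    mode=$(pool_listen_mode "$file" "${3:-0666}")
    group=$(pool_listen_group "$file")
    if [ "$(classify_mode "$mode")" = "world-writable" ]; then
        echo "INSECURE $file: listen.mode $mode lets any local user connect"
        return 1
    fi
    if [ "$group" != "$webgroup" ]; then
        echo "BROKEN $file: listen.mode $mode but listen.group is '${group:-unset}', $webgroup cannot connect"
        return 2
    fi
    echo "OK $file: listen.mode $mode, listen.group $group"
}

# Constructed sample pool files (placeholders, not the package's files):
# the shipped defaults with everything commented out, and the fixed form.
POOLS=$(mktemp -d)
cat >"$POOLS/default.conf" <<'EOF'
[www]
listen = /var/run/php5-fpm.sock
;listen.owner = www-data
;listen.group = www-data
;listen.mode = 0660
EOF
cat >"$POOLS/fixed.conf" <<'EOF'
[www]
listen = /var/run/php5-fpm.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
EOF

for f in "$POOLS"/*.conf; do
    audit_pool "$f" www-data 0666 || :   # pre-fix compiled-in default
    audit_pool "$f" www-data 0660 || :   # post-fix compiled-in default
done
```

Run against the shipped default file, the pre-fix default reports INSECURE and the post-fix default reports BROKEN (exactly the root:root socket nginx could not reach); only the file with listen.group uncommented passes. Read-only "other" bits (e.g. 0664) are deliberately treated as ok, since connect() on a UNIX socket requires write permission on Linux.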

Marc Deslauriers (mdeslaur) wrote :

A fix for the socket permissions is being handled in bug 1334337
