FPM vulnerability: Exfiltrating data with Facebook's HHVM

Servers running the so-called FastCGI Process Manager (FPM) can give unauthorized access to files on a system if they can be reached via the Internet. This particularly affects Facebook's HHVM; PHP itself is at lower risk.
By default, the use of Facebook's HHVM can allow attackers to exfiltrate files from a server. The cause is the so-called FastCGI Process Manager (FPM), a mechanism originally developed for PHP to execute CGI scripts faster. PHP itself is theoretically also affected, but some protection mechanisms ensure that the risk there is significantly lower.
HHVM, the HipHop Virtual Machine, was originally an implementation of the PHP programming language developed by Facebook. HHVM has since evolved in a different direction: Facebook changed parts of the syntax, and current versions implement their own programming language called Hack. The current version 4 of HHVM no longer supports PHP.
FPM works by keeping a PHP or HHVM process running permanently on a server. A web server forwards requests for the corresponding scripts to the FPM daemon, which processes them. FPM can be addressed either via a local socket or via a network port. If FPM listens on a network port that is reachable from the outside, there is a security risk which, in the worst case, leads to the exfiltration of arbitrary files.
Almost all files are valid PHP scripts
The relevant factor here is the syntax of PHP scripts. PHP files are first of all HTML files, most of which is simply output unchanged. A PHP code section is opened with "<?php" and closed with "?>". Anything outside these PHP tags is passed through unchanged. In concrete terms, this means that any file that does not contain such tags is a valid PHP script that does nothing more than output its own content.
In the case of an externally accessible FPM daemon, this means that you can request any file there, such as /etc/passwd, and the FPM daemon will output the file's contents. For this to work, the user running the FPM daemon must be able to read the file in question, so it usually does not work with files that only the root user can read. With HHVM in the older, still PHP-compatible version 3, data exfiltration works directly in the default configuration.
Such an attack can be tested relatively trivially with the command line tool cgi-fcgi, which is part of the FastCGI library:
SCRIPT_NAME=/etc/passwd SCRIPT_FILENAME=/etc/passwd REQUEST_METHOD=GET cgi-fcgi -bind -connect [host]:9000
Low risk in PHP itself
In PHP itself, the risk is much lower. The PHP FPM daemon does not listen on an open network port in the default configuration. PHP's FPM also has an option called "security.limit_extensions" which specifies that FPM should only execute files with certain file extensions. By default, only the PHP extensions .php and .phar are allowed. As long as this setting is not changed, exfiltration of arbitrary files is not possible.
Nevertheless, it is not recommended to let the PHP FPM daemon listen on the network, because an attacker can still execute arbitrary PHP scripts on the system if he knows their paths. These can include scripts that are not meant to be accessible from the outside.
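A defender-side audit of the two settings just discussed, as an added example that is not part of the original article: it parses a php-fpm pool file, classifies the `listen` address as unix socket, loopback or network, reports a network listener that is not restricted by the real php-fpm option `listen.allowed_clients`, flags an emptied `security.limit_extensions`, and mimics the suffix check FPM applies to the requested script path. The two pool configurations embedded in the block are constructed samples, and the suffix comparison is a simplification of FPM's own check, not its code.

```python
"""Audit php-fpm pool configuration for a network-reachable listener and a
weakened security.limit_extensions.  Added example; both sample pools below
are constructed for illustration, not taken from a real deployment."""
import configparser
import ipaddress

# Constructed sample: a pool exposed on all interfaces with the extension
# filter switched off (an empty value tells FPM to execute any file).
EXPOSED_POOL = """
[www]
user = www-data
listen = 0.0.0.0:9000          ; reachable from the network
;listen.allowed_clients = 127.0.0.1
security.limit_extensions =    ; filter disabled
pm = dynamic
pm.max_children = 5
"""

# Constructed sample: the usual safe shape, unix socket and default filter.
SAFE_POOL = """
[www]
user = www-data
listen = /run/php/php-fpm.sock
pm = dynamic
pm.max_children = 5
"""

# PHP's built-in default when the option is absent from the pool file.
DEFAULT_LIMIT_EXTENSIONS = ".php .phar"


def parse_pool(text):
    """Read a pool file; php-fpm uses INI syntax with ';' comments."""
    cp = configparser.ConfigParser(
        inline_comment_prefixes=(";", "#"), strict=False, interpolation=None
    )
    cp.read_string(text)
    return cp


def listen_exposure(listen_value):
    """Classify a `listen` value: 'socket', 'local' (loopback) or 'network'."""
    v = listen_value.strip()
    if v.startswith("/"):
        return "socket"
    if ":" not in v:            # a bare port number binds every interface
        return "network"
    host = v.rpartition(":")[0].strip("[]")   # also handles [::1]:9000
    if host == "localhost":
        return "local"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "network"        # a hostname we cannot resolve offline: assume exposed
    return "local" if addr.is_loopback else "network"


def allowed_by_limit_extensions(script_filename, limit_extensions):
    """Approximate FPM's check: the path must end with one of the listed
    extensions; an empty list disables the check entirely."""
    allowed = limit_extensions.split()
    if not allowed:
        return True
    return any(script_filename.endswith(ext) for ext in allowed)


def audit_pool(text):
    """Return (pool, option, problem) tuples for every risky setting found."""
    cp = parse_pool(text)
    findings = []
    for name in cp.sections():
        pool = cp[name]
        listen = pool.get("listen", "")
        if listen_exposure(listen) == "network" and not pool.get("listen.allowed_clients"):
            findings.append((name, "listen",
                             f"{listen!r} is reachable from the network and "
                             "listen.allowed_clients is not set"))
        limit = pool.get("security.limit_extensions", DEFAULT_LIMIT_EXTENSIONS)
        if not limit.split():
            findings.append((name, "security.limit_extensions",
                             "empty: any readable file is executed as PHP"))
    return findings


if __name__ == "__main__":
    for label, text in (("exposed", EXPOSED_POOL), ("safe", SAFE_POOL)):
        print(f"== {label} pool ==")
        for pool, option, problem in audit_pool(text) or []:
            print(f"[{pool}] {option}: {problem}")
    # With the default filter, a request for /etc/passwd is refused by FPM.
    print("/etc/passwd allowed with defaults:",
          allowed_by_limit_extensions("/etc/passwd", DEFAULT_LIMIT_EXTENSIONS))
```

Run it against a real pool file by passing the file's contents to `audit_pool`; a finding on `listen` means the daemon should be moved to a unix socket or loopback address, and a finding on `security.limit_extensions` means the default filter should be restored.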
A special case is the newer version 4 of HHVM, which no longer supports the classic PHP syntax. In our tests, some files could nevertheless be exfiltrated, but not all.
Facebook has since reacted to the problem: newer versions of HHVM are no longer accessible via the network by default and only listen locally on the FPM port.