Vulnerabilities, Exploits, and Malware Driving Attack Campaigns in November 2019

Security researchers at F5 Networks constantly monitor web traffic at various locations all over the world. This allows us to detect “in the wild” malware and get insights into the current threat landscape.

In November 2019, new malicious campaign activity was down 40 percent compared to October 2019. While this seems like a large decline, there was a spike in new campaign activity in October 2019, and the new malicious activity is in line with what we detected in September 2019. Here’s an overview of the new threat activity we saw in November 2019:

  • Two campaigns targeting Atlassian Confluence servers vulnerable to the Widget Connector RCE vulnerability (CVE-2019-3396)
  • One campaign targeting Nginx servers vulnerable to the PHP-FPM RCE vulnerability (CVE-2019-11043)
  • In addition, the following notable campaigns were also detected:
    • MACCMS vod-search RCE (CVE-2017-17733): This campaign aims to exploit servers running MACCMS that are vulnerable to an RCE vulnerability. The threat actor tries to upload a web shell to a vulnerable server.
    • Rejetto HTTP File Server RCE (CVE-2014-6287): This campaign aims to identify Rejetto HTTP File Servers vulnerable to the Rejetto HTTP File Server RCE vulnerability. The threat actor instructs the server to download and execute DDoS malware.
    • rConfig ajaxServerSettingsChk unauthenticated RCE (CVE-2019-16662): This campaign aims to identify rConfig servers vulnerable to the rConfig ajaxServerSettingsChk RCE vulnerability. The threat actor instructs the server to calculate the MD5 checksum of the string ‘HelloConfig’ and send it back; the harmless command's output confirms to the attacker that code execution worked.

Nginx PHP-FPM Remote Code Execution (CVE-2019-11043)

Following the trend of malicious activity seen in November 2019, threat actors are quick to exploit newly published vulnerabilities. On October 22, a security researcher tweeted about a vulnerability found during a Capture the Flag (CTF) competition. The vulnerability affects servers running Nginx with PHP-FPM under certain conditions. The researcher also posted a working proof-of-concept (PoC) exploit showing how the vulnerability leads to remote code execution (RCE).

There are multiple ways to configure Nginx to serve PHP. The FastCGI Process Manager (FPM) is an alternative PHP FastCGI implementation with additional features that are mostly useful for heavily loaded sites. PHP-FPM is not a component of Nginx, but many projects and hosting providers, Nextcloud among them, ship or document Nginx configurations that use it. The bug itself lives in PHP-FPM; it becomes reachable only under a specific, and common, Nginx configuration.

Vulnerability Analysis

As mentioned, the bug is reachable only when all of the following preconditions are met in the Nginx configuration:

  • The Nginx location directive forwards requests to PHP-FPM.
  • The variables PATH_INFO and SCRIPT_FILENAME are assigned using fastcgi_param directives.
  • A fastcgi_split_path_info directive exists and contains a RegExp starting with ^ and ending with $.
  • Nginx does not reject requests for non-existent scripts (for example, with try_files $uri =404) before forwarding them to FPM.

Many Nginx installations contain the following lines in their configuration file. The lines are not a bug in Nginx; they are the PHP-FPM location pattern that developers commonly copy and paste from other resources on the internet, and it is this pattern that exposes the PHP-FPM bug. While it is not the standard configuration, it is a very common one.

  # Vulnerable pattern: no existence check on the script before fastcgi_pass
  location ~ [^/]\.php(/|$)
  {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO       $fastcgi_path_info;
        fastcgi_pass   php:9000;
        …
  }

The RegExp in the fastcgi_split_path_info directive splits the URI into two capture groups: the first holds the PHP script name, the second the path after the script. For example, “F5Labs.php/PHP-FPM” is split into “F5Labs.php” and “/PHP-FPM”. The second capture group, (/.*), does not match a newline character (URL-encoded as %0a), because . in a PCRE pattern does not match newlines by default. A URI such as “F5Labs.php/%0aPHP-FPM” therefore fails to match the RegExp at all, so Nginx passes an empty $fastcgi_path_info, which the configuration assigns to PATH_INFO, while SCRIPT_FILENAME still carries the full URI, newline included.

PHP-FPM later uses the length of PATH_INFO (pilen in the source) to compute a new pointer for PATH_INFO. Because SCRIPT_FILENAME names a file that does not exist, PHP-FPM strips path components from its end until it finds the real script and records how many bytes it removed (slen); the new PATH_INFO pointer is then the start of the PATH_INFO buffer plus pilen minus slen. Since pilen is 0 (due to %0a), that pointer lands slen bytes before the actual PATH_INFO buffer, and the null byte PHP-FPM then writes through it is placed at an attacker-chosen offset before the buffer.
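To make the split and the arithmetic concrete, here is an added example; it is not code from the F5 Labs article, from Nginx or from PHP. It is a Python model of three things: what nginx's fastcgi_split_path_info produces for a URI with and without %0a, the pre-fix PHP-FPM pointer arithmetic that turns the empty PATH_INFO into a negative offset, and a check of an nginx location block against the four preconditions listed above. The document root, the set of existing files and the two location blocks are constructed sample data, and the function names are my own.

```python
"""Model of the CVE-2019-11043 preconditions (added example, not vendor code)."""
import re
from urllib.parse import unquote

# The regex from the page's location block (backslashes restored).
SPLIT_PATH_INFO = re.compile(r"^(.+?\.php)(/.*)$")

# Constructed: the only PHP script that exists on our imaginary host.
EXISTING_FILES = {"/var/www/html/index.php"}


def nginx_split(request_uri, document_root="/var/www/html"):
    """Mimic fastcgi_split_path_info: return (SCRIPT_FILENAME, PATH_INFO).

    nginx matches the decoded $uri. `.` does not match a newline in PCRE
    (nor in Python's re), so a %0a makes the regex fail; nginx then keeps the
    whole URI as $fastcgi_script_name and leaves $fastcgi_path_info empty.
    """
    uri = unquote(request_uri)
    m = SPLIT_PATH_INFO.match(uri)
    if m:
        script_name, path_info = m.group(1), m.group(2)
    else:
        script_name, path_info = uri, ""
    return document_root + script_name, path_info


def fpm_path_info_offset(script_filename, path_info, existing=EXISTING_FILES):
    """Model of the pre-fix logic in PHP-FPM's init_request_info().

    When SCRIPT_FILENAME is not an existing file, PHP-FPM strips '/'-separated
    components until it finds the base script.  slen is the number of bytes
    stripped, pilen is len(PATH_INFO), and the new pointer is
        path_info = env_path_info + pilen - slen
    through which PHP-FPM then writes a null byte.  Returns that offset relative
    to the PATH_INFO buffer (negative means the write lands before it), or
    None when no stripping happens because the script exists as given.
    """
    if script_filename in existing:
        return None
    pt = script_filename
    while "/" in pt:
        pt = pt.rsplit("/", 1)[0]
        if pt in existing:
            break
    else:
        return None  # no base script found: PHP-FPM answers 404 instead
    slen = len(script_filename) - len(pt)
    pilen = len(path_info)
    return pilen - slen


def location_is_exposed(block):
    """Check an nginx location block against the page's four preconditions:
    forwards to PHP-FPM, splits PATH_INFO with a ^...$ regex, assigns PATH_INFO
    via fastcgi_param, and never rejects requests for non-existent scripts."""
    forwards = re.search(r"\bfastcgi_pass\b", block) is not None
    splits = re.search(r"fastcgi_split_path_info\s+\^\S*\$\s*;", block) is not None
    sets_pi = re.search(r"fastcgi_param\s+PATH_INFO\b", block) is not None
    rejects = re.search(r"try_files\s[^;]*=404|if\s*\(\s*!-f\s", block) is not None
    return forwards and splits and sets_pi and not rejects


# Constructed: the page's location block as commonly copy-pasted.
VULNERABLE_LOCATION = r"""
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO       $fastcgi_path_info;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass  php:9000;
}
"""

# Constructed: the same block with the missing existence check.  This removes
# the precondition only; the bug itself is fixed in PHP 7.3.11/7.2.24/7.1.33.
HARDENED_LOCATION = r"""
location ~ [^/]\.php(/|$) {
    try_files $uri =404;
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO       $fastcgi_path_info;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass  php:9000;
}
"""

if __name__ == "__main__":
    for uri in ("/index.php/PHP-FPM", "/index.php/%0aPHP-FPM"):
        sf, pi = nginx_split(uri)
        print(f"{uri!r}: SCRIPT_FILENAME={sf!r} PATH_INFO={pi!r} "
              f"offset={fpm_path_info_offset(sf, pi)}")
    print("page config exposed:", location_is_exposed(VULNERABLE_LOCATION))
    print("hardened config exposed:", location_is_exposed(HARDENED_LOCATION))
```

For the benign URI the script exists as given and no pointer arithmetic runs; for the %0a URI the model reports an offset of -9, the length of the stripped "/\nPHP-FPM" tail, which is exactly the attacker-controlled distance before the PATH_INFO buffer at which the null byte lands. The try_files line closes the fourth precondition on the Nginx side, but upgrading PHP is the actual fix.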


