php-fpm master process restarts child process in an endless loop when using Program execution Function (CVE-2015-9253)
Abstract
php-fpm master process restarts child process in an endless loop when using Program execution Functions (passthru(), exec(), shell_exec(), system(), ...) with non-blocking STDIN stream causing php-fpm master eating up 100% CPU and rapidly eating up available Storage Space with extremly fast (CPU Speed dependent) growing Error Logs.
Credit
Andreas Schnederle-Wagner, 16.02.2018 and others (see linked PHP Bug Reports)
Contact
For feedback or questions about this advisory mail me at schnederle@futureweb.at
Affected Software
PHP
Tested versions
5.4 - 7.2.2 (earlier Versions most likely also affected)
CVE ID
CWE ID
Attack Type, Impact
'Uncontrolled Recursion' (child restart loop) resulting in 'Uncontrolled Resource Consumption' - 100% CPU usage & Storage Space exhaustion
Access Complexity, Authentication
very low, access to shared hosting Server
Fix
Fixed in:
7.2.8
7.1.20
7.3.0alpha3
Introduction
PHP is a server-side scripting language designed for web development but also used as a general-purpose programming language.
Details
This Bug can be used to DOS Shared Hosting Services with php-fpm master process eating up 100% CPU and rapidly eating up all available Diskspace.
Proof of concept
Source
https://bugs.php.net/bug.php?id=75968
https://bugs.php.net/bug.php?id=70185
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9253
https://nvd.nist.gov/vuln/detail/CVE-2015-9253
https://vuldb.com//?id.113566
https://access.redhat.com/security/cve/cve-2015-9253