One can force the root FPM process to read/write at arbitrary locations using pointers located in the SHM, leading to a privilege escalation from www-data to root.
Created php tracking bugs for this issue:
Affects: fedora-all [bug 2017129]
Upstream patch for this issue:
Currently PHP has a flaw in the FPM scoreboard mechanism which, when leveraged by an attacker, can lead to local privilege escalation. Currently PHP maintains several per-worker scoreboard-related structures accessed indirectly by pointers to a shared memory mapping; if an attacker manages to escape the FPM sandbox and overwrite those values, they may gain control over these structures, leading to a possible privilege escalation.
Such an attack is high in complexity as, to be successful, the attacker first needs to chain it with a sandbox escape exploit or have access to the PHP host.
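The pattern described in the comment above, a privileged process following pointers that live in worker-writable shared memory, can be closed by validating each pointer before use. The following is an added example, not PHP's code and not the upstream patch: the struct names, `checked_slot` and `privileged_count_request` are hypothetical, and an ordinary struct stands in for the shared mapping.

```c
#include <stdint.h>
#include <stdio.h>

#define NSLOTS 4                                /* hypothetical pool size */
struct slot { uint64_t requests; int pid; };    /* hypothetical per-worker record */

/* Simulated shared mapping: workers can write every byte of it,
 * including the pointer table the privileged process reads. */
struct shm_region {
    struct slot *table[NSLOTS];   /* pointers stored in worker-writable memory */
    struct slot  slots[NSLOTS];
};

/* Privileged side: accept a pointer read from shared memory only if it
 * addresses exactly one whole slot inside the slot array. */
static struct slot *checked_slot(const struct shm_region *shm, unsigned i)
{
    if (i >= NSLOTS) return NULL;
    uintptr_t p    = (uintptr_t)shm->table[i];  /* read once, then validate the copy */
    uintptr_t base = (uintptr_t)shm->slots;
    uintptr_t end  = base + sizeof shm->slots;
    if (p < base || p >= end) return NULL;                   /* outside the slot array */
    if ((p - base) % sizeof(struct slot) != 0) return NULL;  /* straddles two slots */
    return (struct slot *)p;
}

/* Returns 1 if the counter was updated, 0 if the pointer was rejected. */
static int privileged_count_request(struct shm_region *shm, unsigned i)
{
    struct slot *s = checked_slot(shm, i);
    if (!s) return 0;
    s->requests++;
    return 1;
}

int main(void)
{
    static struct shm_region shm;
    static uint64_t root_only_state = 7;  /* constructed: memory outside the mapping */
    for (unsigned i = 0; i < NSLOTS; i++) shm.table[i] = &shm.slots[i];
    shm.table[2] = (struct slot *)&root_only_state;  /* constructed: tampered entry */
    printf("slot 1 updated: %d\n", privileged_count_request(&shm, 1));
    printf("slot 2 updated: %d\n", privileged_count_request(&shm, 2));
    printf("outside state still %llu\n", (unsigned long long)root_only_state);
    return 0;
}
```

Keeping the pointer table in memory that workers cannot write, or storing indices instead of pointers, removes the need for the check altogether.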
Hi, any info on when an errata will be published for this flaw? TIA!