Source: cve-assign@fb.com
Multipart-file uploads call variables to be improperly registered in the global scope. In cases where variables are not declared explicitly before being used this can lead to unexpected behavior. This affects all supported versions of HHVM prior to the patch (3.25.1, 3.24.5, and 3.21.9 and below).
HHVM (HipHop Virtual Machine), a PHP runtime environment, is vulnerable to a global variable scope pollution issue during multipart-file uploads. This allows attackers to inject malicious code by manipulating the upload process, potentially leading to remote code execution (RCE) and complete system compromise. This vulnerability impacts all supported versions of HHVM prior to the patched versions, posing a significant security risk.
Step 1: Craft Malicious Request: The attacker crafts a multipart/form-data POST request. This request includes a file upload section designed to exploit the vulnerability.
Step 2: Payload Injection: Within the file upload data, the attacker includes PHP code designed to be interpreted by HHVM. This code is crafted to manipulate global variables.
Step 3: HHVM Processing: HHVM processes the multipart request, including the malicious file upload. Due to the scoping issue, the variables defined within the uploaded file are improperly registered in the global scope.
Step 4: Code Execution: The attacker's injected code, now residing in the global scope, can be triggered by subsequent code execution within the application. This could involve calling a function that uses the injected variable, leading to remote code execution (RCE) and system compromise.
The vulnerability stems from an improper handling of variables during multipart-file uploads in HHVM. Specifically, when processing uploaded files, the code fails to properly scope variables, leading to their registration in the global scope. This occurs when variables are used without being explicitly declared before use. An attacker can craft a malicious multipart-file upload request containing specially crafted data. This data, when processed by HHVM, can overwrite existing global variables or create new ones, potentially leading to the execution of arbitrary code. The root cause is a lack of proper variable scoping within the multipart-file upload handling logic, allowing for variable injection and code execution. The flaw allows for arbitrary code execution due to the ability to control the values of variables within the global scope, which can then be used to influence the program's behavior.
While no specific APTs are definitively linked, this vulnerability is attractive to a wide range of attackers due to its potential for RCE. It's likely used by both opportunistic attackers and more sophisticated actors. This vulnerability is not currently listed on the CISA KEV list, but it is a high-severity vulnerability that could be added.
Monitor web server logs for suspicious multipart/form-data POST requests, especially those with unusual file names or content types.
Analyze HHVM error logs for unexpected behavior or errors related to variable scope.
Implement intrusion detection system (IDS) rules to detect malicious payloads within multipart file uploads.
Monitor file system changes for unexpected file creations or modifications, particularly within web server directories.
Network traffic analysis to identify unusual HTTP POST requests with multipart/form-data content, especially if the content-type is not a standard image or document type.
Upgrade to a patched version of HHVM (3.25.1, 3.24.5, or 3.21.9 or above).
Implement input validation and sanitization for all file uploads to prevent the injection of malicious code.
Configure the web server to restrict file upload sizes and types.
Review and harden the application code to ensure proper variable scoping and prevent the use of undeclared variables.
Regularly scan the system for vulnerabilities and apply security patches promptly.
Implement a Web Application Firewall (WAF) to filter malicious requests.