• 목록
• 글쓰기
• 게시판 리스트 옵션
  • 수정
  • 삭제

We have now discovered two use-after-free vulnerabilities in PHP’s garbage collection algorithm. Those vulnerabilities had been remotely exploitable over PHP’s unserialize function. We have been also awarded with $2,000 by the Internet Bug Bounty committee (c.f. Many thanks go out to cutz for co-authoring this text. Pornhub’s bug bounty program and its comparatively excessive rewards on Hackerone caught our attention. That’s why now we have taken the angle of an advanced attacker with the total intent to get as deep as possible into the system, specializing in one major objective: gaining remote code execution capabilities. Thus, we left no stone unturned and attacked what Pornhub is constructed upon: PHP. After analyzing the platform we shortly detected the utilization of unserialize on the web site. In all instances a parameter named "cookie" got unserialized from Post information and afterwards reflected via Set-Cookie headers. Standard exploitation techniques require so called Property-Oriented-Programming (POP) that contain abusing already current classes with particularly defined "magic methods" in an effort to trigger undesirable and malicious code paths.

Unfortunately, it was difficult for us to collect any information about Pornhub’s used frameworks and PHP objects in general. Multiple courses from frequent frameworks have been examined - all with out success. The core unserializer alone is comparatively complex as it includes greater than 1200 strains of code in PHP 5.6. Further, many inside PHP classes have their very own unserialize methods. By supporting buildings like objects, arrays, integers, strings and even references it is not any shock that PHP’s track record reveals a tendency for bugs and xhamster reminiscence corruption vulnerabilities. Sadly, there were no known vulnerabilities of such kind for newer PHP versions like PHP 5.6 or PHP 7, especially as a result of unserialize already acquired a lot of attention previously (e.g. phpcodz). Hence, auditing it can be compared to squeezing an already tightly squeezed lemon. Finally, after a lot consideration and so many security fixes its vulnerability potential should have been drained out and it needs to be safe, shouldn’t it? To search out a solution Dario implemented a fuzzer crafted particularly for fuzzing serialized strings which have been passed to unserialize.

Running the fuzzer with PHP 7 instantly lead to unexpected behavior. This behavior was not reproducible when examined towards Pornhub’s server although. Thus, we assumed a PHP 5 model. However, running the fuzzer towards a newer version of PHP 5 simply generated more than 1 TB of logs with none success. Eventually, after putting increasingly more effort into fuzzing we’ve stumbled upon unexpected conduct once more. Several questions had to be answered: is the difficulty safety associated? If that's the case can we solely exploit it domestically or additionally remotely? To further complicate this case the fuzzer did generate non-printable knowledge blobs with sizes of more than 200 KB. An amazing period of time was needed to research potential points. After all, we could extract a concise proof of concept of a working memory corruption bug - a so called use-after-free vulnerability! Upon additional investigation we found that the basis cause may very well be present in PHP’s rubbish collection algorithm, a component of PHP that is completely unrelated to unserialize.

However, the interaction of both parts occurred only after unserialize had finished its job. Consequently, it was not properly suited for distant exploitation. After further analysis, gaining a deeper understanding for the problem’s root causes and a number of laborious work a similar use-after-free vulnerability was discovered that appeared to be promising for distant exploitation. The excessive sophistication of the found PHP bugs and their discovery made it vital to put in writing separate articles. You possibly can read extra particulars in Dario’s fuzzing unserialize write-up. In addition, we've got written an article about Breaking PHP’s Garbage Collection and Unserialize. Even this promising use-after-free vulnerability was considerably troublesome to exploit. In particular, it concerned multiple exploitation levels. 1. The stack and heap (which additionally embrace any potential consumer-input) as well as another writable segments are flagged non-executable (c.f. 2. Even if you're ready to regulate the instruction pointer it's essential to know what you want to execute i.e. you want to have a sound address of an executable reminiscence phase.