• 글쓰기
• 목록

We have now discovered two use-after-free vulnerabilities in PHP’s garbage assortment algorithm. Those vulnerabilities have been remotely exploitable over PHP’s unserialize perform. We were additionally awarded with $2,000 by the Internet Bug Bounty committee (c.f. Many thanks go out to cutz for co-authoring this text. Pornhub’s bug bounty program and its relatively excessive rewards on Hackerone caught our attention. That’s why now we have taken the attitude of a complicated attacker with the complete intent to get as deep as possible into the system, specializing in one important purpose: gaining distant code execution capabilities. Thus, we left no stone unturned and attacked what Pornhub is constructed upon: PHP. After analyzing the platform we rapidly detected the usage of unserialize on the website. In all instances a parameter named "cookie" bought unserialized from Post information and afterwards reflected through Set-Cookie headers. Standard exploitation techniques require so referred to as Property-Oriented-Programming (POP) that involve abusing already current classes with specifically defined "magic methods" as a way to set off unwanted and malicious code paths.

Unfortunately, it was difficult for us to collect any details about Pornhub’s used frameworks and PHP objects in general. Multiple classes from common frameworks have been examined - all with out success. The core unserializer alone is relatively complicated as it entails greater than 1200 lines of code in PHP 5.6. Further, many inner PHP courses have their own unserialize methods. By supporting constructions like objects, arrays, integers, strings or even references it is no surprise that PHP’s observe record reveals a tendency for bugs and memory corruption vulnerabilities. Sadly, there were no identified vulnerabilities of such type for newer PHP versions like PHP 5.6 or PHP 7, particularly as a result of unserialize already obtained numerous consideration previously (e.g. phpcodz). Hence, auditing it can be in comparison with squeezing an already tightly squeezed lemon. Finally, after a lot consideration and so many security fixes its vulnerability potential ought to have been drained out and it ought to be secure, shouldn’t it? To seek out a solution Dario applied a fuzzer crafted specifically for fuzzing serialized strings which have been passed to unserialize.

Running the fuzzer with PHP 7 instantly lead to unexpected behavior. This habits was not reproducible when examined in opposition to Pornhub’s server though. Thus, we assumed a PHP 5 version. However, working the fuzzer against a newer version of PHP 5 simply generated more than 1 TB of logs with none success. Eventually, after placing an increasing number of effort into fuzzing we’ve stumbled upon unexpected conduct again. Several questions had to be answered: is the issue safety associated? If that's the case can we solely exploit it locally or additionally remotely? To additional complicate this case the fuzzer did generate non-printable data blobs with sizes of more than 200 KB. An incredible amount of time was necessary to research potential issues. In any case, we could extract a concise proof of concept of a working reminiscence corruption bug - a so known as use-after-free vulnerability! Upon additional investigation we discovered that the basis cause may very well be found in PHP’s rubbish assortment algorithm, a element of PHP that is completely unrelated to unserialize.

However, the interaction of each elements occurred solely after unserialize had completed its job. Consequently, it was not well suited to distant exploitation. After additional analysis, gaining a deeper understanding for the problem’s root causes and numerous arduous work an identical use-after-free vulnerability was discovered that seemed to be promising for distant exploitation. The high sophistication of the discovered PHP bugs and their discovery made it obligatory to write down separate articles. You can read extra details in Dario’s fuzzing unserialize write-up. As well as, now we have written an article about Breaking PHP’s Garbage Collection and Unserialize. Even this promising use-after-free vulnerability was considerably tough to exploit. Specifically, it involved a number of exploitation phases. 1. The stack and heap (which additionally embody any potential person-input) as well as every other writable segments are flagged non-executable (c.f. 2. Even if you're ready to control the instruction pointer you want to know what you need to execute i.e. that you must have a legitimate tackle of an executable memory phase.