How we Broke PHP, Hacked Pornhub and Earned $20,000 > 자유게시판

We've got discovered two use-after-free vulnerabilities in PHP’s garbage assortment algorithm. Those vulnerabilities were remotely exploitable over PHP’s unserialize perform. We have been also awarded with $2,000 by the Internet Bug Bounty committee (c.f. Many thanks exit to cutz for co-authoring this text. Pornhub’s bug bounty program and its relatively excessive rewards on Hackerone caught our consideration. That’s why we have now taken the attitude of a complicated attacker with the full intent to get as deep as potential into the system, focusing on one principal objective: gaining remote code execution capabilities. Thus, we left no stone unturned and attacked what Pornhub is constructed upon: PHP. After analyzing the platform we quickly detected the usage of unserialize on the web site. In all cases a parameter named "cookie" received unserialized from Post data and afterwards mirrored through Set-Cookie headers. Standard exploitation methods require so referred to as Property-Oriented-Programming (POP) that involve abusing already present classes with specifically defined "magic methods" so as to set off unwanted and malicious code paths.

Unfortunately, it was tough for us to gather any information about Pornhub’s used frameworks and xhamster PHP objects in general. Multiple classes from widespread frameworks have been tested - all without success. The core unserializer alone is relatively complicated as it involves more than 1200 traces of code in PHP 5.6. Further, many inner PHP courses have their very own unserialize strategies. By supporting structures like objects, arrays, integers, strings or even references it isn't any shock that PHP’s observe file exhibits a tendency for bugs and reminiscence corruption vulnerabilities. Sadly, there were no recognized vulnerabilities of such kind for newer PHP versions like PHP 5.6 or PHP 7, particularly because unserialize already got a lot of attention up to now (e.g. phpcodz). Hence, auditing it can be compared to squeezing an already tightly squeezed lemon. Finally, after a lot attention and so many security fixes its vulnerability potential should have been drained out and it ought to be safe, shouldn’t it? To seek out a solution Dario applied a fuzzer crafted specifically for fuzzing serialized strings which were passed to unserialize.

Running the fuzzer with PHP 7 immediately lead to unexpected habits. This behavior was not reproducible when tested against Pornhub’s server though. Thus, we assumed a PHP 5 version. However, running the fuzzer against a newer version of PHP 5 just generated more than 1 TB of logs without any success. Eventually, after putting an increasing number of effort into fuzzing we’ve stumbled upon unexpected conduct once more. Several questions had to be answered: is the issue security related? In that case can we solely exploit it regionally or also remotely? To additional complicate this situation the fuzzer did generate non-printable knowledge blobs with sizes of more than 200 KB. An amazing amount of time was obligatory to research potential issues. In spite of everything, we could extract a concise proof of idea of a working memory corruption bug - a so referred to as use-after-free vulnerability! Upon additional investigation we found that the basis trigger could possibly be found in PHP’s rubbish collection algorithm, a element of PHP that is completely unrelated to unserialize.

However, the interplay of both components occurred solely after unserialize had finished its job. Consequently, it was not effectively suited for distant exploitation. After additional evaluation, gaining a deeper understanding for the problem’s root causes and quite a lot of hard work an analogous use-after-free vulnerability was discovered that gave the impression to be promising for distant exploitation. The excessive sophistication of the found PHP bugs and their discovery made it needed to write down separate articles. You can read more details in Dario’s fuzzing unserialize write-up. In addition, we've got written an article about Breaking PHP’s Garbage Collection and Unserialize. Even this promising use-after-free vulnerability was considerably tough to use. Specifically, it involved a number of exploitation phases. 1. The stack and heap (which also embody any potential consumer-enter) as well as another writable segments are flagged non-executable (c.f. 2. Even if you are in a position to manage the instruction pointer it is advisable know what you wish to execute i.e. it's good to have a sound tackle of an executable reminiscence segment.