
How we Broke PHP, Hacked Pornhub and Earned $20,000

Author: Florene Larose | Date: 24-05-28 07:06 | Views: 27 | Comments: 0

We have found two use-after-free vulnerabilities in PHP's garbage collection algorithm. Those vulnerabilities were remotely exploitable over PHP's unserialize function. We were also awarded with $2,000 by the Internet Bug Bounty committee (c.f. Many thanks go out to cutz for co-authoring this article. Pornhub's bug bounty program and its comparatively high rewards on Hackerone caught our attention. That's why we have taken the perspective of an advanced attacker with the full intent to get as deep as possible into the system, focusing on one main goal: gaining remote code execution capabilities. Thus, we left no stone unturned and attacked what Pornhub is built upon: PHP. After analyzing the platform we quickly detected the usage of unserialize on the website. In all cases a parameter named "cookie" got unserialized from POST data and afterwards reflected via Set-Cookie headers. Standard exploitation techniques require so called Property-Oriented-Programming (POP), which involves abusing already existing classes with specifically defined "magic methods" in order to trigger unwanted and malicious code paths.
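The pattern described above, as an added illustration that is not code from the original write-up or from Pornhub: a hypothetical handler that unserializes the "cookie" POST parameter and reflects it, next to a hardened replacement that never feeds untrusted bytes to the native unserializer. Function names are invented; `allowed_classes` is a real unserialize option available since PHP 7.0.

```php
<?php
// Added example (hypothetical names, not the original post's code).

// VULNERABLE: serialized data taken straight from POST and unserialized.
// Any loaded class with a magic method (__wakeup, __destruct, ...) becomes a
// POP gadget, and bugs in the unserializer itself are reachable before any
// application-level check runs.
function handle_cookie_vulnerable(array $post)
{
    $cookie = unserialize($post['cookie'] ?? '');   // attacker-controlled input
    setcookie('cookie', serialize($cookie));         // reflected back via Set-Cookie
    return $cookie;
}

// HARDENED: use JSON as the transport format and accept only scalars/arrays.
// No objects are instantiated, so no magic methods can fire, and the native
// serialization parser is never invoked on untrusted bytes.
function handle_cookie_hardened(array $post): array
{
    $raw = $post['cookie'] ?? '';
    if (!is_string($raw) || strlen($raw) > 4096) {
        return [];                                   // reject oversized or non-string input
    }
    try {
        $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR); // depth-limited
    } catch (JsonException $e) {
        return [];                                   // malformed JSON is dropped, not echoed
    }
    return is_array($data) ? $data : [];
}

// PARTIAL mitigation: allowed_classes => false turns every object into
// __PHP_Incomplete_Class, which defeats POP chains, but the input still goes
// through the native parser, so memory-corruption bugs in unserialize or in
// its interaction with the garbage collector remain reachable.
function handle_cookie_no_classes(array $post)
{
    return unserialize($post['cookie'] ?? '', ['allowed_classes' => false]);
}
```

If the serialized format cannot be replaced, authenticate the blob with an HMAC before unserializing it so that only server-produced payloads ever reach the parser.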



Unfortunately, it was difficult for us to gather any information about Pornhub's used frameworks and PHP objects in general. Multiple classes from common frameworks have been tested - all without success. The core unserializer alone is relatively complex as it involves more than 1200 lines of code in PHP 5.6. Further, many internal PHP classes have their own unserialize methods. By supporting structures like objects, arrays, integers, strings or even references it is no surprise that PHP's track record shows a tendency for bugs and memory corruption vulnerabilities. Sadly, there were no known vulnerabilities of such kind for newer PHP versions like PHP 5.6 or PHP 7, especially because unserialize already got a lot of attention in the past (e.g. phpcodz). Hence, auditing it can be compared with squeezing an already tightly squeezed lemon. Finally, after so much attention and so many security fixes its vulnerability potential should have been drained out and it should be safe, shouldn't it? To find an answer Dario implemented a fuzzer crafted specifically for fuzzing serialized strings which were passed to unserialize.



Running the fuzzer with PHP 7 immediately led to unexpected behavior. This behavior was not reproducible when tested against Pornhub's server though. Thus, we assumed a PHP 5 version. However, running the fuzzer against a newer version of PHP 5 simply generated more than 1 TB of logs without any success. Eventually, after putting more and more effort into fuzzing we stumbled upon unexpected behavior again. Several questions had to be answered: is the issue security related? If so, can we only exploit it locally or also remotely? To further complicate this situation the fuzzer did generate non-printable data blobs with sizes of more than 200 KB. A tremendous amount of time was necessary to analyze potential issues. After all, we could extract a concise proof of concept of a working memory corruption bug - a so called use-after-free vulnerability! Upon further investigation we discovered that the root cause could be found in PHP's garbage collection algorithm, a component of PHP that is completely unrelated to unserialize.



However, the interaction of both components occurred only after unserialize had finished its job. Consequently, it was not well suited for remote exploitation. After further analysis, gaining a deeper understanding of the problem's root causes and a lot of hard work a similar use-after-free vulnerability was found that seemed to be promising for remote exploitation. The high sophistication of the found PHP bugs and their discovery made it necessary to write separate articles. You can read more details in Dario's fuzzing unserialize write-up. In addition, we have written an article about Breaking PHP's Garbage Collection and Unserialize. Even this promising use-after-free vulnerability was considerably difficult to exploit. In particular, it involved multiple exploitation stages.

1. The stack and heap (which also include any potential user input) as well as any other writable segments are flagged non-executable (c.f.
2. Even if you are able to control the instruction pointer you need to know what you want to execute, i.e. you need to have a valid address of an executable memory segment.
