How we Broke PHP, Hacked Pornhub and Earned $20,000 > 자유게시판

• 목록
• 게시판 리스트 옵션
  • 수정
  • 삭제

Now we have discovered two use-after-free vulnerabilities in PHP’s garbage collection algorithm. Those vulnerabilities were remotely exploitable over PHP’s unserialize perform. We have been also awarded with $2,000 by the Internet Bug Bounty committee (c.f. Many thanks exit to cutz for co-authoring this text. Pornhub’s bug bounty program and its relatively high rewards on Hackerone caught our consideration. That’s why we now have taken the perspective of an advanced attacker with the total intent to get as deep as attainable into the system, specializing in one most important aim: gaining distant code execution capabilities. Thus, we left no stone unturned and attacked what Pornhub is constructed upon: PHP. After analyzing the platform we shortly detected the utilization of unserialize on the website. In all cases a parameter named "cookie" received unserialized from Post knowledge and afterwards mirrored through Set-Cookie headers. Standard exploitation techniques require so referred to as Property-Oriented-Programming (POP) that involve abusing already existing classes with specifically defined "magic methods" with the intention to set off unwanted and malicious code paths.

Unfortunately, it was troublesome for us to assemble any details about Pornhub’s used frameworks and PHP objects normally. Multiple classes from widespread frameworks have been examined - all with out success. The core unserializer alone is relatively advanced as it entails greater than 1200 lines of code in PHP 5.6. Further, mia melano porn many inner PHP lessons have their own unserialize strategies. By supporting constructions like objects, arrays, integers, strings and even references it isn't any surprise that PHP’s monitor record exhibits a tendency for bugs and reminiscence corruption vulnerabilities. Sadly, there have been no recognized vulnerabilities of such type for newer PHP versions like PHP 5.6 or PHP 7, particularly as a result of unserialize already got loads of attention prior to now (e.g. phpcodz). Hence, auditing it may be compared to squeezing an already tightly squeezed lemon. Finally, after a lot attention and so many security fixes its vulnerability potential should have been drained out and it should be safe, shouldn’t it? To search out a solution Dario applied a fuzzer crafted particularly for fuzzing serialized strings which were handed to unserialize.

Running the fuzzer with PHP 7 immediately lead to unexpected conduct. This behavior was not reproducible when tested against Pornhub’s server although. Thus, we assumed a PHP 5 model. However, operating the fuzzer in opposition to a newer version of PHP 5 simply generated greater than 1 TB of logs with none success. Eventually, after placing an increasing number of effort into fuzzing we’ve stumbled upon unexpected habits once more. Several questions had to be answered: is the issue security associated? In that case can we solely exploit it locally or also remotely? To additional complicate this situation the fuzzer did generate non-printable data blobs with sizes of more than 200 KB. An incredible period of time was needed to investigate potential points. After all, we could extract a concise proof of concept of a working reminiscence corruption bug - a so called use-after-free vulnerability! Upon further investigation we discovered that the basis trigger could possibly be present in PHP’s garbage collection algorithm, a element of PHP that is totally unrelated to unserialize.

However, the interplay of both components occurred only after unserialize had finished its job. Consequently, it was not effectively suited for remote exploitation. After additional analysis, gaining a deeper understanding for the problem’s root causes and a whole lot of onerous work an analogous use-after-free vulnerability was found that seemed to be promising for distant exploitation. The excessive sophistication of the discovered PHP bugs and their discovery made it mandatory to put in writing separate articles. You may read more particulars in Dario’s fuzzing unserialize write-up. In addition, we've written an article about Breaking PHP’s Garbage Collection and Unserialize. Even this promising use-after-free vulnerability was significantly tough to take advantage of. Particularly, it involved a number of exploitation phases. 1. The stack and heap (which additionally embrace any potential user-input) in addition to another writable segments are flagged non-executable (c.f. 2. Even if you're able to manage the instruction pointer you must know what you need to execute i.e. you must have a sound address of an executable reminiscence phase.