How we Broke PHP, Hacked Pornhub and Earned $20,000

We have now found two use-after-free vulnerabilities in PHP’s rubbish assortment algorithm. Those vulnerabilities had been remotely exploitable over PHP’s unserialize perform. We have been also awarded with $2,000 by the Internet Bug Bounty committee (c.f. Many thanks exit to cutz for co-authoring this text. Pornhub’s bug bounty program and its relatively excessive rewards on Hackerone caught our consideration. That’s why we have taken the angle of a complicated attacker with the total intent to get as deep as attainable into the system, specializing in one principal purpose: gaining remote code execution capabilities. Thus, we left no stone unturned and attacked what Pornhub is built upon: PHP. After analyzing the platform we rapidly detected the utilization of unserialize on the web site. In all circumstances a parameter named "cookie" bought unserialized from Post data and afterwards reflected via Set-Cookie headers. Standard exploitation techniques require so called Property-Oriented-Programming (POP) that contain abusing already present classes with particularly defined "magic methods" so as to set off unwanted and malicious code paths.

Unfortunately, it was difficult for us to gather any details about Pornhub’s used frameworks and PHP objects typically. Multiple classes from widespread frameworks have been examined - all with out success. The core unserializer alone is comparatively advanced as it involves greater than 1200 traces of code in PHP 5.6. Further, many internal PHP courses have their very own unserialize strategies. By supporting buildings like objects, arrays, integers, strings and even references it is no surprise that PHP’s monitor file reveals a tendency for bugs and reminiscence corruption vulnerabilities. Sadly, there have been no known vulnerabilities of such kind for newer PHP versions like PHP 5.6 or PHP 7, particularly as a result of unserialize already received a whole lot of attention up to now (e.g. phpcodz). Hence, auditing it may be compared to squeezing an already tightly squeezed lemon. Finally, after a lot consideration and so many safety fixes its vulnerability potential ought to have been drained out and it needs to be secure, shouldn’t it? To find a solution Dario implemented a fuzzer crafted specifically for fuzzing serialized strings which have been passed to unserialize.

Running the fuzzer with PHP 7 immediately lead to unexpected conduct. This behavior was not reproducible when tested against Pornhub’s server although. Thus, we assumed a PHP 5 model. However, running the fuzzer in opposition to a newer version of PHP 5 just generated greater than 1 TB of logs with none success. Eventually, after putting more and more effort into fuzzing we’ve stumbled upon unexpected behavior once more. Several questions had to be answered: is the difficulty security related? In that case can we only exploit it domestically or also remotely? To further complicate this situation the fuzzer did generate non-printable information blobs with sizes of greater than 200 KB. An amazing period of time was mandatory to investigate potential points. In spite of everything, we might extract a concise proof of concept of a working reminiscence corruption bug - a so called use-after-free vulnerability! Upon further investigation we discovered that the foundation cause may very well be present in PHP’s garbage assortment algorithm, a part of PHP that is completely unrelated to unserialize.

However, the interaction of both elements occurred solely after unserialize had completed its job. Consequently, it was not well fitted to distant exploitation. After additional analysis, gaining a deeper understanding for the problem’s root causes and numerous laborious work an analogous use-after-free vulnerability was discovered that seemed to be promising for remote exploitation. The high sophistication of the discovered PHP bugs and their discovery made it vital to put in writing separate articles. You may learn extra details in Dario’s fuzzing unserialize write-up. As well as, now we have written an article about Breaking PHP’s Garbage Collection and Unserialize. Even this promising use-after-free vulnerability was considerably troublesome to exploit. Specifically, it concerned multiple exploitation phases. 1. The stack and heap (which additionally include any potential user-input) as well as every other writable segments are flagged non-executable (c.f. 2. Even in case you are able to control the instruction pointer that you must know what you want to execute i.e. you must have a sound tackle of an executable reminiscence phase.