We've found two use-after-free vulnerabilities in PHP’s rubbish collection algorithm. Those vulnerabilities were remotely exploitable over PHP’s unserialize operate. We have been additionally awarded with $2,000 by the Internet Bug Bounty committee (c.f. Many thanks go out to cutz for co-authoring this article. Pornhub’s bug bounty program and its relatively excessive rewards on Hackerone caught our consideration. That’s why we have taken the angle of a complicated attacker with the full intent to get as deep as attainable into the system, specializing in one fundamental purpose: gaining remote code execution capabilities. Thus, we left no stone unturned and attacked what Pornhub is constructed upon: PHP. After analyzing the platform we rapidly detected the utilization of unserialize on the web site. In all circumstances a parameter named "cookie" obtained unserialized from Post information and afterwards mirrored via Set-Cookie headers. Standard exploitation strategies require so referred to as Property-Oriented-Programming (POP) that involve abusing already existing classes with particularly outlined "magic methods" to be able to trigger undesirable and malicious code paths.

Unfortunately, it was difficult for us to collect any information about Pornhub’s used frameworks and PHP objects on the whole. Multiple lessons from widespread frameworks have been tested - all with out success. The core unserializer alone is comparatively complex as it involves more than 1200 lines of code in PHP 5.6. Further, many internal PHP courses have their own unserialize strategies. By supporting constructions like objects, arrays, integers, strings or even references it isn't any shock that PHP’s observe record exhibits a tendency for bugs and reminiscence corruption vulnerabilities. Sadly, there were no recognized vulnerabilities of such type for newer PHP variations like PHP 5.6 or PHP 7, porn especially as a result of unserialize already acquired numerous consideration up to now (e.g. phpcodz). Hence, auditing it may be in comparison with squeezing an already tightly squeezed lemon. Finally, after a lot consideration and so many security fixes its vulnerability potential ought to have been drained out and it must be safe, shouldn’t it? To seek out a solution Dario carried out a fuzzer crafted particularly for fuzzing serialized strings which were passed to unserialize.

Running the fuzzer with PHP 7 instantly result in unexpected conduct. This behavior was not reproducible when examined against Pornhub’s server though. Thus, we assumed a PHP 5 version. However, running the fuzzer against a newer model of PHP 5 simply generated greater than 1 TB of logs with none success. Eventually, after putting more and more effort into fuzzing we’ve stumbled upon unexpected habits again. Several questions needed to be answered: is the difficulty security related? If so can we solely exploit it locally or also remotely? To further complicate this situation the fuzzer did generate non-printable data blobs with sizes of greater than 200 KB. An incredible period of time was vital to investigate potential points. In spite of everything, we could extract a concise proof of idea of a working reminiscence corruption bug - a so known as use-after-free vulnerability! Upon further investigation we found that the basis trigger might be found in PHP’s garbage collection algorithm, a part of PHP that is totally unrelated to unserialize.

However, the interplay of each parts occurred only after unserialize had completed its job. Consequently, it was not properly fitted to distant exploitation. After additional analysis, gaining a deeper understanding for the problem’s root causes and quite a lot of laborious work a similar use-after-free vulnerability was found that gave the impression to be promising for distant exploitation. The high sophistication of the discovered PHP bugs and their discovery made it needed to write separate articles. You possibly can read more details in Dario’s fuzzing unserialize write-up. As well as, now we have written an article about Breaking PHP’s Garbage Collection and Unserialize. Even this promising use-after-free vulnerability was considerably tough to exploit. In particular, it involved a number of exploitation levels. 1. The stack and heap (which additionally include any potential consumer-enter) in addition to every other writable segments are flagged non-executable (c.f. 2. Even if you are able to control the instruction pointer you want to know what you want to execute i.e. it's good to have a valid address of an executable memory phase.