We have found two use-after-free vulnerabilities in PHP’s rubbish collection algorithm. Those vulnerabilities had been remotely exploitable over PHP’s unserialize perform. We have been also awarded with $2,000 by the Internet Bug Bounty committee (c.f. Many thanks go out to cutz for co-authoring this article. Pornhub’s bug bounty program and its relatively excessive rewards on Hackerone caught our consideration. That’s why we've taken the attitude of a sophisticated attacker with the complete intent to get as deep as doable into the system, specializing in one predominant purpose: gaining remote code execution capabilities. Thus, we left no stone unturned and attacked what Pornhub is built upon: PHP. After analyzing the platform we quickly detected the utilization of unserialize on the website. In all instances a parameter named "cookie" obtained unserialized from Post data and afterwards reflected via Set-Cookie headers. Standard exploitation methods require so known as Property-Oriented-Programming (POP) that contain abusing already present classes with particularly defined "magic methods" so as to trigger unwanted and malicious code paths.

Unfortunately, it was difficult for us to collect any information about Pornhub’s used frameworks and PHP objects in general. Multiple lessons from widespread frameworks have been tested - all without success. The core unserializer alone is comparatively advanced as it involves more than 1200 traces of code in PHP 5.6. Further, many internal PHP courses have their own unserialize strategies. By supporting structures like objects, arrays, integers, strings or even references it is not any shock that PHP’s track report reveals a tendency for bugs and reminiscence corruption vulnerabilities. Sadly, there have been no known vulnerabilities of such kind for newer PHP versions like PHP 5.6 or PHP 7, especially because unserialize already got a variety of attention previously (e.g. phpcodz). Hence, auditing it can be compared to squeezing an already tightly squeezed lemon. Finally, after a lot attention and so many safety fixes its vulnerability potential should have been drained out and it ought to be safe, shouldn’t it? To find a solution Dario implemented a fuzzer crafted particularly for fuzzing serialized strings which have been handed to unserialize.

Running the fuzzer with PHP 7 instantly result in unexpected habits. This habits was not reproducible when examined towards Pornhub’s server though. Thus, porn we assumed a PHP 5 version. However, working the fuzzer in opposition to a newer version of PHP 5 simply generated more than 1 TB of logs without any success. Eventually, after placing increasingly more effort into fuzzing we’ve stumbled upon unexpected habits again. Several questions needed to be answered: is the difficulty security associated? If so can we solely exploit it domestically or also remotely? To additional complicate this case the fuzzer did generate non-printable information blobs with sizes of more than 200 KB. A tremendous period of time was obligatory to research potential issues. In spite of everything, we might extract a concise proof of concept of a working memory corruption bug - a so known as use-after-free vulnerability! Upon further investigation we discovered that the foundation trigger could be present in PHP’s garbage assortment algorithm, a element of PHP that is totally unrelated to unserialize.

However, the interaction of both components occurred solely after unserialize had finished its job. Consequently, it was not nicely suited to distant exploitation. After further evaluation, gaining a deeper understanding for the problem’s root causes and a whole lot of exhausting work a similar use-after-free vulnerability was found that seemed to be promising for distant exploitation. The high sophistication of the found PHP bugs and their discovery made it vital to jot down separate articles. You can learn more details in Dario’s fuzzing unserialize write-up. As well as, we have written an article about Breaking PHP’s Garbage Collection and Unserialize. Even this promising use-after-free vulnerability was considerably troublesome to exploit. Specifically, it concerned a number of exploitation levels. 1. The stack and heap (which also embody any potential user-enter) in addition to another writable segments are flagged non-executable (c.f. 2. Even if you're able to regulate the instruction pointer it is advisable know what you need to execute i.e. that you must have a legitimate handle of an executable reminiscence section.