
How we Broke PHP, Hacked Pornhub and Earned $20,000


Author: Williams Brooke   Posted: 24-06-01 20:24   Views: 3   Comments: 0


We have discovered two use-after-free vulnerabilities in PHP's garbage collection algorithm. Those vulnerabilities were remotely exploitable over PHP's unserialize function. We were also awarded $2,000 by the Internet Bug Bounty committee. Many thanks go out to cutz for co-authoring this article.

Pornhub's bug bounty program and its comparatively high rewards on Hackerone caught our attention. That is why we took the perspective of an advanced attacker with the full intent to get as deep as possible into the system, focusing on one main goal: gaining remote code execution capabilities. Thus, we left no stone unturned and attacked what Pornhub is built upon: PHP.

After analyzing the platform we quickly detected the usage of unserialize on the website. In all cases a parameter named "cookie" got unserialized from POST data and was afterwards reflected via Set-Cookie headers. Standard exploitation techniques require so-called Property-Oriented Programming (POP), which involves abusing classes that are already loaded on the target and define "magic methods" (such as __destruct or __wakeup) in order to trigger unwanted and malicious code paths with attacker-controlled object properties.



Unfortunately, it was difficult for us to gather any information about the frameworks Pornhub uses and its PHP objects in general. Multiple classes from common frameworks were tested, all without success. The core unserializer alone is relatively complex, as it involves more than 1200 lines of code in PHP 5.6. Further, many internal PHP classes have their own unserialize methods. Given that it supports structures like objects, arrays, integers, strings or even references, it is no surprise that PHP's track record shows a tendency for bugs and memory corruption vulnerabilities in this area. Sadly, there were no known vulnerabilities of that type for newer PHP versions like PHP 5.6 or PHP 7, especially because unserialize had already received a lot of attention in the past (e.g. phpcodz). Hence, auditing it can be compared to squeezing an already tightly squeezed lemon. Finally, after so much attention and so many security fixes its vulnerability potential should have been drained and it should be safe, shouldn't it? To find an answer, Dario implemented a fuzzer crafted specifically for fuzzing serialized strings that were passed to unserialize.
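To make the two technical points above concrete, the POP payload shape from the "cookie" paragraph and the serialized-string fuzzer from this one, here is an added example in Python. It is not code from the original article and not the authors' fuzzer: it is a small encoder for PHP's serialize() wire format, a function that builds an object payload of the kind a POP chain needs, and a format-aware mutator that derives fuzz cases from it. The class name LogFlusher and its properties are hypothetical placeholders for "a class the target has loaded whose magic method acts on attacker-controlled properties"; they are not a gadget known to exist in Pornhub or any framework.

```python
"""
Added example, not code from the original article or from the authors'
fuzzer: a small encoder for PHP's serialize() format, used to build the
object payload a Property-Oriented Programming (POP) chain needs and to
drive a simple mutation fuzzer over serialized strings headed for
unserialize(). Class and property names in pop_payload() are hypothetical.
"""
import random
from dataclasses import dataclass, field

TYPE_TAGS = b"isdbaONRr"  # int, string, double, bool, array, object, null, refs


@dataclass
class PHPObject:
    """Stands in for a PHP object, serialized as O:<len>:"<class>":<n>:{...}."""
    class_name: str
    props: dict = field(default_factory=dict)


def php_serialize(value) -> bytes:
    """Encode a Python value in PHP serialize() format. Output is bytes because
    PHP's s: length field counts bytes, not characters."""
    if value is None:
        return b"N;"
    if isinstance(value, bool):
        return b"b:1;" if value else b"b:0;"
    if isinstance(value, int):
        return b"i:%d;" % value
    if isinstance(value, float):
        return b"d:%s;" % repr(value).encode()
    if isinstance(value, str):
        value = value.encode("utf-8")
    if isinstance(value, bytes):
        return b's:%d:"%s";' % (len(value), value)
    if isinstance(value, (list, tuple)):
        value = dict(enumerate(value))  # PHP lists are arrays with int keys
    if isinstance(value, dict):
        body = b"".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return b"a:%d:{%s}" % (len(value), body)
    if isinstance(value, PHPObject):
        cls = value.class_name.encode()
        body = b"".join(php_serialize(k) + php_serialize(v) for k, v in value.props.items())
        return b'O:%d:"%s":%d:{%s}' % (len(cls), cls, len(value.props), body)
    raise TypeError(f"cannot serialize {type(value).__name__}")


def pop_payload() -> bytes:
    """The shape of a POP-chain payload: an object of a class the target has
    already loaded, whose magic method (__destruct, __wakeup, __toString, ...)
    does something dangerous with attacker-controlled properties. This is what
    would be sent as the unserialized "cookie" POST parameter. LogFlusher and
    its properties are hypothetical, not a gadget known to exist anywhere."""
    gadget = PHPObject("LogFlusher", {"path": "/tmp/poc.txt", "data": "pwned"})
    return php_serialize(gadget)


def mutate(payload: bytes, rng: random.Random, rounds: int = 3) -> bytes:
    """Apply a few format-aware mutations. They aim at the bookkeeping
    unserialize performs (declared lengths and counts, type tags, nesting,
    back-references R:/r:), which is where memory-safety bugs tend to hide."""
    buf = bytearray(payload)
    for _ in range(rounds):
        choice = rng.randrange(5)
        if choice == 0:
            # Corrupt a declared length or element count (any digit will do).
            digits = [i for i, c in enumerate(buf) if 48 <= c <= 57]
            if digits:
                i = rng.choice(digits)
                buf[i] = rng.choice([d for d in b"0123456789" if d != buf[i]])
        elif choice == 1:
            # Swap a type tag: tags are single letters followed by ':' or ';'.
            tags = [i for i, c in enumerate(buf)
                    if c in TYPE_TAGS and i + 1 < len(buf) and buf[i + 1] in b":;"]
            if tags:
                i = rng.choice(tags)
                buf[i] = rng.choice([t for t in TYPE_TAGS if t != buf[i]])
        elif choice == 2:
            # Truncate so the parser sees a premature end of input.
            if len(buf) > 2:
                del buf[rng.randrange(1, len(buf)):]
        elif choice == 3:
            # Insert a back-reference after some element terminator.
            # R: points at an earlier slot by reference, r: copies its value.
            ends = [i for i, c in enumerate(buf) if c == ord(";")]
            if ends:
                at = rng.choice(ends) + 1
                buf[at:at] = b"%s:%d;" % (rng.choice([b"R", b"r"]), rng.randrange(1, 10))
        else:
            # Duplicate a chunk so declared counts and real element numbers diverge.
            if len(buf) > 4:
                lo = rng.randrange(len(buf) - 1)
                hi = rng.randrange(lo + 1, len(buf))
                buf[hi:hi] = buf[lo:hi]
    return bytes(buf)


def fuzz_corpus(seed_payload: bytes, count: int, seed: int = 0) -> list:
    """Deterministically derive `count` mutated inputs from one seed payload,
    so a crash found later can be regenerated from (seed, index)."""
    rng = random.Random(seed)
    return [mutate(seed_payload, rng) for _ in range(count)]


if __name__ == "__main__":
    base = pop_payload()
    print(base.decode())
    for case in fuzz_corpus(base, 5, seed=1):
        print(case)  # each would be posted as "cookie" to the unserialize sink
```

The mutator deliberately keeps most of the string well-formed and breaks one thing at a time: a length field that no longer matches the data, a type tag that makes the parser interpret bytes as a different structure, or an R:/r: back-reference to a slot that may no longer be valid. That last class of input is the one most likely to interact with PHP's reference counting and garbage collection, which is where the article's use-after-free bugs turned out to live.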



Running the fuzzer against PHP 7 immediately led to unexpected behavior. This behavior was not reproducible when tested against Pornhub's server, though. Thus, we assumed a PHP 5 version. However, running the fuzzer against a newer version of PHP 5 just generated more than 1 TB of logs without any success. Eventually, after putting more and more effort into fuzzing, we stumbled upon unexpected behavior again. Several questions had to be answered: is the issue security related? If so, can we only exploit it locally or also remotely? To further complicate the situation, the fuzzer generated non-printable data blobs with sizes of more than 200 KB. A tremendous amount of time was necessary to analyze potential issues. In the end, we could extract a concise proof of concept of a working memory corruption bug, a so-called use-after-free vulnerability. Upon further investigation we discovered that the root cause could be found in PHP's garbage collection algorithm, a component of PHP that is completely unrelated to unserialize.



However, the interaction of both components occurred only after unserialize had finished its job. Consequently, it was not well suited for remote exploitation. After further analysis, a deeper understanding of the problem's root causes and a lot of hard work, a similar use-after-free vulnerability was found that seemed promising for remote exploitation. The high sophistication of the PHP bugs found and of their discovery made it necessary to write separate articles. You can read more details in Dario's fuzzing unserialize write-up. In addition, we have written an article about Breaking PHP's Garbage Collection and Unserialize.

Even this promising use-after-free vulnerability was considerably difficult to exploit. In particular, it involved multiple exploitation stages:

1. The stack and heap (which also include any potential user input) as well as any other writable segments are flagged non-executable.
2. Even if you are able to control the instruction pointer, you need to know what you want to execute, i.e. you need a valid address of an executable memory segment.


