How we Broke PHP, Hacked Pornhub and Earned $20,000

We've got discovered two use-after-free vulnerabilities in PHP’s rubbish collection algorithm. Those vulnerabilities have been remotely exploitable over PHP’s unserialize operate. We were additionally awarded with $2,000 by the Internet Bug Bounty committee (c.f. Many thanks exit to cutz for co-authoring this text. Pornhub’s bug bounty program and its comparatively high rewards on Hackerone caught our consideration. That’s why we've got taken the perspective of an advanced attacker with the complete intent to get as deep as doable into the system, focusing on one most important purpose: gaining remote code execution capabilities. Thus, we left no stone unturned and attacked what Pornhub is built upon: PHP. After analyzing the platform we rapidly detected the usage of unserialize on the web site. In all cases a parameter named "cookie" obtained unserialized from Post data and afterwards reflected through Set-Cookie headers. Standard exploitation strategies require so referred to as Property-Oriented-Programming (POP) that contain abusing already present courses with particularly outlined "magic methods" as a way to trigger undesirable and malicious code paths.

Unfortunately, it was difficult for us to collect any information about Pornhub’s used frameworks and PHP objects usually. Multiple classes from common frameworks have been tested - all without success. The core unserializer alone is comparatively complicated as it entails more than 1200 strains of code in PHP 5.6. Further, many internal PHP lessons have their very own unserialize strategies. By supporting constructions like objects, arrays, integers, strings and even references it is no surprise that PHP’s observe record reveals a tendency for bugs and reminiscence corruption vulnerabilities. Sadly, there were no identified vulnerabilities of such type for newer PHP variations like PHP 5.6 or PHP 7, especially as a result of unserialize already received lots of attention previously (e.g. phpcodz). Hence, auditing it can be compared to squeezing an already tightly squeezed lemon. Finally, after a lot consideration and so many safety fixes its vulnerability potential ought to have been drained out and it should be safe, shouldn’t it? To find a solution Dario applied a fuzzer crafted specifically for fuzzing serialized strings which had been handed to unserialize.

Running the fuzzer with PHP 7 immediately lead to unexpected conduct. This habits was not reproducible when examined against Pornhub’s server though. Thus, porn we assumed a PHP 5 version. However, working the fuzzer in opposition to a newer model of PHP 5 simply generated greater than 1 TB of logs without any success. Eventually, after placing more and more effort into fuzzing we’ve stumbled upon unexpected behavior again. Several questions had to be answered: is the difficulty safety related? If that's the case can we only exploit it locally or additionally remotely? To further complicate this situation the fuzzer did generate non-printable information blobs with sizes of greater than 200 KB. An amazing period of time was crucial to analyze potential points. In any case, we could extract a concise proof of concept of a working memory corruption bug - a so referred to as use-after-free vulnerability! Upon further investigation we found that the basis cause could be present in PHP’s garbage collection algorithm, a part of PHP that is completely unrelated to unserialize.

However, the interaction of each parts occurred solely after unserialize had completed its job. Consequently, it was not properly suited to remote exploitation. After further analysis, gaining a deeper understanding for the problem’s root causes and a whole lot of laborious work an identical use-after-free vulnerability was found that gave the impression to be promising for remote exploitation. The high sophistication of the found PHP bugs and their discovery made it necessary to write down separate articles. You possibly can learn more details in Dario’s fuzzing unserialize write-up. In addition, we now have written an article about Breaking PHP’s Garbage Collection and Unserialize. Even this promising use-after-free vulnerability was considerably troublesome to take advantage of. Specifically, it concerned multiple exploitation phases. 1. The stack and heap (which additionally include any potential user-enter) as well as some other writable segments are flagged non-executable (c.f. 2. Even in case you are in a position to manage the instruction pointer you must know what you want to execute i.e. you want to have a legitimate deal with of an executable reminiscence phase.