How we Broke PHP, Hacked Pornhub and Earned $20,000

We've discovered two use-after-free vulnerabilities in PHP’s rubbish assortment algorithm. Those vulnerabilities were remotely exploitable over PHP’s unserialize operate. We have been additionally awarded with $2,000 by the Internet Bug Bounty committee (c.f. Many thanks exit to cutz for co-authoring this text. Pornhub’s bug bounty program and its relatively high rewards on Hackerone caught our consideration. That’s why we've got taken the perspective of a complicated attacker with the full intent to get as deep as possible into the system, specializing in one major aim: gaining distant code execution capabilities. Thus, we left no stone unturned and attacked what Pornhub is constructed upon: PHP. After analyzing the platform we shortly detected the utilization of unserialize on the website. In all cases a parameter named "cookie" received unserialized from Post information and afterwards reflected through Set-Cookie headers. Standard exploitation techniques require so known as Property-Oriented-Programming (POP) that contain abusing already existing classes with particularly defined "magic methods" in an effort to trigger undesirable and malicious code paths.

Unfortunately, it was troublesome for us to collect any details about Pornhub’s used frameworks and PHP objects usually. Multiple courses from widespread frameworks have been tested - all without success. The core unserializer alone is comparatively complex as it includes more than 1200 strains of code in PHP 5.6. Further, xhamster many inner PHP courses have their own unserialize strategies. By supporting buildings like objects, arrays, integers, strings or even references it isn't any surprise that PHP’s observe record shows a tendency for bugs and memory corruption vulnerabilities. Sadly, there have been no known vulnerabilities of such type for newer PHP variations like PHP 5.6 or PHP 7, particularly as a result of unserialize already received lots of consideration prior to now (e.g. phpcodz). Hence, auditing it may be compared to squeezing an already tightly squeezed lemon. Finally, after so much consideration and so many security fixes its vulnerability potential ought to have been drained out and it needs to be secure, shouldn’t it? To seek out a solution Dario implemented a fuzzer crafted particularly for fuzzing serialized strings which have been handed to unserialize.

Running the fuzzer with PHP 7 instantly result in unexpected behavior. This behavior was not reproducible when examined against Pornhub’s server although. Thus, we assumed a PHP 5 model. However, working the fuzzer against a newer model of PHP 5 simply generated more than 1 TB of logs with none success. Eventually, after putting increasingly more effort into fuzzing we’ve stumbled upon unexpected conduct once more. Several questions had to be answered: is the difficulty safety associated? If so can we solely exploit it regionally or also remotely? To additional complicate this example the fuzzer did generate non-printable information blobs with sizes of greater than 200 KB. An amazing period of time was mandatory to investigate potential issues. In any case, we might extract a concise proof of idea of a working reminiscence corruption bug - a so called use-after-free vulnerability! Upon further investigation we discovered that the basis cause may very well be found in PHP’s rubbish collection algorithm, a part of PHP that is totally unrelated to unserialize.

However, the interaction of each parts occurred solely after unserialize had finished its job. Consequently, it was not well suited for distant exploitation. After additional analysis, gaining a deeper understanding for the problem’s root causes and numerous onerous work an identical use-after-free vulnerability was found that appeared to be promising for distant exploitation. The excessive sophistication of the discovered PHP bugs and their discovery made it necessary to write down separate articles. You can learn extra details in Dario’s fuzzing unserialize write-up. As well as, we've written an article about Breaking PHP’s Garbage Collection and Unserialize. Even this promising use-after-free vulnerability was considerably troublesome to exploit. In particular, it involved multiple exploitation phases. 1. The stack and heap (which also embody any potential user-input) in addition to another writable segments are flagged non-executable (c.f. 2. Even if you're ready to control the instruction pointer that you must know what you need to execute i.e. you should have a sound deal with of an executable reminiscence segment.