How we Broke PHP, Hacked Pornhub and Earned $20,000

We've found two use-after-free vulnerabilities in PHP’s garbage collection algorithm. Those vulnerabilities had been remotely exploitable over PHP’s unserialize perform. We were also awarded with $2,000 by the Internet Bug Bounty committee (c.f. Many thanks go out to cutz for co-authoring this text. Pornhub’s bug bounty program and its comparatively high rewards on Hackerone caught our attention. That’s why now we have taken the perspective of a sophisticated attacker with the full intent to get as deep as doable into the system, focusing on one principal purpose: gaining remote code execution capabilities. Thus, we left no stone unturned and attacked what Pornhub is constructed upon: PHP. After analyzing the platform we quickly detected the utilization of unserialize on the web site. In all cases a parameter named "cookie" bought unserialized from Post data and afterwards mirrored by way of Set-Cookie headers. Standard exploitation methods require so referred to as Property-Oriented-Programming (POP) that involve abusing already existing courses with specifically outlined "magic methods" to be able to trigger unwanted and malicious code paths.

Unfortunately, it was tough for us to assemble any details about Pornhub’s used frameworks and PHP objects typically. Multiple classes from frequent frameworks have been tested - all with out success. The core unserializer alone is comparatively complex as it involves more than 1200 lines of code in PHP 5.6. Further, many inside PHP classes have their very own unserialize methods. By supporting structures like objects, arrays, integers, strings and even references it isn't any surprise that PHP’s observe document shows a tendency for bugs and reminiscence corruption vulnerabilities. Sadly, there have been no identified vulnerabilities of such kind for newer PHP variations like PHP 5.6 or xhamster PHP 7, particularly because unserialize already got a variety of consideration prior to now (e.g. phpcodz). Hence, auditing it can be in comparison with squeezing an already tightly squeezed lemon. Finally, after a lot attention and so many safety fixes its vulnerability potential ought to have been drained out and it needs to be safe, shouldn’t it? To find an answer Dario applied a fuzzer crafted specifically for fuzzing serialized strings which have been passed to unserialize.

Running the fuzzer with PHP 7 instantly result in unexpected conduct. This habits was not reproducible when examined against Pornhub’s server although. Thus, we assumed a PHP 5 version. However, running the fuzzer against a newer version of PHP 5 simply generated more than 1 TB of logs without any success. Eventually, after putting increasingly effort into fuzzing we’ve stumbled upon unexpected conduct again. Several questions needed to be answered: is the difficulty security associated? In that case can we solely exploit it locally or additionally remotely? To further complicate this case the fuzzer did generate non-printable information blobs with sizes of more than 200 KB. A tremendous amount of time was vital to analyze potential points. In any case, we could extract a concise proof of concept of a working reminiscence corruption bug - a so known as use-after-free vulnerability! Upon further investigation we discovered that the basis trigger might be found in PHP’s rubbish collection algorithm, a part of PHP that is completely unrelated to unserialize.

However, the interplay of both components occurred solely after unserialize had finished its job. Consequently, it was not effectively suited to distant exploitation. After further evaluation, gaining a deeper understanding for the problem’s root causes and numerous onerous work an identical use-after-free vulnerability was discovered that appeared to be promising for remote exploitation. The excessive sophistication of the discovered PHP bugs and their discovery made it necessary to put in writing separate articles. You may learn extra details in Dario’s fuzzing unserialize write-up. As well as, we have now written an article about Breaking PHP’s Garbage Collection and Unserialize. Even this promising use-after-free vulnerability was significantly troublesome to use. Particularly, it concerned multiple exploitation stages. 1. The stack and heap (which additionally embrace any potential user-enter) as well as some other writable segments are flagged non-executable (c.f. 2. Even in case you are able to control the instruction pointer it's essential to know what you want to execute i.e. you could have a sound tackle of an executable memory section.