How we Broke PHP, Hacked Pornhub and Earned $20,000 > Free Board



Page information

Author: Kurtis   Date: 24-06-02   Views: 6

Body

We have discovered two use-after-free vulnerabilities in PHP’s garbage collection algorithm. Those vulnerabilities were remotely exploitable over PHP’s unserialize function. We were also awarded $2,000 by the Internet Bug Bounty committee (c.f. Many thanks go out to cutz for co-authoring this article. Pornhub’s bug bounty program and its comparatively high rewards on Hackerone caught our attention. That’s why we took the perspective of a sophisticated attacker with the full intent to get as deep as possible into the system, focusing on one main goal: gaining remote code execution capabilities. Thus, we left no stone unturned and attacked what Pornhub is built upon: PHP. After analyzing the platform we quickly detected the use of unserialize on the website. In all cases a parameter named "cookie" got unserialized from POST data and was afterwards reflected via Set-Cookie headers. Standard exploitation techniques require so-called Property-Oriented Programming (POP), which involves abusing already existing classes with specially defined "magic methods" in order to trigger unwanted and malicious code paths.
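The pattern described above, a POST field named "cookie" fed straight into unserialize and echoed back in Set-Cookie, is the entry point for both POP chains and parser-level memory bugs. The following is an added example written for this page, not code from the article or from Pornhub: it shows that pattern beside two defensive alternatives and a signed-cookie check. The function names, the constructed sample input and the key value are assumptions for illustration. Note that the `allowed_classes` option only exists from PHP 7.0 onward (the bugs in the article were hunted on PHP 5.6), and that it still runs the unserializer's parser, so it blocks POP chains but not bugs inside unserialize itself; the JSON and signing options avoid the parser entirely.

```php
<?php
// Added example (not the article's code). All inputs below are constructed.

// Constructed sample of what might arrive in a POST field named "cookie":
// a serialized object of an arbitrary class.
$untrusted = 'O:8:"stdClass":1:{s:4:"name";s:5:"alice";}';

// Unsafe: unserialize() on attacker-controlled input instantiates any class
// present in the application and runs its magic methods (__wakeup, __destruct, ...).
function unsafeLoad(string $blob)
{
    return unserialize($blob);
}

// Mitigation 1 (PHP >= 7.0): refuse to instantiate objects. Any "O:" token becomes
// __PHP_Incomplete_Class, so no application magic methods are reachable.
// The serialized string is still parsed, so parser bugs are not mitigated.
function saferLoad(string $blob)
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// Mitigation 2: do not use PHP's serialization format for client-held state at all.
// JSON carries only scalars and arrays and has no notion of class instantiation.
function jsonLoad(string $json): ?array
{
    $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : null;
}

// Mitigation 3: if the server must round-trip its own serialized state through a
// cookie, sign it and verify the MAC before any parsing happens. Data that the
// server did not produce never reaches unserialize(). Key value is a placeholder.
const COOKIE_KEY = 'replace-with-a-random-secret-from-config';

function signState(string $blob): string
{
    return hash_hmac('sha256', $blob, COOKIE_KEY) . '.' . base64_encode($blob);
}

function loadSignedState(string $cookie): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$mac, $encoded] = $parts;
    $blob = base64_decode($encoded, true);
    if ($blob === false) {
        return null;
    }
    // Constant-time comparison; only server-signed blobs get parsed.
    if (!hash_equals(hash_hmac('sha256', $blob, COOKIE_KEY), $mac)) {
        return null;
    }
    $data = unserialize($blob, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Demonstration
$obj = saferLoad($untrusted);
var_dump($obj instanceof __PHP_Incomplete_Class);   // bool(true): no real object built

var_dump(jsonLoad('{"name":"alice"}'));             // array(1) { ["name"]=> "alice" }

$signed = signState(serialize(['name' => 'alice']));
var_dump(loadSignedState($signed));                 // array(1) { ["name"]=> "alice" }
var_dump(loadSignedState('deadbeef.' . base64_encode($untrusted))); // NULL: bad MAC
```

Of the three, the JSON or signed-cookie route is what removes the attack surface the article exploited: an unserialize call that never sees attacker-chosen bytes cannot be driven into the unserializer's or the garbage collector's corner cases.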



Unfortunately, it was difficult for us to gather any information about Pornhub’s used frameworks and PHP objects in general. Multiple classes from common frameworks were tested, all without success. The core unserializer alone is relatively complex, as it involves more than 1200 lines of code in PHP 5.6. Further, many internal PHP classes have their own unserialize methods. By supporting structures like objects, arrays, integers, strings or even references it is no surprise that PHP’s track record shows a tendency for bugs and memory corruption vulnerabilities. Unfortunately, there were no known vulnerabilities of such type for newer PHP versions like PHP 5.6 or PHP 7, especially because unserialize already got a lot of attention in the past (e.g. phpcodz). Hence, auditing it can be compared to squeezing an already tightly squeezed lemon. Finally, after so much attention and so many security fixes its vulnerability potential should have been drained out and it should be secure, shouldn’t it? To find an answer Dario implemented a fuzzer crafted specifically for fuzzing serialized strings which were passed to unserialize.



Running the fuzzer with PHP 7 immediately led to unexpected behavior. This behavior was not reproducible when tested against Pornhub’s server, though. Thus, we assumed a PHP 5 version. However, running the fuzzer against a newer version of PHP 5 just generated more than 1 TB of logs without any success. Eventually, after putting more and more effort into fuzzing we stumbled upon unexpected behavior again. Several questions had to be answered: is the problem security related? If so, can we only exploit it locally or also remotely? To further complicate this situation the fuzzer did generate non-printable data blobs with sizes of more than 200 KB. An incredible amount of time was necessary to analyze potential issues. After all, we could extract a concise proof of concept of a working memory corruption bug: a so-called use-after-free vulnerability! Upon further investigation we discovered that the root cause could be found in PHP’s garbage collection algorithm, a component of PHP that is completely unrelated to unserialize.



However, the interaction of both components occurred only after unserialize had finished its job. Consequently, it was not well suited for remote exploitation. After further analysis, gaining a deeper understanding of the problem’s root causes and a lot of hard work, a similar use-after-free vulnerability was found that seemed to be promising for remote exploitation. The high sophistication of the found PHP bugs and their discovery made it necessary to write separate articles. You can read more details in Dario’s fuzzing unserialize write-up. In addition, we have written an article about Breaking PHP’s Garbage Collection and Unserialize. Even this promising use-after-free vulnerability was considerably difficult to exploit. In particular, it involved multiple exploitation stages.

1. The stack and heap (which also include any potential user input) as well as any other writable segments are flagged non-executable (c.f.

2. Even if you are able to control the instruction pointer you need to know what you want to execute, i.e. you need to have a valid address of an executable memory segment.

