We've found two use-after-free vulnerabilities in PHP’s rubbish collection algorithm. Those vulnerabilities were remotely exploitable over PHP’s unserialize perform. We had been also awarded with $2,000 by the Internet Bug Bounty committee (c.f. Many thanks go out to cutz for co-authoring this article. Pornhub’s bug bounty program and its relatively excessive rewards on Hackerone caught our attention. That’s why we now have taken the perspective of a complicated attacker with the total intent to get as deep as attainable into the system, focusing on one important objective: gaining remote code execution capabilities. Thus, we left no stone unturned and attacked what Pornhub is built upon: PHP. After analyzing the platform we shortly detected the utilization of unserialize on the website. In all cases a parameter named "cookie" acquired unserialized from Post information and afterwards mirrored via Set-Cookie headers. Standard exploitation techniques require so called Property-Oriented-Programming (POP) that involve abusing already present courses with specifically outlined "magic methods" with the intention to trigger undesirable and malicious code paths.

Unfortunately, it was difficult for us to gather any information about Pornhub’s used frameworks and PHP objects generally. Multiple classes from frequent frameworks have been tested - all with out success. The core unserializer alone is relatively complicated because it entails more than 1200 strains of code in PHP 5.6. Further, many inside PHP lessons have their own unserialize methods. By supporting constructions like objects, arrays, integers, strings and even references it is no surprise that PHP’s observe report exhibits a tendency for bugs and memory corruption vulnerabilities. Sadly, there were no identified vulnerabilities of such kind for newer PHP versions like PHP 5.6 or PHP 7, particularly because unserialize already acquired numerous consideration prior to now (e.g. phpcodz). Hence, auditing it can be in comparison with squeezing an already tightly squeezed lemon. Finally, xhamster after a lot attention and so many safety fixes its vulnerability potential should have been drained out and it must be secure, shouldn’t it? To seek out a solution Dario carried out a fuzzer crafted specifically for fuzzing serialized strings which have been passed to unserialize.

Running the fuzzer with PHP 7 instantly result in unexpected conduct. This conduct was not reproducible when examined in opposition to Pornhub’s server though. Thus, we assumed a PHP 5 model. However, working the fuzzer in opposition to a newer version of PHP 5 simply generated more than 1 TB of logs with none success. Eventually, after placing more and more effort into fuzzing we’ve stumbled upon unexpected conduct once more. Several questions had to be answered: is the problem security associated? If that's the case can we solely exploit it domestically or also remotely? To additional complicate this situation the fuzzer did generate non-printable data blobs with sizes of greater than 200 KB. A tremendous amount of time was obligatory to analyze potential issues. After all, we might extract a concise proof of idea of a working memory corruption bug - a so known as use-after-free vulnerability! Upon further investigation we found that the foundation trigger might be present in PHP’s rubbish collection algorithm, a element of PHP that is completely unrelated to unserialize.

However, the interplay of both components occurred solely after unserialize had finished its job. Consequently, it was not well suited for remote exploitation. After additional analysis, gaining a deeper understanding for the problem’s root causes and numerous onerous work an analogous use-after-free vulnerability was discovered that appeared to be promising for remote exploitation. The high sophistication of the found PHP bugs and their discovery made it vital to write separate articles. You'll be able to learn extra particulars in Dario’s fuzzing unserialize write-up. As well as, we have written an article about Breaking PHP’s Garbage Collection and Unserialize. Even this promising use-after-free vulnerability was significantly tough to use. In particular, it concerned a number of exploitation stages. 1. The stack and heap (which additionally embody any potential person-enter) in addition to another writable segments are flagged non-executable (c.f. 2. Even in case you are in a position to regulate the instruction pointer it's worthwhile to know what you need to execute i.e. you should have a valid address of an executable memory section.