How we Broke PHP, Hacked Pornhub and Earned $20,000

We have found two use-after-free vulnerabilities in PHP’s rubbish collection algorithm. Those vulnerabilities have been remotely exploitable over PHP’s unserialize function. We have been additionally awarded with $2,000 by the Internet Bug Bounty committee (c.f. Many thanks go out to cutz for co-authoring this article. Pornhub’s bug bounty program and its relatively excessive rewards on Hackerone caught our consideration. That’s why we have taken the angle of a sophisticated attacker with the complete intent to get as deep as doable into the system, specializing in one primary purpose: gaining remote code execution capabilities. Thus, we left no stone unturned and attacked what Pornhub is built upon: PHP. After analyzing the platform we shortly detected the usage of unserialize on the website. In all instances a parameter named "cookie" bought unserialized from Post knowledge and afterwards mirrored via Set-Cookie headers. Standard exploitation techniques require so called Property-Oriented-Programming (POP) that contain abusing already present courses with specifically outlined "magic methods" with the intention to trigger undesirable and malicious code paths.

Unfortunately, it was troublesome for us to gather any details about Pornhub’s used frameworks and PHP objects on the whole. Multiple lessons from frequent frameworks have been tested - all without success. The core unserializer alone is comparatively complicated because it includes greater than 1200 lines of code in PHP 5.6. Further, many internal PHP lessons have their very own unserialize methods. By supporting constructions like objects, arrays, integers, strings and even references it is not any shock that PHP’s observe file reveals a tendency for bugs and memory corruption vulnerabilities. Sadly, there have been no recognized vulnerabilities of such kind for newer PHP variations like PHP 5.6 or PHP 7, particularly because unserialize already received plenty of consideration up to now (e.g. phpcodz). Hence, auditing it can be in comparison with squeezing an already tightly squeezed lemon. Finally, after so much consideration and so many safety fixes its vulnerability potential should have been drained out and it should be safe, shouldn’t it? To find a solution Dario carried out a fuzzer crafted specifically for fuzzing serialized strings which had been handed to unserialize.

Running the fuzzer with PHP 7 instantly lead to unexpected behavior. This habits was not reproducible when tested in opposition to Pornhub’s server although. Thus, we assumed a PHP 5 model. However, operating the fuzzer towards a newer model of PHP 5 just generated more than 1 TB of logs with none success. Eventually, after placing increasingly more effort into fuzzing we’ve stumbled upon unexpected conduct once more. Several questions needed to be answered: is the difficulty safety related? If that's the case can we solely exploit it locally or additionally remotely? To further complicate this case the fuzzer did generate non-printable data blobs with sizes of greater than 200 KB. An incredible period of time was necessary to analyze potential issues. After all, we might extract a concise proof of concept of a working memory corruption bug - a so called use-after-free vulnerability! Upon additional investigation we found that the root trigger could possibly be present in PHP’s garbage assortment algorithm, a part of PHP that is completely unrelated to unserialize.

However, the interplay of both elements occurred solely after unserialize had finished its job. Consequently, it was not well suited for distant exploitation. After additional evaluation, gaining a deeper understanding for the problem’s root causes and a number of onerous work the same use-after-free vulnerability was discovered that seemed to be promising for remote exploitation. The high sophistication of the discovered PHP bugs and their discovery made it vital to write down separate articles. You can read extra particulars in Dario’s fuzzing unserialize write-up. As well as, we have written an article about Breaking PHP’s Garbage Collection and Unserialize. Even this promising use-after-free vulnerability was significantly tough to exploit. Specifically, it concerned multiple exploitation levels. 1. The stack and heap (which additionally embody any potential person-input) in addition to any other writable segments are flagged non-executable (c.f. 2. Even in case you are able to control the instruction pointer you could know what you want to execute i.e. it is advisable have a sound deal with of an executable reminiscence section.