Security
Exploiting PHP7 unserialize
teaching a new dog old tricks
PHP-7 is a new version of the most prevalent server-side language in use today. Like previous version, this version is also vulnerable to memory corruptions.
However, the language has gone through extensive changes and none of previous exploitation techniques are relevant.
In this talk, we explore the new memory internals of the language from exploiters and vulnerability researchers point of view. We will explain newly found vulnerabilities in the 'unserialize' mechanism of the language and present re-usable primitives for remote exploitation of these vulnerabilities.
PHP is the most prominent web server-side language used today. Although secure coding practices are used when developing in PHP, they can’t mitigate vulnerabilities in the language itself. Since PHP is written in C, it is exposed to vulnerabilities found in projects written in a low-level language, such as memory-corruption vulnerabilities, which are common when manipulating data formats. PHP-7 is a new implementation of the language, and while memory corruption bugs exist in this version as well, none of the exploitation primitives from the previous version are working (e.g. @i0n1c presentation from BH2010).
In this talk, I will discuss the memory internals of PHP7 from exploiter and vulnerability researcher's perspective, explain newly found vulnerabilities in the unserialize mechanism and demonstrate how to exploit this class of bugs in PHP-7 presenting re-usable primitives.
The internals of the language implementation changed quite dramatically, and now it’s harder to find and exploit memory corruption bugs. The new zval system prefers embedding over pointing to members and the allocation mechanism has gone through a complete re-write, removing metadata. The overall result is less primitives and less control over crafted data. unserialize is a data manipulation and object instantiation mechanism in PHP which is prone to memory corruption vulnerabilities. For the first time, we have managed to implement a remote exploit of a real world bug in PHP-7unserialize mechanism.
Additional information
| Type | lecture |
|---|---|
| Language | English |
More sessions
| 12/27/16 |
Certificate transparency - what is it, and what can be done with it?
|
| 12/27/16 |
Hardware is often considered as an abstract layer that behaves correctly, just executing instructions and outputting a result. However, the internal state of the hardware leaks information about the programs that are executing. In this talk, we focus on how to extract information from the execution of simple x86 instructions that do not require any privileges. Beyond classical cache-based side-channel attacks, we demonstrate how to perform cache attacks without a single memory access, as well as ...
|
| 12/27/16 |
Follow the steps taken to crack a conditional access and scrambling system used in millions of TV set-top-boxes across North America. From circuit board to chemical decapsulation, optical ROM extraction, glitching, and reverse engineering custom hardware cryptographic features. This talk describes the techniques used to breach the security of satellite and cable TV systems that have remained secure after 15+ years in use.
|
| 12/27/16 |
Heads is an open source custom firmware and OS configuration for laptops and servers that aims to provide slightly better physical security and protection for data on the system. Unlike Tails, which aims to be a stateless OS that leaves no trace on the computer of its presence, Heads is intended for the case where you need to store data and state on the computer. It targets specific models of commodity hardware and takes advantage of lessons learned from several years of vulnerability research. ...
|
| 12/27/16 |
We analyze the generation and management of WPA2 group keys. These keys protect broadcast and multicast Wi-Fi traffic. We discovered several issues and illustrate their importance by decrypting all group (and unicast) traffic of a typical Wi-Fi network.
|
| 12/27/16 |
We present DROWN, a novel cross-protocol attack on TLS that uses a server supporting SSLv2 as an oracle to decrypt modern TLS connections. Using Internet-wide scans, we find that 33% of all HTTPS servers are vulnerable to this protocol-level attack.
|
| 12/27/16 |
FinTechs increasingly cut the ground from under long-established banks’ feet. With a "Mobile First" strategy, many set their sights on bringing all financial tasks—checking the account balance, making transactions, arranging investments, and ordering an overdraft—on your smartphone. In a business area that was once entirely committed to security, Fintechs make a hip design and outstanding user experience their one and only priority. Even though this strategy is rewarded by rapidly ...
|
