How we broke PHP, hacked Pornhub and earned $20k

327 points| KngFant | 9 years ago |evonide.com | reply

104 comments

[+] krapp|9 years ago|reply
The takeaway:

    You should never use user input on unserialize. Assuming that 
    using an up-to-date PHP version is enough to protect 
    unserialize in such scenarios is a bad idea. Avoid it or use 
    less complex serialization methods like JSON.
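The quoted takeaway in working form, as an added example that is not from the article or this thread: why unserialize() on untrusted bytes is an object-injection problem regardless of the PHP version, what the allowed_classes option does and does not buy you, and the data-only alternative. The CacheEntry class and the serialized cookie value are constructed for illustration.

```php
<?php
// Added example (hypothetical class and input), not code from the article.
// Any class the application has loaded becomes reachable through unserialize():
// the caller never writes "new CacheEntry", the input decides which class is
// built and what its properties hold, and __wakeup() runs during parsing.
class CacheEntry {
    public string $path = '/tmp/cache.bin';

    public function __wakeup(): void {
        // Runs with an attacker-controlled $this->path before the app sees the object.
        echo "__wakeup() fired for CacheEntry, path={$this->path}\n";
    }
}

// Constructed input: a cookie the application expected to contain a plain array.
$untrusted = 'O:10:"CacheEntry":1:{s:4:"path";s:14:"/tmp/other.bin";}';

// 1. Unsafe: object injection, the magic method fires while the string is parsed.
$obj = unserialize($untrusted);
echo 'unsafe result is CacheEntry: ', var_export($obj instanceof CacheEntry, true), "\n";

// 2. Mitigation when unserialize() cannot be removed (PHP >= 7.0): refuse all classes.
//    Unknown objects become __PHP_Incomplete_Class and no __wakeup()/__destruct() runs.
//    Attacker-controlled bytes still go through the serialization parser, which is
//    exactly the component the article's bug lived in, so this only closes one door.
$guarded = unserialize($untrusted, ['allowed_classes' => false]);
echo 'guarded result is incomplete class: ',
     var_export($guarded instanceof __PHP_Incomplete_Class, true), "\n";

// 3. Preferred: a data-only format with no class or callback hooks at all.
$data = json_decode('{"path":"/tmp/other.bin"}', true, 512, JSON_THROW_ON_ERROR);
echo 'json result is plain array: ', var_export(is_array($data), true), "\n";
```

Step 2 stops the object-injection class of bugs; only step 3 removes the serialization parser from the attack surface the way the takeaway recommends.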
[+] segmondy|9 years ago|reply
Actually, the takeaway is not that "you should never use user input on unserialize." It is that you should NEVER TRUST USER INPUT. This rule is as old as computing itself, and trust of user input has always been the beginning of a security vulnerability. You need user input, you will use user input, but you must understand how it's used and filter and strip away everything that is not needed.
[+] tom_devref|9 years ago|reply
An actionable takeaway is to disable eval in php.ini. Not always practical, but I doubt everyone needs it.
[+] ckdarby|9 years ago|reply
That moment when the company you work at is on the front page of Hacker News xD
[+] khoury|9 years ago|reply
Seriously, please do an AMA. As a developer, I am very curious about what it feels like working for a company like that :)
[+] nitrix|9 years ago|reply
I feel you and I know each others ;)
[+] watbe|9 years ago|reply
This is an elaborate hack and a very detailed writeup. Thanks for sharing.
[+] ndesaulniers|9 years ago|reply
> Using a locally compiled version of PHP we scanned for good candidates for stack pivoting gadgets

Surprised that worked. Guess they got lucky and either got the compiler+optimization flags the same as the PHP binary used, or the release process can create highly similar builds.

[+] chatmasta|9 years ago|reply
They mention that PH had a custom compiled PHP and that's why they couldn't get the address of the function they wanted to call for evaluating code.

My understanding is that ROP gadgets are a separate issue. Basically you want to find a function that compiles to assembly instructions resembling the ones you need to move the stack pointer to your desired location. Testing this locally shouldn't be a problem, because functions across builds will compile to the same assembly instructions (even if their headers have different load addresses).

Again, that's my understanding - I have a very vague grasp of this stuff.

[+] aprdm|9 years ago|reply
Really good write up. Some people are really smart, I wouldn't ever be able to do that kind of stuff even after being programming for years.
[+] i_am_cam|9 years ago|reply
As well as being good, they'll also be very experienced. What you're seeing in that post is specialised knowledge, likely built up over many years. We can't all know everything, as much as we'd like to!
[+] tjallingt|9 years ago|reply
I have some questions about two things in the exploit code that puzzled me:

  my $php_code = 'eval(\'
     header("X-Accel-Buffering: no");
     header("Content-Encoding: none");
     header("Connection: close");
     error_reporting(0);
     echo file_get_contents("/etc/passwd");
     ob_end_flush();
     ob_flush();
     flush();
  \');';
1. They seem to be using PHP to code the exploit (solely based on the $ before the variable name), but I've never seen the 'my' keyword before. What exactly is this language?

2. If I understand the exploit correctly, they got remote code execution by finding the pointer to 'zend_eval_string' and then feeding the above code into it. Doesn't that mean the use of 'eval' in the code that is being executed is unnecessary?

[+] Xeago|9 years ago|reply
Looks like Perl, seeing the `my`.
[+] cloudjacker|9 years ago|reply
wow

From a legal perspective how do companies and hackerone create a binding exemption from laws used to prosecute hackers?

[+] celticninja|9 years ago|reply
Pornhub has active bug bounties. In general you have to sign up to abide by the rules, which generally say how far you can take an exploit, i.e. prove it works but don't fuck with the actual data just to show you can. Your exploit would show that you could, and that's what they want you to do.
[+] Buge|9 years ago|reply
In the US the law is against unauthorized access. If a company agrees to let people try to hack their stuff, then the access is authorized and legal.
[+] ihsw|9 years ago|reply
> binding exception

Two words -- honor code. Rock the boat and you will find yourself in an unpleasant situation, so instead everybody does good work and nobody asks too many questions.

[+] corobo|9 years ago|reply
If they prosecute a white hat there will only be black hats left. It's not a legal perspective but it keeps the honour code working.
[+] fencepost|9 years ago|reply
So does Pornhub's bug bounty program include some number of years of free paid membership along with financial bounties? Kind of a "treat us right and we'll let you treat yourself right" kind of thing?
[+] seanp2k2|9 years ago|reply
If you know enough to be able to pull off hacks like this, you surely know enough to get more of this kind of thing than you'd have time to watch in 10 lifetimes. I doubt that such a "reward" would be very appealing to those who participate in the bug bounty program, and it'd honestly be a sleazy business proposition, which would harm the professionalism of operating a successful bug bounty program. And yes, I'm completely serious.
[+] given|9 years ago|reply
Too bad they didn't just go ahead and:

> Dump the complete database of pornhub.com including all sensitive user information.

And of course leak the data to expose everyone that participates in this nasty business. It is such a sad thing that people are even proud to work at companies like this where humans are not worth more than a big dick or boobs.

And then you get around and say that child porn is so horrible. No, all porn is horrible and destroys our families and integrity. How can there be any dignity left if these things are held to be something good?

[+] Annatar|9 years ago|reply
Righteous much? The most insidious prison one could ever be put into is the arbitrary restriction in one's own mind. Luckily for the rest of us, we are in the 21st century and most people are educated enough to not believe in nonsense like witches any more. Pornography is heading in the same direction, people are finally starting to realize that sexuality is part of one's natural self. When you consider that each of us was born with a dick or tits, there is nothing wrong by accepting that and getting turned on by appreciating the aesthetics of it. It has been done since antiquity and even before that, and then we regressed into the dark ages of morality. At the very least, it is biology. Science? Yes please!