PHP flaws allowed God mode access to top smut site

Twin zero days could have seen pr0n users personal stuff sprayed all over the web

A trio of hackers have gained remote code execution powers on servers used by adult entertainment outlet Pornhub, using a complex hack that revealed twin zero-day flaws in PHP.

Google sofware intern and security boffin Ruslan Habalov (@evonide) detailed the Return Orientated Programming hack in detailed debriefing explaining how he and fellow hackers @_cutz and Dario Weißer @haxonaut gained access to the entire Pornhub database including sensitive user information.

Pornhub paid US$20,000 (£15235, A$26,814) for the effort, and the Internet Bug Bounty threw in an additional US$2000 (£1523, A$2681) for the PHP zero-days.

The research team says exploitation was complex, requiring multiple stages, which granted a "nice view of Pornhub’s /etc/passwd file, the ability to execute other commands, and to break out of PHP to run arbitrary syscalls. We were able to find two zero day vulnerabilities in PHP’s garbage collection algorithm," the team says.

"Those vulnerabilities, although being in a very different PHP context, could be reliably and remotely exploited in an unserialize context, too.

"You should never use user input on unserialize. Assuming that an up-to-date PHP version is enough to protect unserialize in such scenarios is a bad idea [so] avoid it or use less complex serialization methods like JSON."

The team could have dropped all Pornhub data including user information, track users and observe behaviour, leak all source code of co-hosted sites, gain root privileges, and pivot deeper into the network.

The research team says Pornhub was "very polite", competent, and generous.

The identified flaws are patched in PHP versions five and seven released last month. ®

Other stories you might like

Biting the hand that feeds IT © 1998–2022