A PHP vulnerability that exposed adult website PornHub’s user data to hackers and allowed code execution on the servers hosting the site earned a trio of German researchers $22,000 through the site’s bug bounty program.
PHP patched the vulnerability in June. The flaw is a use-after-free memory corruption bug that occurs when PHP’s garbage collection algorithm interacts with objects produced by unserialize. At the least, the resulting memory disclosure would allow a third party to track user interaction with PornHub.
But the far more serious aspect of the bug allowed attackers to execute code on the servers, which would let intruders do anything from downloading to deleting the entire PornHub website, according to Ruslan Habalov, a computer science student at RWTH-Aachen University in Germany and one of the three researchers who discovered the bug.
The stakes were extremely high for PornHub, which claims to receive 60 million visitors a day. Given that volume of traffic and its large number of registered users, the flaw could have led to a very embarrassing breach.
The three researchers earned a $20,000 bounty from PornHub and an additional $2,000 from the Internet Bug Bounty committee. Both bounties were paid through the HackerOne bug bounty program. The bug was reported on May 30, just weeks after PornHub kicked off its bug bounty program.
What made the bug unique, Habalov said, was that it tied two seemingly unrelated parts of PHP together to create the vulnerability. PornHub was passing user-supplied data to PHP’s unserialize function, and the memory corruption surfaced only when the objects unserialize produced were later handled by PHP’s garbage collection algorithm.
Technically the two issues, the unserialize-related bug (CVE-2016-5771) and the garbage-collector use-after-free (CVE-2016-5773), were separate, and the Internet Bug Bounty paid the researchers $1,000 for each. Both vulnerabilities had to be present for code execution to be possible on PornHub’s servers.
“We discovered that the root cause could be found in PHP’s garbage collection algorithm, a component of PHP that is completely unrelated to unserialize. However, the interaction of both components occurred only after unserialize had finished its job. Consequently, it was not well suited for remote exploitation,” wrote Habalov in a technical write-up of the bug.
After further analysis, the researchers found a similar use-after-free vulnerability in the garbage collection algorithm that could be triggered remotely. “This bug was extremely hard to find. After exploring the root causes of the data leakage we found the use-after-free vulnerability that was ripe for remote exploitation,” Habalov said.
With that use-after-free, the researchers could control what lands in freed memory and turn it into a primitive for reading arbitrary memory and, from there, executing code. “As soon as you’re able to fill freed memory that later on gets reused as an internal PHP variable — so called zvals — you can generate vectors that allow reading from arbitrary memory as well as triggering code execution,” wrote Habalov.
The flaw allowed an attacker to track user behavior on the site, download the source code of every site hosted on PornHub’s servers, reach the backend network and, from there, gain root access to the system, according to the researchers.
“It is well-known that using user input on unserialize is a bad idea. In particular, about 10 years have passed since its first weaknesses became apparent. Unfortunately, even today, many developers seem to believe that unserialize is only dangerous in old PHP versions or when combined with unsafe classes. We sincerely hope to have destroyed this misbelief,” Habalov said.
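To make the warning above concrete, here is an added example (not PornHub’s code and not the researchers’ proof of concept) showing the pattern Habalov describes beside a replacement that keeps untrusted bytes away from unserialize entirely. The cookie name, the HMAC key and the preferences payload are assumed for illustration; the code targets PHP 7.3 or later.

```php
<?php
// Added example, not code from PornHub or the researchers. Cookie name, key
// and payload shape are assumptions made for illustration.

// Vulnerable: attacker-controlled bytes go straight into the PHP parser that
// carried the garbage-collector use-after-free bugs. Whether or not any
// gadget class is loaded, the attacker reaches the vulnerable code path.
function load_prefs_unsafe(array $cookies)
{
    return unserialize($cookies['prefs'] ?? 'a:0:{}');
}

// Still risky: allowed_classes (PHP 7.0+) blocks object injection, but the
// bytes are still parsed by unserialize(), so a memory-corruption bug in the
// parser or in how its output is later garbage-collected is not mitigated.
function load_prefs_no_classes(array $cookies)
{
    return unserialize($cookies['prefs'] ?? 'a:0:{}', ['allowed_classes' => false]);
}

// Hardened: encode client-side state as JSON and authenticate it with an
// HMAC so only server-issued values are ever decoded. unserialize() is never
// called on anything the client sent.
const PREFS_KEY = 'assumed-secret-loaded-from-config-not-hardcoded';

function issue_prefs(array $prefs): string
{
    $body = json_encode($prefs, JSON_THROW_ON_ERROR);
    $mac  = hash_hmac('sha256', $body, PREFS_KEY);
    return base64_encode($body) . '.' . $mac;
}

function load_prefs_safe(array $cookies): array
{
    $raw = $cookies['prefs'] ?? '';
    if (substr_count($raw, '.') !== 1) {
        return [];                       // not in the issued "body.mac" shape
    }
    [$b64, $mac] = explode('.', $raw, 2);
    $body = base64_decode($b64, true);   // strict decoding rejects stray bytes
    if ($body === false || !hash_equals(hash_hmac('sha256', $body, PREFS_KEY), $mac)) {
        return [];                       // forged or corrupted cookie: ignore it
    }
    // Shallow depth limit: preferences never need deep nesting.
    $prefs = json_decode($body, true, 8, JSON_THROW_ON_ERROR);
    return is_array($prefs) ? $prefs : [];
}

// Usage with a constructed cookie jar (sample data, not real traffic).
$cookie = issue_prefs(['theme' => 'dark', 'per_page' => 50]);
var_dump(load_prefs_safe(['prefs' => $cookie]));                // the two prefs
var_dump(load_prefs_safe(['prefs' => 'O:8:"stdClass":0:{}'])); // empty array
```

The point of the middle function is the one the researchers make: restricting classes closes the well-known object-injection route, but it still hands attacker-controlled bytes to the same parser whose output triggered the garbage-collector use-after-free, so it would not have protected a site in PornHub’s position. Only the last form removes unserialize from the attack surface.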
Once alerted to the bug, PornHub removed the unserialize call within hours and applied the PHP patch in June. The researchers stopped at a proof of concept rather than exploiting the access further: they planted a text document on PornHub’s servers reading “Greetings from HackerOne” and then alerted the site’s administrators to their find.