Exploiting PHP7 unserialize
PHP is the most prominent web server-side language used today. Although secure coding practices are used when developing in PHP, they can’t mitigate vulnerabilities in the language itself. Since PHP is written in C, it is exposed to vulnerabilities found in projects written in a low-level language, such as memory-corruption vulnerabilities, which are common when manipulating data formats. PHP-7 is a new implementation of the language, and while memory corruption bugs exist in this version as well, none of the exploitation primitives from the previous version are working (e.g. @i0n1c presentation from BH2010). In this talk, I will discuss the memory internals of PHP7 from exploiter and vulnerability researcher's perspective, explain newly found vulnerabilities in the unserialize mechanism and demonstrate how to exploit this class of bugs in PHP-7 presenting re-usable primitives. The internals of the language implementation changed quite dramatically, and now it’s harder to find and exploit memory corruption bugs. The new zval system prefers embedding over pointing to members and the allocation mechanism has gone through a complete re-write, removing metadata. The overall result is less primitives and less control over crafted data. unserialize is a data manipulation and object instantiation mechanism in PHP which is prone to memory corruption vulnerabilities. For the first time, we have managed to implement a remote exploit of a real world bug in PHP-7unserialize mechanism.