Presentation topic:
PHPWN: Generic remote exploit techniques for the PHP allocator, and 0days
Presentation description:
Although PHP has always been deemed insecure, finding and remotely exploiting binary bugs in its core is not a well-documented subject.
Through this talk, I will aim to (partially, at least) solve this problem, by describing the internals of the PHP allocator and unraveling reusable, generic exploitation techniques for PHP’s heap. I’ll illustrate these techniques through the exploitation of two remote code execution 0-days targeting PHP.
The viewer will learn:
– The internal allocation mechanisms of PHP
– Completely new, generic exploit techniques for this allocator
Furthermore, two zero-days in database-related PHP functions will be revealed, one of which allows for pre-auth RCE on utilities such as Adminer or PhpMyAdmin (under certain configurations).
Describing PHP’s heap
– Charles will describe, in detail, the behavior of PHP’s heap and the internal representation of PHP variables.
– Charles will describe the pros and cons a remote attacker faces when exploiting PHP, including the standard mitigations (ASLR, PIE), but also PHP-specific limitations.