On 18 June 2010 Stefan Esser will present his PHP memory corruption exploitation talk at SyScan Singapore ‘10. The talk is about returning into the PHP interpreter from a remotely triggered memory corruption vulnerability in PHP. The vulnerability discussed will not be disclosed to the public during the Month of PHP Security.
Returning into the PHP Interpreter
Remote Exploitation of Memory Corruptions in PHP is not over yet.
Among web application security experts there is a popular belief that low-level vulnerabilities like buffer overflows and other kinds of memory corruption do not matter for web application security. In addition, the increasing use of exploit mitigation techniques on modern web servers makes many believe that exploiting remote memory corruptions in web server software is over. But is it really?
This talk will introduce the idea of returning into the PHP interpreter from memory corruption vulnerabilities and discuss the requirements and feasibility of different ways to do so. This idea will then be applied to a yet undisclosed PHP vulnerability, which is exposed to remote attackers in several widespread PHP applications. Different aspects of this vulnerability will be analyzed, and it will be explained how they can be abused in remote information leak and memory corruption exploits. The creation of such a remote code execution exploit will then be detailed step by step.