State Of The Art Post Exploitation In Hardened Php Environments presented at SyScan 2009

by Stefan Esser

Tags: Security Exploitation

Summary: When an attacker manages to execute arbitrary PHP code in a web application, he nowadays often ends up in a hardened PHP environment that not only makes use of PHP's internal protections such as safe_mode, open_basedir or disable_functions, but also relies on Suhosin and on operating-system, filesystem or libc-level security mechanisms such as ASLR, NX, hardened memory managers or Unix file permissions. In such a situation, taking over the server becomes a challenge and requires PHP shellcode that is able to use local PHP exploits to get around these protections. This talk will show the problems that the different protection mechanisms pose for PHP shellcode, will give an insight into the internal memory structures of PHP that are required to write stable local exploits, and will demonstrate how a special class of vulnerabilities in PHP, which also exists in standard functions, enables PHP shellcode to get around most of these protections.