Presented at
DEF CON 32 (2024),
Aug. 10, 2024, 5:30 p.m.
(45 minutes).
Upon its discovery, CVE-2024-2961, a very old buffer overflow in the glibc, seemed like a terrible bug. Within the prism of the PHP engine, however, the vulnerability shone, and provided both a new remote code execution vector and a few 0-days.
This talk will first walk you through the discovery of the bug and its limitations, before describing the conception of remote binary PHP exploits using this bug, and through them offer unique insight in the internal of the engine of the web language, and the difficulties one faces when exploiting it.
After this, it will reveal the impact on PHP's ecosystem, from well-known functions to unsuspected sinks, by showcasing the vulnerability on several popular libraries and applications.
Presenters:
-
Charles "cfreal" Fol
- Security Researcher at LEXFO / AMBIONICS
Charles Fol, also known as cfreal, is a security researcher at LEXFO / AMBIONICS. He has discovered remote code execution vulnerabilities targeting renowned CMS and frameworks such as Drupal, Magento, Symfony or Laravel, but also enjoys binary exploitation, to escalate privileges (Apache, PHP-FPM) or compromise security solutions (DataDog’s Sqreen, Fortinet SSL VPN, Watchguard). He is the creator for PHPGGC, the go-to tool to exploit PHP deserialization, and an expert in PHP internals.
Similar Presentations: