Charles Fol

Iconv, Set the Charset to RCE: Exploiting the Glibc To Hack the PHP Engine

Abstract

A few months ago, I stumbled upon a 24-year-old buffer overflow in the glibc. Despite being reachable in multiple well-known libraries or programs, it proved rarely exploitable. Indeed, this was not a foos bug: with hard-to-achieve preconditions, it did not even provide a nice primitive. On PHP, however, it led to amazing results: a new exploitation technique that affects the whole PHP ecosystem, and the compromise of several applications.

This talk will first walk you through the discovery of the bug and its limitations, before describing the conception of several remote binary PHP exploits, and through them offer unique insight into the internals of the engine of the web language, and the difficulties one faces when exploiting it.

BIO

Charles Fol, also known as cfreal, is a security researcher at LEXFO / AMBIONICS. He has discovered remote code execution vulnerabilities targeting renowned CMS and frameworks such as Drupal, Magento, Symfony or Laravel, but also enjoys binary exploitation, to escalate privileges (Apache, PHP-FPM) or compromise security solutions (DataDog's Sqreen, Fortinet SSL VPN, Watchguard). He is the creator of PHPGGC, the go-to tool to exploit PHP deserialization, and an expert in PHP internals.