Guestbook
Write a comment for this guestbook entry.
15933) IP logged  Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36 Vivaldi/5.3.2679.68
Eve  
eveblackwell(at)gmail.com
Location:
Rotterdam
Friday, 19 April 2024 19:44 IP: 168.151.229.165

We have now found two use-after-free vulnerabilities in PHP’s rubbish assortment algorithm.
Those vulnerabilities have been remotely exploitable over PHP’s unserialize perform. We were also awarded with $2,000 by the Internet Bug Bounty committee (c.f. Many thanks go out to cutz for co-authoring this article. #@*%!hub’s bug bounty program and its relatively excessive rewards on Hackerone caught our consideration. That’s why we have now taken the perspective of a sophisticated attacker with the full intent to get as deep as potential into the system, focusing on one principal objective: gaining remote code execution capabilities.

Thus, we left no stone unturned and attacked what #@*%!hub is built upon: PHP. After analyzing the platform we shortly detected the utilization of unserialize on the website. In all circumstances a parameter named "cookie" received unserialized from POST data and afterwards reflected through Set-Cookie headers.
Standard exploitation strategies require so-called Property-Oriented-Programming (POP) that involves abusing already existing classes with specifically defined "magic methods" in order to trigger unwanted and malicious code paths.
Advanced Guestbook 2.4.3