FUGIO: Automatic Exploit Generation for PHP Object Injection Vulnerabilities


Sunnyeo Park and Daejun Kim, KAIST; Suman Jana, Columbia University; Sooel Son, KAIST


A PHP object injection (POI) vulnerability is a security-critical bug that allows the remote code execution of class methods existing in a vulnerable PHP application. Exploiting this vulnerability often requires sophisticated property-oriented programming to shape an injection object. Existing off-the-shelf tools focus only on identifying potential POI vulnerabilities without confirming the presence of any exploit objects. To this end, we propose FUGIO, the first automatic exploit generation (AEG) tool for POI vulnerabilities. FUGIO conducts coarse-grained static and dynamic program analyses to generate a list of gadget chains that serve as blueprints for exploit objects. FUGIO then runs fuzzing campaigns using these identified chains and produces exploit objects. FUGIO generated 68 exploit objects from 30 applications containing known POI vulnerabilities with zero false positives. FUGIO also found two previously unreported POI vulnerabilities with five exploits, demonstrating its efficacy in generating functional exploits.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {277214,
author = {Sunnyeo Park and Daejun Kim and Suman Jana and Sooel Son},
title = {{FUGIO}: Automatic Exploit Generation for {PHP} Object Injection Vulnerabilities},
booktitle = {31st USENIX Security Symposium (USENIX Security 22)},
year = {2022},
isbn = {978-1-939133-31-1},
address = {Boston, MA},
pages = {197--214},
url = {https://www.usenix.org/conference/usenixsecurity22/presentation/park-sunnyeo},
publisher = {USENIX Association},
month = aug

Presentation Video