C3Subtitles: 31c3: The Perl Jam: Exploiting a 20 Year-old Vulnerability
back

The Perl Jam: Exploiting a 20 Year-old Vulnerability

If you suspend your transcription on amara.org, please add a timestamp below to indicate how far you progressed! This will help others to resume your work!

Please do not press “publish” on amara.org to save your progress, use “save draft” instead. Only press “publish” when you're done with quality control.

Video duration
00:29:00
Language
English
Abstract
tl;dr EXPLOIT ALL THE PERL.
We chained several of Perl’s ridiculous syntax quirks in order to create a surprisingly powerful attack, bringing down some of the most popular Perl-based projects in the world to their knees. Brace yourselves, RCE exploits are coming.

Deemed ‘the write-only programming language’ by many, Perl has well-served its purpose as a successful subject for less successful programmer jokes. It’s self-obfuscating ‘TMTOWTDI’ syntax is one of the top reasons for sysadmin PTSD, nervous breakdowns, and marriage problems.

Sadly, it is 2014 and Perl still maintains a top-10 position in programming language popularity indexes – sometimes higher than JavaScript. This can be attributed to the fact it is the underlying platform running many applications still widespread today such as ‘cPanel’ or ‘Bugzilla’, as well as high-profile web sites such as Craigslist, IMDb, Slashdot, DuckDuckGo and TicketMaster, among others.

This talk will spawn a wormhole 20 years into the past, and dive into some of the more hazardous and fundamental language quirks (WAT-style), walking the audience through the discovery of vulnerable core modules and the implementation of a new exploitation technique (branding and logo included!). Using this technique, we unleash a Pandora’s box of exploits to vulnerabilities hidden under the surface for years, in some of the most popular Perl-based projects in the world. Hilarity ensuance guaranteed.

Talk ID
6243
Event:
31c3
Day
3
Room
Saal 1
Start
10 p.m.
Duration
00:30:00
Track
Security & Hacking
Type of
lecture
Speaker
Netanel Rubin