back

The Perl Jam 2

The Camel Strikes Back

If you suspend your transcription on amara.org, please add a timestamp below to indicate how far you progressed! This will help others to resume your work!

Please do not press “publish” on amara.org to save your progress, use “save draft” instead. Only press “publish” when you're done with quality control.

Video duration
00:40:23
Language
English
Abstract
tl;dr EXPLOIT ALL THE PERL. AGAIN.
After last year’s Perl crackdown, I decided I have to take the Perl abuse to the next level. This time I focused on Perl’s core, or more specifically, the referencing mechanism, and shattered the security of most Perl CGI projects in the world.

With more WATs, more broken concepts, and more wildly popular 0-days, we will finally prove the Perl language is a broken concept, one that stood tall for way too many years.

Presenting „The Perl Jam: Exploiting a 20 Year-old Vulnerability“ at 31c3 opened a Pandora’s Box full of Perl debates and controversies. Many of these debates originated from the Perl community itself, with unforgiving arguments such as „vulnerabilities are the developer’s fault“, „RTFM“ and „I really hate the Camel abuse in the presentation“ that were mostly directed at me.

This is why I’m proud to say that this year I finally got the message: Finding vulnerabilities in core modules is not enough. I need to prove there are problems in the most fundamental aspects of the Perl language, or the Perl community will keep ignoring the language many issues.
So I did, and we are going to analyze it in a presentation filled with lolz, WATs, and 0-days, so maybe this time something will change.

Join me for a journey in which we will delve into more 0-days in Bugzilla, an RCE on everyone who follows CGI.pm documentation, and precious WTF moments with basically any other CGI module in the world, including (but not limited to) Mojolicious, Catalyst and PSGI, affecting almost every Perl based CGI application in existence.

I hope this talk will finally prove that developers are NOT the fault here, it’s the LANGUAGE, and its anti-intuitive, fail-prone ‚TMTOWTDI‘ syntax.
btw, maybe it’s time to check your $$references ;)

Talk ID
7130
Event:
32c3
Day
2
Room
Hall 1
Start
8:30 p.m.
Duration
01:00:00
Track
Security
Type of
lecture
Speaker
Netanel Rubin
Talk Slug & media link
32c3-7130-the_perl_jam_2

Talk & Speaker speed statistics

Very rough underestimation:
114.7 wpm
649.8 spm
109.3 wpm
640.0 spm
100.0% Checking done100.0%
0.0% Syncing done0.0%
0.0% Transcribing done0.0%
0.0% Nothing done yet0.0%
  

Work on this video on Amara!

Talk & Speaker speed statistics with word clouds

Whole talk:
114.7 wpm
649.8 spm
perlfilelaughterdatacodetypeslanguageinputhashesapplausescalarparameterfunctionusercgisecuretalknetaneltypearrayslistwatrequestuploadedregularhashdangerousdeveloperscgi.pmdescriptorvaluesexpectingsendargumentsignalcoursemodulescommunitycontentcreatesqlcompletelystringworkcreatedfalsenon-scalarargumentsyear6
Netanel Rubin:
109.3 wpm
640.0 spm
fileperldatacodetypeslaughterparameterinputscalarhashesapplausefunctioncgisecureusertyperegularrequestuploadedhashlistlanguagewatarraysvaluessenddescriptorargumentexpectingdangerousdeveloperscontentcreatenon-scalarcreatedsqlfalsesendingstringcgi.pmreturnscompletelytalkaudienceargumentsbuiltbugzillacasesecuritycommunity