The Perl Jam 2: The Camel Strikes Back

Presented at Black Hat Asia 2016, Unknown date/time (Unknown duration).

Presenting "The Perl Jam: Exploiting a 20 Year-old Vulnerability" at 31c3 opened a Pandora's Box full of Perl debates and controversies. Many of these debates originated from the Perl community itself, with unforgiving arguments such as "vulnerabilities are the developer's fault", "RTFM" and "I really hate the Camel abuse in the presentation" that were mostly directed at me. This is why I'm proud to say that this year I finally got the message - finding vulnerabilities in core modules is not enough. I need to prove there are problems in the most fundamental aspects of the Perl language, or the Perl community will keep ignoring the many language issues. So I did, and we are going to analyze it in a presentation filled with lolz, WATs, and 0-days, so maybe this time something will change. Join me for a journey in which we will delve into more 0-days in Bugzilla, an RCE on everyone who follows CGI.pm documentation, and precious WTF moments with basically any other CGI module in the world, including (but not limited to) Mojolicious, Catalyst and PSGI, affecting almost every Perl based CGI application in existence. I hope this talk will finally prove that developers are NOT the fault here, it's the LANGUAGE, and its anti-intuitive, fail-prone 'TMTOWTDI' syntax. Btw, maybe it's time to check your $$references ;)


Presenters:

  • Netanel Rubin
    Netanel Ruben is a senior vulnerability researcher that has several significant findings under his belt. Starting his security career at the age of 16, Netanel performed security assessments for many international companies and organizations, including banks and government offices. Following a meaningful military service in the IDF elite intelligence unit 8200, he joined PerimeterX. In the past few years, his work was presented at several international conferences such as DEF CON and CCC.

Links:

Similar Presentations: