The Perl Jam: Exploiting a 20 Year-old Vulnerability

Presented at 31C3 (2014), Dec. 29, 2014, 10 p.m. (30 minutes).

tl;dr EXPLOIT ALL THE PERL. We chained several of Perl’s ridiculous syntax quirks in order to create a surprisingly powerful attack, bringing down some of the most popular Perl-based projects in the world to their knees. Brace yourselves, RCE exploits are coming. Deemed ‘the write-only programming language’ by many, Perl has well-served its purpose as a successful subject for less successful programmer jokes. It’s self-obfuscating ‘TMTOWTDI’ syntax is one of the top reasons for sysadmin PTSD, nervous breakdowns, and marriage problems. Sadly, it is 2014 and Perl still maintains a top-10 position in programming language popularity indexes – sometimes higher than JavaScript. This can be attributed to the fact it is the underlying platform running many applications still widespread today such as ‘cPanel’ or ‘Bugzilla’, as well as high-profile web sites such as Craigslist, IMDb, Slashdot, DuckDuckGo and TicketMaster, among others. This talk will spawn a wormhole 20 years into the past, and dive into some of the more hazardous and fundamental language quirks (WAT-style), walking the audience through the discovery of vulnerable core modules and the implementation of a new exploitation technique (branding and logo included!). Using this technique, we unleash a Pandora’s box of exploits to vulnerabilities hidden under the surface for years, in some of the most popular Perl-based projects in the world. Hilarity ensuance guaranteed.

Presenters:

  • Netanel Rubin
    A security researcher with a passion for vulnerabilities and gummy bears. Currently works at Checkpoint Software Technologies as a professional slacker.

Links:

Similar Presentations: