<i>preroll music</i>

Herald: And I'm gonna introduce Netanel Rubin.

He has been here last year with a talk 
that he got some bashing for.

This year he's gonna ensure,
it's not the programmer's fault,

it's the language itself. No?

Well, here we go, well here we go.

Netanel, he is working for 
PerimeterX in Tel Aviv,

welcome on stage, your talk!

Netanel: Thank you very much, <i>applause</i>

thank you, thank you!

Last year I stood right on this very stage
and I talked about several of Perl's

less thought out "features".

Now, I got some bashing from the Perl community, 
but mainly what happened was,

that the Perl community completely rejected my talk 
claiming that the language

is completely fine and great 
and all of this stuff are just improvements.

It was clear I had to give another talk.

This is why I'm very proud to present 
"Perl Jam 2 – The Camel strikes back"!

<i>applause</i>

Thank you

At the last talk, I showed that "lists" are expressions, 
used in… many confusing ways.

I also showed how CGI parameters can create lists, 
directly from user input.

But most importantly, I showed 
that when these two things combine, shit happens.

Great

But the really interesting part 
was the PerlMonks response.

The Perl community…
<i>laughter</i>

The Perl community had a long discussion 
at the PerlMonks forum

that started with the words 
"Sad news from Germany".

A bit dramatic, but who am I to judge?

So, after a long, long discussion, 
they came to the unavoidable conclusion

that my talk was, in fact, a "polemic shit", 
and they should all just "piss on it". Wink.

They also realized I'm just a 
"script kiddie preaching to other script kiddies",

and not just any script kiddies, the CCC audience is a

"heterogeneous group of chaotic punks 
who love to see themselves in the hacker

image of Hollywood media". 
<i>applause and whistling from audience</i>

What hacker image? 
What are they talking about?

We have no hacker image.

Anyway, it got quite surreal, as in some point 
they even critized

the "crude use of propaganda 
in the camel images". WAT?

<i>laughing</i>
<i>applause</i>

Propaganda in the camel images. Alright.

Anyway, they completely rejected the entire talk, 
even though the technical points were valid.

They rejected it because of 
some jokes and camel images.

But still, they got so offended they just threw 
lame excuses as to why their language sucks.

Two of these lame excuses were 
repeated over and over again.

The first was that I should 
read the fucking manual, which is funny

because I thought I was the only one who did…

<i>laughter</i>

…and the second is that

I'm using the old, ancient Perl, 
and not the new, modern Perl.

<i>more laughter</i>

Remember these two points carefully 
as I'll later break them in the presentation.

But, enough with the intro, 
let's start with the new madness.

So, Perl allows declaring variables 
without specifying their data type.

Of course, this functionality exists 
in many dynamic languages,

and is completely fine and very convenient.

But, as usual, Perl took it 
to a whole different level.

Perl went as far as removing 
data type declarations from function arguments.

You can see that in this example,

I'm just receiving two different arguments 
without knowing what type they are.

Let me be clear about that,

you don't get to choose whether you want 
to specify argument data types or not,

you can't specify 
what data types you're expecting to get.

So even if I built a function 
that only works with strings,

I have no way of forcing that 
at the function declaration.

Now that's annoying.

But, the real kicker 
is how this feature is used.

Apparently, it is very common to write 
two completely different blocks of code,

one that handles scalar types, 
like strings or ints,

and one that handles non-scalar types, 
like arrays or hashes.

Let me repeat that:

Writing multiple code, for multiple data-types, 
in one function, is a Perl standard.

And that's sad. You shouldn't write redundant code 
because the language lacks the capability

of letting you decide 
which cases you don't want to handle.

By the way, Python doesn't let you 
declare your function argument data types too,

but unlike Perl, writing redundant code 
to cover that up

is definitely not the standard.

Anyway, sad as this may be, 
this Perl convention is not dangerous.

The dangerous part begins

when hashes and arrays 
are considered as "secure" data types,

mainly because they can't be created 
by user input.

This results in this kind of code,

where if the function argument 
is a hash, for example,

it is used un-escaped in dangerous functions.

Hashes, specifically, are considered so secure, 
that even if you use "taint mode",

which is some kind of safe mode for Perl,

hash keys are not tainted, meaning 
that, even if you use safe mode,

they can be still used in dangerous functions

without any validation, 
as opposed to other data types.

Now this kind of code appears a lot 
in Perl applications,

and apart from the many bugs 
this method can cause,

it also makes your code exploitable.

So we know function arguments are of unknown data type.

And we know developers treat hashes and arrays 
as "secure" data types,

inserting their values into dangerous functions.

But this practices isn't something

that was created a long time ago, 
and found only on redundant code.

Because of how the language is built, 
its supposedly restriction-less type of developing,

even now it is the natural way to code 
when you're using Perl.

And that's the real problem: 
Perl is like a shotgun,

with one trigger you know about 
and a dozen that you don't.

So for now, we know 
that if we'll somehow manage

to create these "secure" data types, 
with our user input,

we could exploit the code.

So the only question remaining really 
is what are we gonna exploit?

And the answer, again, 
is Bugzilla.

<i>laughter</i>

Like every other Perl project, 
Bugzilla is heavily using functions

that treat scalar and non-scalar 
argument types very differently.

This is one of them: the load_from_DB function is responsible

for extracting object specific data 
out of the database.

Like I just said, it treats scalars, 
and in this case hashes, very differently.

If the function argument is a hash, 
it takes one of its values

and inserts it as is, un-escaped, 
into an SQL statement.

Again, because hashes 
are considered secure,

so there's no point of escaping them.

On the other hand, 
if the argument is a scalar,

it converts it into an integer 
and only then use it in an SQL statement.

Because scalar values are not secure.

hashes: secure

scalar: not secure

This means that if we could control 
the function argument entirely,

including its data type, 
we could control the SQL query,

effectively exploiting an SQL injection attack,

by inserting a hash 
containing that specific value.

But…

CGI input doesn't allow hashes, right?

The whole Perl security module 
is built on that assumption.

The problem is that, like us, 
developers are assuming

CGI input is the only input method available.

CGI.

But CGI isn't the only way to go.

Bugzilla developers missed the fact 
that their own system

is also featuring an XMLRPC and a JSONRPC,

both supporting input of non-scalar data types 
like arrays and hashes!

But I'm not blaming them.

Yes, they forgot that there are more ways 
for a user to input than CGI,

but still, they're just the product 
of how Perl programming is taught,

filled with false assumptions and inconsistencies.

Expecting anything but this kind 
of security problems is just naive.

But back to the vulnerability.

If we'll use one of these RPCs,

sending our input parameter with a malicious hash,

instead of just a regular numeric parameter,

we will be able to exploit the SQL injection!

So, if we'll send this regular request, 
using the JSONRPC interface,

the number 1 will be used 
as the ID of a bug to extract,

but if we'll send this request,

where instead of an integer we'll supply a hash,

then suddenly we will be able 
to inject any SQL we'd like

into that statement, effectively 
compromising the entire database.

Now when you look at this request, you realize

that this is not a sophisticated vulnerability.

All I did was just change the input data type 
from scalar in this case to a hash,

and that's it, the system is compromised.

It was so heavily built on the assumption

that hashes are secure, that it offered me

almost unlimited access security wise.

The funny thing about that is, that 
although it's so simple,

the attack has existed for over 5 years.

That's the year I was born in.

So, we now proved this "unknown-argument-type" feature

is a huge source for problems.

We also know writing different code 
to handle different data types

just causes a lot of false assumptions.

But most importantly, treating non-scalar 
data types such as hashes as "secure",

just because they supposedly can't be created by the user,

is very, very, BAD. Just ask Bugzilla.

But the shocking part really, is that, again, 
this is the Perl Standard!

You're not expected to use it, you have to

as you don't have any other choice.

This security mess 
is a fundamental part of the language.

The problem is that creating non-scalar data types 
is impossible in some cases.

We can't rely that some kind of RPC

will exist in the code 
and support different data types,

and we can't create data types 
using regular user input… Right?

Well, let's have a look at

how different CGI modules 
handle different kind of input.

First, we'll take the most trivial scenario.

A single valued parameter, 
something that looks like this request,

where the "foo" parameter 
is assigned the string "bar".

In this case, a scalar is created on all three CGI modules,

which doesn't really help us, 
but is pretty much what we've expected.

It is secure.

But what happens if instead of 
sending a single-valued parameter,

we'll send a multi-valued parameter, 
like in this request?

Now things are starting to get complicated.

On CGI.PM, as we already know, 
a list is created,

which is very useful for us, 
but not what we're after.

Let's have a look at 
what the "new" Perl modules are creating.

We'll see that both of them are returning 
arrays containing our values.

Arrays! WAT?

I thought you can't create 
these kind of data types with regular input,

after all, they're considered safe.

But let's continue.

What happens if instead of sending a regular value,

we'll try and upload a file in that parameter?

Now things are really getting out of hand,

because CGI.PM now returns a file descriptor, 
and Catalyst and Mojolicious returns a hash.

WAT?

We just exploited 
the most popular Perl project in the world

because they assumed hashes can't be created by the user,

and now we're finding out 
that not only we can create hashes,

it is a god-damned feature?!

That's insane!

The whole Perl security standard is built on that assumption

that users can't create non-scalar data-types

and now suddenly these are features?

But let's send a multi-file upload request 
as in several files in the same parameter.

Watch closely, because this is where it gets ridiculous.

Now, CGI.PM returns a list of File Descriptors,

Catalyst returns a list of Hashes

and Mojolicious returns an Array of Objects! WAT?!

<i>laughter and applause</i>

Almost any Perl project in the world

uses one of these modules 
for parsing CGI input.

Just think how many developers assumed 
the exact same thing Bugzilla assumed

and treated hashes and arrays as secure data types.

So if you're using CGI.PM,

instead of the expected scalar value you could be getting

a list, a file descriptor or a list of file descriptors

and if you're using Catalyst

you could receive a scalar, an array, a hash or a list,

which is basically any data type.

So expecting your function… yeah

<i>audience chuckling</i>

So expecting your function arguments 
to be of a specific data type is false.

Expecting hashes and arrays to be secure is also false.

Expecting scalar only user input

is a major false.

And to be honest, it seems that in Perl expecting is false!

<i>laughter and applause</i>

You just can't expect anything

even the most basic of things 
such as what data type your variable is made of.

You just don't know.

But I felt all of these points will 
go un-noticed

without an extreme example of Perl's absurdity.

So I found an extreme example.

One that will clearly show

the ridiculous nature of the language.

And this is it:

All this code does is print an uploaded file's content.

And to show you how basic and simple that code is, 
I'll explain each line.

The first line just creates a new CGI instance, 
so we could get the file from the user.

The second line checks if a file 
has been uploaded in the "file" parameter.

The third line gets the file descriptor from the CGI module,

while the fourth line loops through the file 
and the fifth prints it.

That's it. Again: all this code does 
is get a file and print it.

<i>clapping</i>
That's it.

A user has uploaded a file to the server 
and the server is just returning its content.

It's not saving it anywhere, 
it's not moving it anywhere,

it just prints its content.

There should be absolutely 
nothing dangerous in this code,

it contains literally five lines.

Yet, it's demo time.

<i>laughter</i>

So trust me, you don't need to see the text,

all you need to see is that 
when I'm sending a regular request nothing happens.

When I send it now, nothing happens,
I'm just getting the file content.

We're having fun, you don't see the burp…

Now, nice. Okay.

So…
…L't me just…

…I have no idea where my mouse is, okay.

So…

I'm sending a regular request, 
nothing happens, just getting the content.

I know, you can't see the text…
…and…

when I'm sending my malicious request,

something interesting will pop up.

Watch closely! It's gonna be quick.

Ready?

Oh, you haven't seen it, it's on the different screen.

Just a second… oh… duplicate…

(from audience): … magnify it!

Netanel: I'll magnify you!

<i>laughter</i>

Alright, so… watch closely.

Ohh, uuh? What was that?

Let's see it again.

<i>mocking</i> Uuuuuh?!

<i>laughter and applause</i>

Yupp, <i>clearing throat</i>

… just a second.

Nice.

So you're probably asking yourself right now

"What the fuck did I just see?"
<i>laughter</i>

"Was that a terminal screen?"

And the answer is … "Yes"
Yes, it was,

specifically the "ipconfig" command output.

Or in other words: What you just saw

was me exploiting that five lines 
with a remote code execution attack.

So now that you saw the magic happens, 
I think it's time for some explanations.

The first line, responsible for checking

if a file has been uploaded in the "file" parameter,

doesn't exactly do as it says.

Instead of checking if the "file" 
parameter is an uploaded file,

it checks if one of its values is a file descriptor.

Let me clarify that, instead of checking 
if the parameter is only a file,

it checks if the parameter is also a file.

<i>laughter</i>

Meaning that uploading a file

and assigning another scalar value to the same parameter

will still work and bypass the check!

WAT?

<i>more laughter and applause</i>

Creative fellows those guys are.

So now we can assign the "file" parameter 
both a regular file and a scalar value.

But what happens when we try to get 
the "file" parameter value?

In a regular request, it should return 
the uploaded file descriptor,

but now that we're adding another value to that parameter,

param() returns a list containing all the values we sent:

the file we've uploaded and our scalar value.

But the "file" variable 
can't contain two values, right?

So instead of converting 
the returned list into an array

Perl only uses the first element of that list.

So if we'll send our scalar value 
before we send our file,

the $file variable will be assigned 
our scalar value

instead of the uploaded file descriptor.

Which means, that $file 
is now a regular string!

<i>in high pitched voice:</i> WAT?

But what happens to this operator 
when we use a string

instead of a file descriptor?

Well, the brackets operator 
doesn't work with strings, right?

It works with file descriptors, 
why should it work with strings?

Well, that appears true

unless that string is "ARGV".

<i>laughter and applause</i>

That's not a crazy part.

<i>more laughter</i>

In that case the brackets operator, listen closely,

loops through the script arguments,

which in CGI comes directly from the 
query string instead the command line,

and it treats them as file paths, 
inserting each one into an open() call!

<i>again laughter</i>

WAT?

Yeah, that made sense in some point, I guess.

All of this basically means that now,

instead of displaying 
our own uploaded file content,

we can display the content 
of any file on the server.

But that's not the end, 
as we haven't executed code yet.

To execute code, we have 
to look at the open() function.

Again, this is the function being called 
with the ARGV values as file paths.

open() is responsible for opening 
a file descriptor to a given file.

Unless a "pipe" character is added

to the end of the string,
<i>laughter</i>

and in that case instead of opening the file,

it executes it…
<i>applause rising</i>

…acting as an exec() call!
<i>more applause</i>

So … when we send our exploit,

containing our uploaded file, 
the "ARGV" malicious scalar value,

and the ipconfig command followed by a pipe

this is what we get.
WAT?

WAT?
<i>applause</i>

I know, I'm shocked too, but I'm not done yet. 
<i>laughter</i>

Truth be told, I didn't write that code.

Remember that PerlMonks told me 
that I should read their fucking manual?

<i>more laughter</i>
Guess where that code came from:

the official CGI documentation!
<i>big applause and audience whistling</i>

But, I'm not blaming CGI.PM developers.

Nor am I blaming developers 
who copied from CGI.PM examples.

After all, who could have known 
that this is what this code will do?

This is how it could be exploited?

There's no exec calls, 
the file is not saved anywhere,

and we're only using a "print".

The sole responsible for this mess, 
is the Perl language.

Perl is the one silently expanding lists,

Perl is the one mixing up your data types,

Perl is the one executing user input 
with no exec calls,

Perl is the problem,

not its developers.
<i>applause rising</i>

And until this god-damned, bizarre, 
dangerous language is fixed,

you could only 
stop

using

Perl!

Thank you!
<i>more applause</i>

Herald: So I guess 
we have some time for questions now.

<i>laughter</i>
Netanel: Maybe

Herald: And I have the funny feeling, 
we will have some questions now.

Ok, so we have some microphones here. 
Please queue up.

Please do not shout in, because we need 
to record it on the stream.

Well, here we go.

And we also have some questions 
from the internet, don't we?

Signal Angel: Oh yes, we do!
<i>laughter</i>

Signal: But before we come 
to the technical questions,

the IRC wants you to know, 
what you did to it:

it felt like there were explosions 
and camels everywhere.

Netanel <i>laughing</i>: That's the point

Signal: And incidently they want to know, 
if you have a list of those camel pics somewhere?

Netanel: I think Google has it? 
<i>more laughter</i>

Just there search camels.

Signal: So for the first question. 
Opello(?) wants to know,

if the take-away is, that Perl project authors 
so shouldn't trust input

and instead verify types with REF 
and always use prepared SQL statements?

Netanel: That's a good question. The take-away should be… 
<i>laughter</i>

well, how will I phrase it …

I think I have a slide … somewhere … 
<i>more laughter</i>

Oh wait, where's my slide?

Don't worry, have it right here.

But really, trusting user input 
is always a bad idea

and most developers know it.

The problem is, that…

well, at least from the code 
I saw written in Perl,

and that's a lot of code, trust me

…is that hashes and arrays 
are almost always considered secured

as they supposedly can't be 
created by user input, as I said.

But, when you're expecting your user input 
to be a scalar, a string or even a list

and instead you get a hash from unexpected 
directions, you get confused.

And you can't always 
live in the fear of not knowing

what data type you're trying to handle.

Well, not trusting scalar data types 
is a wise decision, because it's dangerous.

But not trusting your hashes, 
as well not trusting your arrays?

What's next? Not trusting your own code?

You just can't expect anything 
to really work as it should.

When you're writing Perl,

you are constantly attacked 
by all these different directions.

And even the data type direction is a problem now.

I hope that answered the question 
beside the slide.

Herald: Well, then we're gonna go over 
and start with number one.

Questioner: So thank you for opening our eyes.

Even I use Perl, I would say, 
for cooking and yes …

Netanel: I remember you
Q: Sorry?

N: I remember you from the last talk! 
Q: No no

N: Oh, you're new? Oh… <i>smirking</i>
Q: I'm new, I'm new…

Q: So… I can't say, I'm not guilty of that, 
but I still would say yes,

Perl is a bit like cooking with my mum.

Sometimes I put something into…
the… with the boiling thing…

and sometimes she, sometimes I go away, 
sometimes she go away

and the only thing you can do is always taste.

And yes, you're maybe right, Perl is a language

where you never know what comes out, 
but it's real cool!

If you get the right response you can use it,

if you use it to write web applications 
I would agree.

Web applications, the professional ones 
at least, are not for cooking,

but for doing funny things and 
have some fun, I think it's a perfect language.

N: I think Perl is a lot of fun. 
<i>laughter</i>

I completely agree on that. <i>laughing</i>

Herald: Then we're gonna go over to two.

Question: Was your life ever threatened 
while interacting with the Perl community?

<i>laughter</i>
N: Could you please repeat that? I …

Q: Was your life ever threatened 
while interacting with the Perl community?

N: Definitely. Definitely,

I'm getting hate mail every day, 
living in fear …

H: And over to the three, please.

Q: I think I speak for all of us, 
when I thank you for this wonderful talk,

N: Uh, thank you. Thank you really! Thank you.
<i>applause</i>

Q: Brilliantly executed, but… ehm… 
you spoke about Perl 5 I think.

N: Yes, you are absolutely right.
Q: As some of you might know, this christmas…

<i>laughter</i>
Q: …so tomorrow Ingo Blechschmidt

is going to give a talk about how Perl 6 
will make everything better

and how everyone should start 
using Perl 6 and…

N: It also craps rainbows
Q: Yeah, of course…

Q: My personal comment is: 
wouldn't it have happened

with a statically typed language?

So I think some nice folks at Haskell 
in IRC are waiting for you Perl developers

to please come, join us … Thank you!
N: <i>smirking</i>

<i>Herald and Netanel start speaking simultaneously</i>

H: …sorry, to answer first, where am I… sorry
N: Ah, no..., I am not answering, just...

just a quick note about Perl 6. 
This talk is all about Perl 5, alright?

I … Perl 6 came out a couple of days ago and …

...from …at least from what I saw, 
Perl 6 is to Perl as…

C++ is to C. It's the same name, 
but it's a whole different language.

So yes, this is Perl 5. 
Maybe I'll come back next year about Perl 6?

<i>laughter</i>
Who knows?

Herald: I'm looking forward to that already.
<i>applause</i>

<i>Herald pointing to Signal Angel</i>

Signal: Yeah… Joerd(?) wants to know: 
of course you talked a lot about CGI.PM

which you know was removed from repository from Perl 
even before your talk last year.

So what about it's replacements 
from CPAN like CGI::Simple.

Netanel: I don't know, I haven't checked it. 
When I decided on which modules to check,

I took CGI.PM because even though it is old, 
it is the most popular in the world as of today

and I took Mojolicious and Catalyst because 
they were really popular, too.

So I didn't take the newest modules, 
I take the most popular modules.

And I think, that's the important 
aspect of … deciding.

Herald: And over to one, please.

Questioner: Hi… I'm… part of the Perl community, and…
<i>laughter</i>

N: Hi!
Q: But I just start with Perl – 5

N: Uhh… ehm… uhh… didn't you… nhaa…
<i>laughter</i>

Q: We use Perl for almost every module 
that we have at work

and this worked really fine. 
N: …yeah…

Q: And I don't know why you're picking Perl as language to attack.

It's a really old language, it's also every language 
that we can pick, that has problems.

But it doesn't mean this has to die or 
stop using it. So I don't know why…

N: …you're right, you're right. 
First of all, you're completely right,

because a language shouldn't die, it should improve.

C got critized and it improved. 
PHP got critized and it improved.

Why can't Perl be critized, too?

Why is it like a code, when you say 
something bad about Perl, then,

I don't know, a horde of PerlMonks jumps on you?

Why don't improve the language? 
Don't use it in your work though,

it's dangerous. 
<i>laughter and applause</i>

H: Then we're gonna jump over to five, please.

Q: Hi. I'm not a Perl developer, 
but I use a lot of Ruby and Python.

Is this really limited to Perl or

does this apply to more or less 
any dynamic language?

N: As I said in one of the first few slides,

some of it also applies to Python. 
Specifically the thing

when you can't specify what data types 
your function arguments can get.

But, what's unique to Perl is that 
writing different code

for different data types in one function 
is very, very common.

You can do it in every language, of course!

But it is very common only in Perl! 
And that is unique about it,

of course besides the thing 
that hashes and arrays are secure.

That's of course Perls only fault.

H: Good, then we're gonna go over to six, please.

Q: Hey! Did you say WAT more 
while preparing this talk or while holding it?

N: Uhm. Both. <i>Laughing</i>. 
Did I rant? That was the … right?

Q: Did you say it more 
while preparing it or while holding it?

N: I'm missing your word, man, can you...

Ahh, wat… WAT! Ohh… Yeah, both!
<i>laughter</i>

H: Ok, do we have another from the internet?

Signal: Does your exploit 
also work in tainted mode?

N: No, I believe not. No, it doesn't.

H: And another one...

S: Is there any Perl obfuscated code exploits 
like this for Catalyst or Mojolicious?

<i>someone chuckling in audience</i>

N: I've no idea, man, maybe. 
I didn't check it of course.

I didn't check every module 
for every exploit, I ever want to create, but

on CGI.PM, which is again 
the most popular CGI library, it did.

So, maybe the internet 
can find more exploits. I know it can.

H: Bring it on. That's it?
N: That's it?

Thank you!

<i>applause</i>

Herald: Thank you very much!
Netanel: Thank you!

<i>postroll music</i>

subtitles created by c3subtitles.de
in the year 2016. Join, and help us!