Exploiting CI / CD Pipelines for fun and profit
A severe exploit chain can occur from publicly exposed .git directories, allowing unauthorized server access. Regular audits and secure configurations are essential to prevent such vulnerabilities in deployment pipelines.
The Razz Security Blog discusses a severe exploit chain that can occur due to the public exposure of a .git directory, which can lead to a complete server takeover. The author discovered that many websites still expose their .git directories, which contain sensitive information, including credentials. By accessing the .git/config file, the author was able to clone the repository and found that the code owners used Bitbucket Pipelines for deployment. The pipeline was configured to log into the production server and execute a git pull command, which allowed the author to modify the pipeline configuration to add their SSH key to the server's authorized_keys file. After pushing these changes, the author gained shell access to the server, effectively compromising it. The blog emphasizes the importance of monitoring SSH keys, not exposing .git directories publicly, and regularly auditing code repositories and deployment pipelines to prevent such vulnerabilities.
- Public exposure of .git directories poses significant security risks.
- Bitbucket Pipelines can be exploited if not properly secured.
- Modifying pipeline configurations can lead to unauthorized access.
- Regular audits of SSH keys and server configurations are essential for security.
- Developers and sysadmins should take proactive measures to secure their CI/CD processes.
Related
Leaked admin access token to Python, PyPI, and PSF GitHub repos
The JFrog Security Research team discovered a leaked admin access token for Python repositories on GitHub. PyPI promptly revoked the token, preventing a supply chain attack. Emphasizes the importance of scanning binaries for security.
Anyone Can Access Deleted and Private Repository Data on GitHub
GitHub's architecture allows access to data from deleted and private repositories, posing security risks. The Cross Fork Object Reference vulnerability enables retrieval of sensitive information even after deletion, necessitating user vigilance.
The Wild West of Proof of Concept Exploit Code (PoC)
CVE-2024-6387 is a serious unauthenticated remote code execution vulnerability in OpenSSH, with complex exploitation requiring knowledge of system architecture. The exploit code contains malicious elements, emphasizing risks of untrusted code.
Git: The Stupid Password Store
Tyler Cipriani shares his experience with Git, emphasizing secure credential management. He recommends using tools like GerritLab and secure options like `osxkeychain` or `libsecret` for password storage.
Number of incidents affecting GitHub, Bitbucket, Gitlab and Jira is rising
Incidents on major development platforms like GitHub, Bitbucket, GitLab, and Jira are rising, with GitHub up 21% in 2023, highlighting security challenges and the need for better collaboration in DevSecOps.
When I see things like those, they look so wrong to me. But sadly it's apparently uncommon nowadays: not only random bloggers, even my coworkers see nothing wrong with putting passwords or tokens into general config or source code files. "it's just for a quick test"1 they say and then they forget about it and the password is getting checked in, or shown at a screenshare meeting.
Maybe that's why there are so many security problems in industry? /rant
(For those curious: for git specifically, use ssh with key auth. If for some reason you don't want this, you can set up git's credential helper to use your OS key store; or use plaintext git-credentials, or even just good-old .netrc. For source code, something like "PASSWORD = open("/home/user/.config/mypass.txt").read().strip()" is barely longer than hardcoding it, but 100% eliminates the chance of accidental secret checkin or upload)
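The one-liner in the comment above works, but two cheap checks make it safer: refuse a secret file that other users can read, and refuse one that sits inside a git worktree, where it could be committed by the very mistake the commenter is describing. The code below is an added example, not the commenter's or the blog's code; the file names and the temporary directory layout in `demo()` are constructed for the demonstration.

```python
"""Load a secret from a file outside the source tree, refusing unsafe setups.
Added example; paths such as ~/.config/mypass.txt are illustrative only."""
import stat
import tempfile
from pathlib import Path


def inside_git_worktree(p: Path) -> bool:
    """True if `p` or any ancestor directory contains a .git entry."""
    return any((d / ".git").exists() for d in (p, *p.parents))


def load_secret(path: str) -> str:
    """Return the stripped contents of the secret file at `path`.

    Raises PermissionError if the file is readable or writable by group/others
    (it should be mode 0600), and ValueError if it lives inside a git
    worktree, because then `git add .` could check it in."""
    p = Path(path).expanduser().resolve()
    mode = p.stat().st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{p}: readable by group/others; run chmod 600 on it")
    if inside_git_worktree(p):
        raise ValueError(f"{p}: located inside a git worktree; move it outside the repo")
    return p.read_text().strip()


def demo() -> dict:
    """Exercise load_secret on constructed files in a temporary directory and
    return what happened for each case (used by the stand-alone run below)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)

        # Case 1: secret outside any repo, mode 0600 -> accepted.
        cfg = base / "config"
        cfg.mkdir()
        good = cfg / "mypass.txt"
        good.write_text("s3cret-value\n")  # constructed sample secret
        good.chmod(0o600)
        results["outside_repo_0600"] = load_secret(str(good))

        # Case 2: same location, but world-readable -> rejected.
        loose = cfg / "loose.txt"
        loose.write_text("irrelevant")
        loose.chmod(0o644)
        try:
            load_secret(str(loose))
            results["world_readable"] = "accepted"
        except PermissionError:
            results["world_readable"] = "rejected"

        # Case 3: correct mode, but the file sits inside a checkout -> rejected.
        repo = base / "project"
        (repo / ".git").mkdir(parents=True)
        inside = repo / "secret.txt"
        inside.write_text("irrelevant")
        inside.chmod(0o600)
        try:
            load_secret(str(inside))
            results["inside_repo"] = "accepted"
        except ValueError:
            results["inside_repo"] = "rejected"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The worktree check is deliberately strict: a secret file placed next to the code is the most common way "just for a quick test" turns into a committed credential, so the loader fails loudly rather than silently working until the day it is pushed.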
> Pushing Malicious Changes to the Pipeline
mean that they already have full access to the repository in the first place? Normally I wouldn't expect an attacker to be able to push to master (or any branch for that matter). Without that, the exploit won't work. And with that access, there are so many other exploits one can do that it's really no longer about ci/cd vulns.