Attacking Cloud Services with Source Code

Transcript

1. © 2012 Presented by: Attacking Cloud Services w/ Source Code

   Jonathan Claudius SpiderLabs Research

2. © 2012 Who, Me? •  Jonathan Claudius –  Trustwave SpiderLabs

   •  Senior Security Researcher •  Vulnerability Assessment Team –  Open Source Contributor •  Mostly Ruby, some other stuff

3. © 2012 Agenda •  Basic Terminology & Concepts •  OpenSource

   Development Woes •  Cloud Services to the Rescue •  Attacking Cloud Services •  Demo(s) •  Questions

4. © 2012 © 2012 Basic Terminology & Concepts

5. © 2012 Continuous Integration (CI) •  “A practice, in software

   engineering, of merging all developers workspaces into a shared mainline several times a day.” ~Wikipedia •  Popular Example: –  Jenkins CI –  Every time I commit new code… •  project is built & tested

6. © 2012 Unit-testing •  “In computer programming, unit testing is

   a method by which individual units of source code … are tested to determine if they are fit for use” ~ Wikipedia •  A Ruby Example

7. © 2012 Basic CI Infrastructure Setup Source: https://www.simple-talk.com

8. © 2012 © 2012 OpenSourcing Ain’t Easy

9. © 2012 OpenSource Dev as a Hobby •  I write

   code… –  after work –  on the weekend –  while “watching tv” •  I do it because… –  I enjoy solving problems –  I like to learn stuff –  I meet interesting people

10. © 2012 The “down-side” •  Limited Time & Resources • 

    Everyone can Contribute •  Worried about Code Quality •  No Fancy CI Infrastructure

11. © 2012 © 2012 Cloud Services to the Rescue!

12. © 2012 Hosted Cloud CI Providers •  Have been popping

    up over the past couple years •  Some Examples:

13. © 2012 Here’s how it works… Developer GitHub Travis-CI Heroku

    Engine Yard ?

14. © 2012 Easy Setup

15. © 2012 Easy Setup

16. © 2012 Building Project Against All Rubies!

17. © 2012 Full Build History

18. © 2012 Builds Pull Requests Too!

19. © 2012 Builds Pull Requests Too!

20. © 2012 © 2012 Side Track: Quick Story…

21. © 2012 “Hacking with Gems” by Ben Smith

22. © 2012 Ben’s Talk Got Me Thinking… •  Assumptions… – 

    Social Engineering –  Obfuscation •  What if I could... –  Guarantee Code Execution –  Hide Nothing –  Control When Things Happened

23. © 2012 © 2012 Attacking Cloud Services

24. © 2012 What’s happening on CI Servers? •  In Ruby…

    –  A CI server executes “rake spec” –  Translates to “run all my unit tests” •  Crazy thought… –  Ruby Unit-Tests (aka: specs) are just plain Ruby –  What if I added malicious code to my specs?

25. © 2012 How would that work? Developer GitHub Travis-CI Heroku

    Engine Yard ?

26. © 2012 I built my own CI Server… •  Why?

    –  To emulate these CI servers –  To avoid pissing people off –  To not feel guilty when I did bad things •  Used Jenkins-CI

27. © 2012 Here’s how my simple setup works… Developer GitHub

    Jenkins-CI

28. © 2012 Break Out of Build Root •  Basic Directory

    Traversal •  Limited Sandboxing –  Discover/Access other projects built on this server

29. © 2012 Break Out of Build Root

30. © 2012 Scanning the Local Segment •  Perform an NMAP

    scan of neighboring hosts •  We’re now behind the firewall •  Potential for pivoting?

31. © 2012 Scanning the Local Segment

32. © 2012 Authenticate Back to SCM •  Check to see

    if I can ssh key-auth back to GitHub •  R/RW SSH Key-auth •  Trojan project on SCM?

33. © 2012 Authenticate Back to SCM

34. © 2012 Reverse Shell •  Get a command shell on

    the CI server •  Source –  http://pentestmonkey.net/cheat-sheet/shells/reverse- shell-cheat-sheet

35. © 2012 © 2012 Demo(s)?

36. © 2012 Demo #1 •  Background –  I’m a malicious

    person –  I have commit access to your project –  I want to attack your CI •  Target –  Get a shell on the CI server

37. © 2012 Demo #2 •  Background –  I’m a really

    bad person –  Send Malicious Pull Request –  Get Code Exec on CI –  Leverage SSH key auth fail •  Target –  Use CI to perform unauthorized commit to project(s)

38. © 2012 © 2012 A Tool to Help

39. © 2012 rotten_apple •  I created a project on GitHub

    –  http://github.com/claudijd/rotten_apple •  Built on Unit-test Concept –  Pass/Fail Tests •  Two Name Spaces –  RottenApple::Attack –  RottenApple::Audit “Build me on your CI”

40. © 2012 Target Audiences for rotten_apple •  Developers •  Quality

    Assurance •  System Administrators •  CI Providers (Cloud and non-Cloud) •  Net/App Penetration Testers –  Metasploit payloads/module(s)?

41. © 2012 © 2012 Parting Thoughts…

42. © 2012 Parting Thoughts •  CI servers are open by

    design •  Trust Relationships Exist & Can Be Abused •  Demos –  #1 - CI’s can be used as an Attack Pivot –  #2 - Using GitHub integrated CI’s prevent key trust issues (be wary of user keys vs. deploy keys) •  We should test our CI services for weaknesses

43. © 2012 © 2012 Questions?

44. © 2012 © 2012 Thank You! Twitter: @claudijd