Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Attacking Cloud Services with Source Code

Jonathan Claudius
April 16, 2013
Technology
1
1.1k

Attacking Cloud Services with Source Code

This talk was presented at SOURCE Boston 2013 and THOTCON 0x4. I talk about some basic development processes, my perspectives as an opensource contributor, and how hosted (cloud-based) CI/CD services make my life so much easier. I also take a look at some different attack vectors to consider on CI/CD deployments in general and what the potential impacts could be if leveraged successfully. Lastly, I announce a soon to be released tool that I developed to help test CI/CD servers for security weaknesses.

Recorded Presentation - https://www.youtube.com/watch?v=i5REko2mYBk&feature=c4-overview&list=UUbIJ5eQhfXgdGwEqDs3F86A

Demo #1 - https://vimeo.com/65071592 (Pop a Reverse Shell using Continuous Integration)

Demo #2 - https://vimeo.com/65071593 (Make an Unauthorized Commit to Master using Continuous Integration)

RottenApple - https://github.com/claudijd/rotten_apple

Blog Post:
http://blog.spiderlabs.com/2013/05/securing-continuous-integration-services.html

Jonathan Claudius

April 16, 2013
Tweet

More Decks by Jonathan Claudius

See All by Jonathan Claudius
OWASP Maine October 2017 Financial Report
claudijd
0
41
OWASP Maine July 2017 Financial Report
claudijd
0
150
Lessons Learned from a Bug Bounty Operator
claudijd
0
54
Trojaned Gems: You can't tell you're using one
claudijd
0
11k
Crowdsourcing Your Cisco Firewall Administration... WAT
claudijd
1
1.9k
OWASP Chicago - Ruby on Rails Pitfalls
claudijd
1
330
Rails Security in the Wild - Chicago Ruby
claudijd
2
220
Stamp Out Hash Corruption! Crack All The Things!
claudijd
1
490
BNAT Hijacking - Repairing Broken Communication Channels
claudijd
1
380

Other Decks in Technology

See All in Technology
How we build Ads Platform in Rust
mapbox_jp
1
210
売上と開発環境を同時に改善するためにPerl Webアプリケーションをどのようにリプレイスするか
masashi_sutou
0
250
ジョブキューシステムFireworqのアーキテクチャ設計と運用時のベストプラクティス
tarao
1
790
Invitation to K8s-Docs ja
nasa9084
0
140
PHPの最高機能、配列を捨てよう!! / Throw away all PHP array now!!!
uzulla
5
3.3k
八王子からお届けするノベルティ - YAPC::Kyoto 2023
uzulla
0
360
ChatGPTをプロダクトに入れる開発が"毎日がAfter GPT"だった件/ChatGPT LT Link and Motivation
lmi
1
2.5k
SIGNATE開発失敗談
bonjiri_niwa
0
160
Race Conditions em Microsserviços: Desmistificando um Problema Comum em Arquiteturas Distribuídas
jordihofc
0
210
大規模レガシーテストを 倒すための CI基盤の作り方 / #CICD2023
udzura
4
1.4k
権威DNSサービスへのDDoSと
ハイパフォーマンスなベンチマーカ / DNS Pseudo random subdomain attack and High performance Benchmarker
kazeburo
3
910
Privacy Techによる新しいデータ活用の形
line_developers
PRO
1
210

Featured

See All Featured
Clear Off the Table
cherdarchuk
79
290k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
2
470
A better future with KSS
kneath
230
16k
Fontdeck: Realign not Redesign
paulrobertlloyd
74
4.4k
The Illustrated Children's Guide to Kubernetes
chrisshort
23
43k
A designer walks into a library…
pauljervisheath
199
16k
Why You Should Never Use an ORM
jnunemaker
PRO
49
8k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
31
20k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
14
1.2k
Building an army of robots
kneath
300
41k
Art Directing for the Web. Five minutes with CSS Template Areas
malarkey
197
11k
In The Pink: A Labor of Love
frogandcode
133
21k

Transcript

  1. © 2012
    Presented by:
    Attacking Cloud Services w/
    Source Code
    Jonathan Claudius
    SpiderLabs Research

    View Slide

  2. © 2012
    Who, Me?
    •  Jonathan Claudius
    –  Trustwave SpiderLabs
    •  Senior Security Researcher
    •  Vulnerability Assessment Team
    –  Open Source Contributor
    •  Mostly Ruby, some other stuff

    View Slide

  3. © 2012
    Agenda
    •  Basic Terminology & Concepts
    •  OpenSource Development Woes
    •  Cloud Services to the Rescue
    •  Attacking Cloud Services
    •  Demo(s)
    •  Questions

    View Slide

  4. © 2012
    © 2012
    Basic Terminology & Concepts

    View Slide

  5. © 2012
    Continuous Integration (CI)
    •  “A practice, in software engineering, of merging
    all developers workspaces into a shared mainline
    several times a day.” ~Wikipedia
    •  Popular Example:
    –  Jenkins CI
    –  Every time I commit new code…
    •  project is built & tested

    View Slide

  6. © 2012
    Unit-testing
    •  “In computer programming, unit testing is a
    method by which individual units of source
    code … are tested to determine if they are fit
    for use” ~ Wikipedia
    •  A Ruby Example

    View Slide

  7. © 2012
    Basic CI Infrastructure Setup
    Source: https://www.simple-talk.com

    View Slide

  8. © 2012
    © 2012
    OpenSourcing Ain’t Easy

    View Slide

  9. © 2012
    OpenSource Dev as a Hobby
    •  I write code…
    –  after work
    –  on the weekend
    –  while “watching tv”
    •  I do it because…
    –  I enjoy solving problems
    –  I like to learn stuff
    –  I meet interesting people

    View Slide

  10. © 2012
    The “down-side”
    •  Limited Time & Resources
    •  Everyone can Contribute
    •  Worried about Code Quality
    •  No Fancy CI Infrastructure

    View Slide

  11. © 2012
    © 2012
    Cloud Services to the Rescue!

    View Slide

  12. © 2012
    Hosted Cloud CI Providers
    •  Have been popping up over the past couple years
    •  Some Examples:

    View Slide

  13. © 2012
    Here’s how it works…
    Developer
    GitHub Travis-CI
    Heroku
    Engine Yard
    ?

    View Slide

  14. © 2012
    Easy Setup

    View Slide

  15. © 2012
    Easy Setup

    View Slide

  16. © 2012
    Building Project Against All Rubies!

    View Slide

  17. © 2012
    Full Build History

    View Slide

  18. © 2012
    Builds Pull Requests Too!

    View Slide

  19. © 2012
    Builds Pull Requests Too!

    View Slide

  20. © 2012
    © 2012
    Side Track: Quick Story…

    View Slide

  21. © 2012
    “Hacking with Gems” by Ben Smith

    View Slide

  22. © 2012
    Ben’s Talk Got Me Thinking…
    •  Assumptions…
    –  Social Engineering
    –  Obfuscation
    •  What if I could...
    –  Guarantee Code Execution
    –  Hide Nothing
    –  Control When Things Happened

    View Slide

  23. © 2012
    © 2012
    Attacking Cloud Services

    View Slide

  24. © 2012
    What’s happening on CI Servers?
    •  In Ruby…
    –  A CI server executes “rake spec”
    –  Translates to “run all my unit tests”
    •  Crazy thought…
    –  Ruby Unit-Tests (aka: specs) are just plain Ruby
    –  What if I added malicious code to my specs?

    View Slide

  25. © 2012
    How would that work?
    Developer
    GitHub Travis-CI
    Heroku
    Engine Yard
    ?

    View Slide

  26. © 2012
    I built my own CI Server…
    •  Why?
    –  To emulate these CI servers
    –  To avoid pissing people off
    –  To not feel guilty when I did bad things
    •  Used Jenkins-CI

    View Slide

  27. © 2012
    Here’s how my simple setup works…
    Developer
    GitHub
    Jenkins-CI

    View Slide

  28. © 2012
    Break Out of Build Root
    •  Basic Directory Traversal
    •  Limited Sandboxing
    –  Discover/Access other projects built on this server

    View Slide

  29. © 2012
    Break Out of Build Root

    View Slide

  30. © 2012
    Scanning the Local Segment
    •  Perform an NMAP scan of neighboring hosts
    •  We’re now behind the firewall
    •  Potential for pivoting?

    View Slide

  31. © 2012
    Scanning the Local Segment

    View Slide

  32. © 2012
    Authenticate Back to SCM
    •  Check to see if I can ssh key-auth back to GitHub
    •  R/RW SSH Key-auth
    •  Trojan project on SCM?

    View Slide

  33. © 2012
    Authenticate Back to SCM

    View Slide

  34. © 2012
    Reverse Shell
    •  Get a command shell on the CI server
    •  Source
    –  http://pentestmonkey.net/cheat-sheet/shells/reverse-
    shell-cheat-sheet

    View Slide

  35. © 2012
    © 2012
    Demo(s)?

    View Slide

  36. © 2012
    Demo #1
    •  Background
    –  I’m a malicious person
    –  I have commit access to your project
    –  I want to attack your CI
    •  Target
    –  Get a shell on the CI server

    View Slide

  37. © 2012
    Demo #2
    •  Background
    –  I’m a really bad person
    –  Send Malicious Pull Request
    –  Get Code Exec on CI
    –  Leverage SSH key auth fail
    •  Target
    –  Use CI to perform
    unauthorized commit to
    project(s)

    View Slide

  38. © 2012
    © 2012
    A Tool to Help

    View Slide

  39. © 2012
    rotten_apple
    •  I created a project on GitHub
    –  http://github.com/claudijd/rotten_apple
    •  Built on Unit-test Concept
    –  Pass/Fail Tests
    •  Two Name Spaces
    –  RottenApple::Attack
    –  RottenApple::Audit
    “Build me
    on your CI”

    View Slide

  40. © 2012
    Target Audiences for rotten_apple
    •  Developers
    •  Quality Assurance
    •  System Administrators
    •  CI Providers (Cloud and non-Cloud)
    •  Net/App Penetration Testers
    –  Metasploit payloads/module(s)?

    View Slide

  41. © 2012
    © 2012
    Parting Thoughts…

    View Slide

  42. © 2012
    Parting Thoughts
    •  CI servers are open by design
    •  Trust Relationships Exist & Can Be Abused
    •  Demos
    –  #1 - CI’s can be used as an Attack Pivot
    –  #2 - Using GitHub integrated CI’s prevent key trust
    issues (be wary of user keys vs. deploy keys)
    •  We should test our CI services for weaknesses

    View Slide

  43. © 2012
    © 2012
    Questions?

    View Slide

  44. © 2012
    © 2012
    Thank You!
    Twitter: @claudijd

    View Slide