Slide 1

Attacking Cloud Services w/ Source Code
Presented by: Jonathan Claudius, SpiderLabs Research
© 2012

Slide 2

Who, Me?
•  Jonathan Claudius
   –  Trustwave SpiderLabs
      •  Senior Security Researcher
      •  Vulnerability Assessment Team
   –  Open Source Contributor
      •  Mostly Ruby, some other stuff

Slide 3

Agenda
•  Basic Terminology & Concepts
•  OpenSource Development Woes
•  Cloud Services to the Rescue
•  Attacking Cloud Services
•  Demo(s)
•  Questions

Slide 4

Basic Terminology & Concepts

Slide 5

Continuous Integration (CI)
•  “A practice, in software engineering, of merging all developers' workspaces into a shared mainline several times a day.” ~ Wikipedia
•  Popular Example:
   –  Jenkins CI
   –  Every time I commit new code…
      •  project is built & tested

Slide 6

Unit-testing
•  “In computer programming, unit testing is a method by which individual units of source code … are tested to determine if they are fit for use” ~ Wikipedia
•  A Ruby Example

Slide 7

Basic CI Infrastructure Setup
(Diagram) Source: https://www.simple-talk.com

Slide 8

OpenSourcing Ain’t Easy

Slide 9

OpenSource Dev as a Hobby
•  I write code…
   –  after work
   –  on the weekend
   –  while “watching tv”
•  I do it because…
   –  I enjoy solving problems
   –  I like to learn stuff
   –  I meet interesting people

Slide 10

The “down-side”
•  Limited Time & Resources
•  Everyone can Contribute
•  Worried about Code Quality
•  No Fancy CI Infrastructure

Slide 11

Cloud Services to the Rescue!

Slide 12

Hosted Cloud CI Providers
•  Have been popping up over the past couple of years
•  Some Examples:

Slide 13

Here’s how it works…
(Diagram) Developer, GitHub, Travis-CI, Heroku, Engine Yard, ?

Slide 14

Easy Setup

Slide 15

Easy Setup

Slide 16

Building Project Against All Rubies!

Slide 17

Full Build History

Slide 18

Builds Pull Requests Too!

Slide 19

Builds Pull Requests Too!

Slide 20

Side Track: Quick Story…

Slide 21

“Hacking with Gems” by Ben Smith

Slide 22

Ben’s Talk Got Me Thinking…
•  Assumptions…
   –  Social Engineering
   –  Obfuscation
•  What if I could...
   –  Guarantee Code Execution
   –  Hide Nothing
   –  Control When Things Happened

Slide 23

Attacking Cloud Services

Slide 24

What’s happening on CI Servers?
•  In Ruby…
   –  A CI server executes “rake spec”
   –  Translates to “run all my unit tests”
•  Crazy thought…
   –  Ruby Unit-Tests (aka: specs) are just plain Ruby
   –  What if I added malicious code to my specs?

Slide 25

How would that work?
(Diagram) Developer, GitHub, Travis-CI, Heroku, Engine Yard, ?

Slide 26

I built my own CI Server…
•  Why?
   –  To emulate these CI servers
   –  To avoid pissing people off
   –  To not feel guilty when I did bad things
•  Used Jenkins-CI

Slide 27

Here’s how my simple setup works…
(Diagram) Developer, GitHub, Jenkins-CI

Slide 28

Break Out of Build Root
•  Basic Directory Traversal
•  Limited Sandboxing
   –  Discover/Access other projects built on this server

Slide 29

Break Out of Build Root

Slide 30

Scanning the Local Segment
•  Perform an NMAP scan of neighboring hosts
•  We’re now behind the firewall
•  Potential for pivoting?

Slide 31

Scanning the Local Segment

Slide 32

Authenticate Back to SCM
•  Check to see if I can SSH key-auth back to GitHub
•  R/RW SSH key-auth
•  Trojan project on SCM?

Slide 33

Authenticate Back to SCM

Slide 34

Reverse Shell
•  Get a command shell on the CI server
•  Source
   –  http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

Slide 35

Demo(s)?

Slide 36

Demo #1
•  Background
   –  I’m a malicious person
   –  I have commit access to your project
   –  I want to attack your CI
•  Target
   –  Get a shell on the CI server

Slide 37

Demo #2
•  Background
   –  I’m a really bad person
   –  Send Malicious Pull Request
   –  Get Code Exec on CI
   –  Leverage SSH key-auth fail
•  Target
   –  Use CI to perform unauthorized commit to project(s)

Slide 38

A Tool to Help

Slide 39

rotten_apple
•  I created a project on GitHub
   –  http://github.com/claudijd/rotten_apple
•  Built on Unit-test Concept
   –  Pass/Fail Tests
•  Two Name Spaces
   –  RottenApple::Attack
   –  RottenApple::Audit
“Build me on your CI”
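The audit side of the idea on this slide, and the two weaknesses walked through on the "Break Out of Build Root" and "Authenticate Back to SCM" slides, can be expressed as pass/fail checks a build runs against the host it lands on. The block below is an added example written for this page; it is not the rotten_apple project's own code and does not use its API. It assumes a Jenkins-style layout where each job's workspace sits beside the others under one parent directory, and it probes (a) whether the build can list sibling workspaces and (b) whether SSH private keys are present in the build user's home. The check names, the `demo_layout` helper and the fake key are constructed here.

```ruby
# Added example, not the rotten_apple project's own code: a minimal
# RottenApple::Audit-style set of pass/fail checks. Each check returns a
# Result so a CI job can fail the build when the host is weaker than expected.
require 'tmpdir'
require 'fileutils'

module CiAudit
  Result = Struct.new(:check, :status, :detail) do
    def pass?
      status == :pass
    end
  end

  # Sibling directories of the build root that the build user can list.
  # On a shared CI host these are typically other jobs' workspaces; an
  # isolated build should not be able to see any.
  def self.readable_siblings(build_root)
    me     = File.expand_path(build_root)
    parent = File.expand_path('..', me)
    Dir.children(parent)
       .map { |n| File.join(parent, n) }
       .select { |p| File.directory?(p) && p != me && File.readable?(p) }
  rescue Errno::EACCES, Errno::ENOENT
    []
  end

  # Private SSH keys in the build user's ~/.ssh, detected by the PEM/OpenSSH
  # header rather than by file name. A key here is what lets a build
  # authenticate back to the SCM, so a build host should normally have none.
  def self.private_ssh_keys(home)
    Dir.glob(File.join(home, '.ssh', '*')).select do |f|
      File.file?(f) && !f.end_with?('.pub') && File.read(f, 40).to_s.include?('PRIVATE KEY')
    end
  end

  # Run every check and return the list of Results (check names are assumed).
  def self.run(build_root:, home:)
    sibs = readable_siblings(build_root)
    keys = private_ssh_keys(home)
    [
      Result.new('build root isolated from other workspaces', sibs.empty? ? :pass : :fail, sibs),
      Result.new('no SSH private keys on build host',         keys.empty? ? :pass : :fail, keys),
    ]
  end
end

# Constructed host layout for the demo: a workspace parent holding this job's
# build root and, when shared: is true, a second job's workspace plus a fake
# private key in the build user's ~/.ssh. Returns the audit results.
def demo_layout(shared:)
  Dir.mktmpdir do |root|
    ws   = File.join(root, 'workspace')
    mine = File.join(ws, 'my_project')
    home = File.join(root, 'home')
    FileUtils.mkdir_p([mine, File.join(home, '.ssh')])
    if shared
      FileUtils.mkdir_p(File.join(ws, 'other_project'))
      File.write(File.join(home, '.ssh', 'id_rsa'),
                 "-----BEGIN RSA PRIVATE KEY-----\nfake-constructed-key\n-----END RSA PRIVATE KEY-----\n")
    end
    CiAudit.run(build_root: mine, home: home)
  end
end

if __FILE__ == $0
  demo_layout(shared: true).each do |r|
    puts "[#{r.status}] #{r.check} #{r.detail.inspect}"
  end
end
```

On a real job, call `CiAudit.run(build_root: Dir.pwd, home: Dir.home)` from a spec and fail the test if any Result is not `pass?`; the "shared" demo layout yields two failures, the locked-down one passes both.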

Slide 40

Target Audiences for rotten_apple
•  Developers
•  Quality Assurance
•  System Administrators
•  CI Providers (Cloud and non-Cloud)
•  Net/App Penetration Testers
   –  Metasploit payloads/module(s)?

Slide 41

Parting Thoughts…

Slide 42

Parting Thoughts
•  CI servers are open by design
•  Trust Relationships Exist & Can Be Abused
•  Demos
   –  #1 - CIs can be used as an Attack Pivot
   –  #2 - Using GitHub-integrated CIs prevents key trust issues (be wary of user keys vs. deploy keys)
•  We should test our CI services for weaknesses

Slide 43

Questions?

Slide 44

Thank You!
Twitter: @claudijd