Successfully reported this slideshow.

Continuous intrusion: Why CI tools are an attacker’s best friends

3

Share

1
2
3

YouTube videos are no longer supported on SlideShare

View original on YouTube

Loading in …3
×
1 of 66
1 of 66

Continuous intrusion: Why CI tools are an attacker’s best friends

3

Share

Download to read offline

Slides of the talk I gave at BlackHat Europe and DeepSec 2015. Continuous Integration (CI) tools provide an excellent attack surface due to the no/poor security controls, distributed build management capability, and level of access/privileges in an enterprise.

This talk looks at the CI tools from an attacker's perspective and to use them as portals for getting a foothold and lateral movement. We will see how to execute attacks like command and script execution, credentials stealing, privilege escalation to not only compromise the build process but the underlying operating system and even entire Windows domains. No memory corruption bugs will be exploited and only the features of the CI tools will be used.

Slides of the talk I gave at BlackHat Europe and DeepSec 2015. Continuous Integration (CI) tools provide an excellent attack surface due to the no/poor security controls, distributed build management capability, and level of access/privileges in an enterprise.

This talk looks at the CI tools from an attacker's perspective and to use them as portals for getting a foothold and lateral movement. We will see how to execute attacks like command and script execution, credentials stealing, privilege escalation to not only compromise the build process but the underlying operating system and even entire Windows domains. No memory corruption bugs will be exploited and only the features of the CI tools will be used.

More Related Content

Related Books

Free with a 14 day trial from Scribd

See all

Continuous intrusion: Why CI tools are an attacker’s best friends

  1. 1. 1
  2. 2. 2
  3. 3. 3
  4. 4. 4
  5. 5. More about Continuous Integration: http://www.martinfowler.com/articles/continuousIntegration.html 5
  6. 6. 6
  7. 7. 7
  8. 8. * Hudson was not evaluated separately. Most of the things which apply on Jenkins should apply on Hudson as well. 8
  9. 9. 9
  10. 10. 10
  11. 11. 11
  12. 12. http://www.labofapenetrationtester.com/2014/08/script-execution-and-privilege- esc-jenkins.html 12
  13. 13. The rights of the user to add or change build configuration are managed using Matrix based security or Project-based Matrix Authorization Strategy. https://wiki.jenkins-ci.org/display/JENKINS/Matrix-based+security When running commands on a Windows machine we can leverage PowerShell to execute advanced scripts using this method. 13
  14. 14. The Jenkins service must be restarted after that. During the tests, I was unable to successfully restart the Jenkins service from a build step even on Windows (with SYSTEM privileges). The workaround is to have an interactive reverse shell on the host machine and restart Jenkins service. Jenkins documentation on Disabling Security https://wiki.jenkins-ci.org/display/JENKINS/Disable+security 14
  15. 15. https://imgflip.com/memegenerator/Surprised-Koala 15
  16. 16. Taken from http://thiébaud.fr/jenkins_credentials.html 16
  17. 17. We need credentials.xml from $JENKINS_HOME and master.key and hudson.util.secret from $JENKINS_HOME/secrets/ We are reading the keys master.key and hudson.util.secret in bytes and will convert them back to file on our own machine. On a Windows machine the conversion could be done by using TextToExe.ps1 from Nishang. https://github.com/samratashok/nishang/blob/master/Utility/TexttoExe.ps1 17
  18. 18. 18
  19. 19. 19
  20. 20. 20
  21. 21. 21
  22. 22. https://confluence.jetbrains.com/display/TCD9/Getting+Started 22
  23. 23. https://confluence.jetbrains.com/pages/viewpage.action?pageId=54334889#HowTo.. .-TeamCitySecurityNotes 23
  24. 24. 24
  25. 25. https://confluence.jetbrains.com/display/TCD9/Role+and+Permission Teamcity documentation recommends not to have build agent on master but looks like only few care about that. 25
  26. 26. A Build Step could be added with the Project Administrator or even lower privileges (if configured that way). PowerShell commands and scripts could be executed using the PowerShell runner. https://confluence.jetbrains.com/display/TCD9/PowerShell On *nix machines, shell commands and scripts could be executed. 26
  27. 27. https://confluence.jetbrains.com/display/TCD9/Super+User Fun Fact: You can lock out SuperUser for one minute by clicking Log in button five times without entering a Username and Password. This makes it easy to block it by repeating login requests indefinitely. 27
  28. 28. 28
  29. 29. 29
  30. 30. https://confluence.jetbrains.com/display/TCD9/SSH+Keys+Management Here is how it could be done: 1. To know the data directory of the master, look for “Data Directory” in the teamcity-server.log. Use a PowerShell runner. 2. Use “cat <TeamCity Data Directory>configprojects<project>pluginDatassh_keys *” to list contents of all the keys. 30
  31. 31. 31
  32. 32. Teamcity supports using the Password type Parameter for passwords but I have seen so many users using Text Parameter for passwords. See: https://confluence.jetbrains.com/display/TCD9/Typed+Parameters 32
  33. 33. 33
  34. 34. Couple of examples of credentials in Build Logs. In both the above screenshots, access to public instances and the Build Logs is with Guest privileges. 34
  35. 35. 35
  36. 36. http://www.go.cd/ http://www.thoughtworks.com/products/go-continuous-delivery 36
  37. 37. http://support.thoughtworks.com/entries/22299328-Go-Security-Questions 37
  38. 38. 38
  39. 39. http://support.thoughtworks.com/entries/22873043-go-s-custom-command http://www.go.cd/documentation/user/current/advanced_usage/command_reposito ry.html 39
  40. 40. We need Pipeline Group Administrator rights to be able to configure Jobs which can run custom commands. 40
  41. 41. 41
  42. 42. In above, the command cmd /c powershell -c del 'C:Program Files (x86)Go Serverconfigcruise-config.xml’ will remove the configuration file of Go. The command cmd /c powershell –c Restart-Service 'Go Server‘ will restart the Go Server service. After this, all security will be removed from the Go dashboard and anyone who knows the URL will have admin rights. Instead of removing the cruise-config.xml file, we can also remove only the <security></security> part of it and restart the Go Server service for same effect. Or we can add the current user to <admins> in the <security> part of cruise- config.xml 42
  43. 43. 43
  44. 44. Documentation on using password files: http://www.go.cd/documentation/user/current/configuration/dev_authentication.ht ml https://github.com/gocd/gocd/blob/master/manual- testing/ant_hg/password.properties Location of SSH keys is: C:/Program Files (x86)/Go Server/%HOMEDRIVE%%HOMEPATH%/.ssh /var/go/.ssh on Linux 44
  45. 45. 45
  46. 46. 46
  47. 47. 47
  48. 48. 48
  49. 49. Documentation for the exec builder: http://cruisecontrol.sourceforge.net/main/configxml.html#exec 49
  50. 50. 50
  51. 51. 51
  52. 52. 52
  53. 53. Also see: https://github.com/foxglovesec/JavaUnserializeExploits https://github.com/frohoff/ysoserial 53
  54. 54. I am using an encoded one line PowerShell reverse shell from Nishang as the payload in the above screenshot. (https://github.com/samratashok/nishang/blob/master/Shells/Invoke- PowerShellTcpOneLine.ps1) 54
  55. 55. 55
  56. 56. 56
  57. 57. 57
  58. 58. 58
  59. 59. 59
  60. 60. 60
  61. 61. 61
  62. 62. 62
  63. 63. 63
  64. 64. 64
  65. 65. 65

Editor's Notes

  • More about Continuous Integration: http://www.martinfowler.com/articles/continuousIntegration.html
  • * Hudson was not evaluated separately. Most of the things which apply on Jenkins should apply on Hudson as well.
  • http://www.labofapenetrationtester.com/2014/08/script-execution-and-privilege-esc-jenkins.html
  • The rights of the user to add or change build configuration are managed using Matrix based security or Project-based Matrix Authorization Strategy.
    https://wiki.jenkins-ci.org/display/JENKINS/Matrix-based+security

    When running commands on a Windows machine we can leverage PowerShell to execute advanced scripts using this method.
  • The Jenkins service must be restarted after that. During the tests, I was unable to successfully restart the Jenkins service from a build step even on Windows (with SYSTEM privileges). The workaround is to have an interactive reverse shell on the host machine and restart Jenkins service.

    Jenkins documentation on Disabling Security
    https://wiki.jenkins-ci.org/display/JENKINS/Disable+security
  • https://imgflip.com/memegenerator/Surprised-Koala
  • Taken from http://thiébaud.fr/jenkins_credentials.html
  • We need credentials.xml from $JENKINS_HOME and master.key and hudson.util.secret from $JENKINS_HOME/secrets/

    We are reading the keys master.key and hudson.util.secret in bytes and will convert them back to file on our own machine. On a Windows machine the conversion could be done by using TextToExe.ps1 from Nishang. https://github.com/samratashok/nishang/blob/master/Utility/TexttoExe.ps1
  • https://confluence.jetbrains.com/display/TCD9/Getting+Started
  • https://confluence.jetbrains.com/pages/viewpage.action?pageId=54334889#HowTo...-TeamCitySecurityNotes
  • https://confluence.jetbrains.com/display/TCD9/Role+and+Permission

    Teamcity documentation recommends not to have build agent on master but looks like only few care about that.
  • A Build Step could be added with the Project Administrator or even lower privileges (if configured that way). PowerShell commands and scripts could be executed using the PowerShell runner.
    https://confluence.jetbrains.com/display/TCD9/PowerShell

    On *nix machines, shell commands and scripts could be executed.
  • https://confluence.jetbrains.com/display/TCD9/Super+User
    Fun Fact: You can lock out SuperUser for one minute by clicking Log in button five times without entering a Username and Password. This makes it easy to block it by repeating login requests indefinitely.
  • https://confluence.jetbrains.com/display/TCD9/SSH+Keys+Management

    Here is how it could be done:
    To know the data directory of the master, look for “Data Directory” in the teamcity-server.log. Use a PowerShell runner.
    Use “cat <TeamCity Data Directory>\config\projects\<project>\pluginData\ssh_keys\ *” to list contents of all the keys.
  • Teamcity supports using the Password type Parameter for passwords but I have seen so many users using Text Parameter for passwords.
    See: https://confluence.jetbrains.com/display/TCD9/Typed+Parameters
  • Couple of examples of credentials in Build Logs. In both the above screenshots, access to public instances and the Build Logs is with Guest privileges.
  • http://www.go.cd/
    http://www.thoughtworks.com/products/go-continuous-delivery
  • http://support.thoughtworks.com/entries/22299328-Go-Security-Questions
  • http://support.thoughtworks.com/entries/22873043-go-s-custom-command
    http://www.go.cd/documentation/user/current/advanced_usage/command_repository.html
  • We need Pipeline Group Administrator rights to be able to configure Jobs which can run custom commands.
  • In above, the command cmd /c powershell -c del 'C:\Program Files (x86)\Go Server\config\cruise-config.xml’ will remove the configuration file of Go.
    The command cmd /c powershell –c Restart-Service 'Go Server‘ will restart the Go Server service.
    After this, all security will be removed from the Go dashboard and anyone who knows the URL will have admin rights.

    Instead of removing the cruise-config.xml file, we can also remove only the <security></security> part of it and restart the Go Server service for same effect.

    Or we can add the current user to <admins> in the <security> part of cruise-config.xml
  • Documentation on using password files:
    http://www.go.cd/documentation/user/current/configuration/dev_authentication.html
    https://github.com/gocd/gocd/blob/master/manual-testing/ant_hg/password.properties

    Location of SSH keys is:
    C:/Program Files (x86)/Go Server/%HOMEDRIVE%%HOMEPATH%/.ssh
    /var/go/.ssh on Linux
  • Documentation for the exec builder:
    http://cruisecontrol.sourceforge.net/main/configxml.html#exec
  • Also see: https://github.com/foxglovesec/JavaUnserializeExploits
    https://github.com/frohoff/ysoserial
  • I am using an encoded one line PowerShell reverse shell from Nishang as the payload in the above screenshot. (https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1)
  • ×