SlideShare a Scribd company logo

Build Time Hacking

Download as PPTX, PDF
Mohammed Tanveer
Mohammed Tanveer

Imagine we had the power to understand the code before its complied or embedding a backdoor or even stealing legitimate certificates of a well known vendor and using them to sign malware? Join me in the journey of exploring security issues that tend to happen during Build Time in typical enterprise environments.

Software
1 of 39
Build Time Hacking Mohammed Tanveer 21- March-2015
About me Security Engineer at Citrix R&D India Pvt. Ltd. Gamer by the night and hacker by the day ;-) Twitter: @threatpointer Disclaimer: Thoughts and views expressed are of my own and does not resemble any of my employers!
Hacking during building Software! Imagine we had the power to understand the code before its complied How about embedding a backdoor ? How about stealing legitimate certificates of a well known vendor and using them to sign malware? Or even reading error logs which threw out a ton of useful internal details about the application itself!
Today- What to expect! Explore frequently found Build Infrastructure design & implementation issues Understand the threat landscape from the “build” point of view! Gain better sight on assessing your existing Build infrastructure Proposed ways on securing your build environment using existing tools and hardening guidelines.
About- Software Build
What is Build From ToProcess of conversion Source code Artifacts run at the end-user workstation 6
Why do we need to build ? 7 Configuration Build RESULT OF  defined set of components having specific versions  components = functional units  components and their versions are chosen to meet specific objectives or tasks Main objectives Functionality Performance
• Conclusively:  To incorporate additional functionality (feature)  To reach defined level of performance (as an example of non- functional requirement) 8 Why do we need to build ?
Build tasks by priority •Compilation •Deployment • DB integration • Unit testing • Code coverage • Static analysis • Source code metrics • Dynamic analysis • Documentation generation • … 9
Build types • Classification by use: • Private [Developers build] • Integration [Centralized build] • Release [delivery to the end-user] 10
Build Tools GNU Auto tools • make • automake • autoconf • autoheader • libtool • gettext • gcc • pkg-config Auto tools alternatives • pymake • CMake • Cons • SCons • qmake • makepp • JAM • waf Continuous Integration Tools • AnthillPro • Bamboo • Apache Continuum • BuildIT • BuildBot • Hudson • Jenkins • Team Foundation Server • TeamCity • Travis CI
Build Tools GNU Auto tools • make • automake • autoconf • autoheader • libtool • gettext • gcc • pkg-config Auto tools alternatives • pymake • CMake • Cons • SCons • qmake • makepp • JAM • waf Continuous Integration Tools • AnthillPro • Bamboo • Apache Continuum • BuildIT • BuildBot • Hudson • Jenkins • Team Foundation Server • TeamCity • Travis CI
What is Continuous Integration Continuous Integration is a software development practice where members of a team integrate their work frequently, usually each person integrates at least daily - leading to multiple integrations per day. Each integration is verified by an automated build (including test) to detect integration errors as quickly as possible. --by Martin Fowler Ref: http://martinfowler.com/articles/continuousIntegration.html
Continuous Integration Overview Ref: http://www.javaworld.com/javaworld/jw-12-2008/images/CIOverview.jpg
Opportunities during Build Process • External facing Assets  GitHub/Subversion -SVN’s  Build Engineer’s Tools – ex: Jenkins • Internally facing Assets  Source Code Repositories- Perforce, GIT  CI Tools  Monitoring Tools  QA Testing Tools  Code Signing Tools/keys
External facing –Opportunities • Source code put up on Git/SVN is usually open to public, partially private or completely private • Where is the opportunity ? 1. Imagine a naïve developer contributes to an open source project with a new feature, checks in code, project lead- reviews the feature/functionality and merges it the master repository 2. Invested efforts perform code audits to find bugs, often using them as ZeroDays • This would imply to all projects that are completely open sourced or partially private ones.
What about completely Private ones ? • We all know we don’t have access to them directly, right ? The Indirect Way: (PenTester’s Way) • Check for all available build tools/assets that are being used by the target vendor Example: Jenkins
External facing –cont. Build triggering and monitoring Tool- Jenkins Jenkins an award winning CI tool and has the most active community in its category We even have plenty of dorks
Jenkins- Jenkins has had a very rich history of being PenTester friendly Links for reference: https://www.pentestgeek.com/2014/06/13/hacking-jenkins-servers-with-no-password/ http://www.labofapenetrationtester.com/2014/06/hacking-jenkins-servers.html http://xn--thibaud-dya.fr/jenkins_credentials.html http://dariusfreamon.wordpress.com/2014/01/07/jenkins-accountpasswordreset-account- name-enumeration/
Jenkins User Id’s • Exposed Jenkins interface reveals information about the developers participating in the software projects. It is possible to extract user id’s of the registered accounts with associated names. This is a substantial point of gaining information about the users of a specific organization.
Software Builds Information and Source Codes • Information about the changes in the software over a passage of time reveals information about the development flow of the components. Jenkins application does not ask for any explicit permission from the administrators to validate the user before accessing the ongoing software builds.
Server-side Information Disclosure in Environment Variables: • Access to environment variables provides plethora of information. Example shows the significant information about the configuration for MySQL (JDBC) database server. The attacker can easily glean username and password of the database (SONAR_JDBC_USERNAME & SONAR_JDBC_PASSWORD) including the internal IP address with port number on which JDBC service is running
Server-side Information Disclosure in Environment Variables: -Count
Exposure of Application Secret Data In this example, the curl command uses a secret key to connect to a specific domain for fetching JSON data through GET request. The underlined example shows how a secret key is extracted by accessing the console- output.
CRON Job Execution The example shown below presents the creation of database by a specific cron job in one of the vulnerable Jenkins configuration. It reveals how the table of OAUTH tokens is created and index is generated. The example shows the creation of database by a specific CRON job in one of the vulnerable Jenkins configuration. It reveals how the table of OAUTH tokens is created and index is generated.
Jenkins- Thick client issues Jenkins comes with a command line utility which allows us to remotely manage builds on different nodes The client jar file can be modified to execute code on the remote Jenkins server
CLI Architecture & Quick Demo! Makes a http request on Port 8080 Looks for a CLI port in response headers Returns the CLI port that has been configured to listen on CLIENT SERVER An http request is sent on the specific port ELSE Full Duplex http stream CLIENT SERVER
Jenkins – Groovy Script • Jenkins features a nice Groovy script console which allows to run arbitrary scripts on the Jenkins server or on slave nodes. This feature can be accessed from the "manage Jenkins" link, typically at your http://server/jenkins/scr ipt
MetaSploit Love • Use the Auxiliary mode to understand the Jenkins configurations • Using Jenkins Script-Console Java Execution • exploit/multi/http/jenkins_script_console
Jenkins- Plugins • SonarQube • SonarQube Plugin for Jenkins contains a flaw that is triggered when a direct request is sent for /jenkins/configure, which will cause the plugin to display password information via the 'sonar.sonarPassword ' parameter. This may allow a remote authenticated attacker to gain access to password information • Active Directory • Jenkins contains an unspecified flaw in the Active Directory plugin that may allow an attacker to gain unauthorized administrator access • Open ID • Jenkins Open ID Plugin contains an unspecified flaw in SSO mode that may allow an attacker to gain unauthorized administrative access
Plugins Hudson Tray Application • This plugin provides the Hudson User a tool that runs on their desktop, that monitors the status of the Hudson Server (multiple servers supported), and provides a simple tray icon on the Notification Panel/System Tray, showing them the worst case color of the Hudson Jobs they are monitoring The same plugin allows you to upload arbitrary python scripts to the server.
Lesson learnt!! We make use of the so call features of tools that are either misconfigured or mismanaged leading us to compromise the complete Build environment.
Problems known- Solutions ? Dual Jenkins -DMZ based deployment for public facing interfaces
Problems known- Solutions ? • Take special care of all tools interacting with the build environment. • Disable as many plugins as possible- reducing the overall attack surface • If a public facing Jenkins is strictly needed- Use the DMZ method explained in the previous slide. • Username used should not be same as corporate id’s, these are anyways going to be public  • Old school- Patch them regularly and check logs regularly
Speaking of Internally facing assets • Source Code Repositories- Perforce, GIT • CI Tools • Monitoring Tools • QA Testing Tools • Code Signing Tools/Private keys • Build Engineers Systems
Internally facing - Solutions
Internally facing - Solutions –cont. • Make sure all components interacting with the build environment is patched regularly and checked for any misconfigurations • Its best to have a separate domain to operate your Build environment & create groups specifically for Build engineers only • Should you have multiple teams/products, segregate them within the protected environment using dedicated VLAN’s • Define Firewall rules for only what is needed and block the rest.
Credits • Ahmed Gomaa • Nikhil SamratAshok Mittal • James Luther
Thank You!

Recommended

Part 2 improving your software development v1.0
Part 2 improving your software development v1.0Part 2 improving your software development v1.0
Part 2 improving your software development v1.0
Jasmine Conseil
 
Presentation 1 open source tools in continuous integration environment v1.0
Presentation 1 open source tools in continuous integration environment v1.0Presentation 1 open source tools in continuous integration environment v1.0
Presentation 1 open source tools in continuous integration environment v1.0
Jasmine Conseil
 
Resume
ResumeResume
Resume
Ramakrishna J
 
Venkatesh- Resume
Venkatesh- ResumeVenkatesh- Resume
Venkatesh- Resume
venkat u
 
Protecting your organization against attacks via the build system
Protecting your organization against attacks via the build systemProtecting your organization against attacks via the build system
Protecting your organization against attacks via the build system
Louis Jacomet
 
sahithi_Build_Release_Resume
sahithi_Build_Release_Resumesahithi_Build_Release_Resume
sahithi_Build_Release_Resume
deepthichowdary devineni
 
TMF2014 CI-CD Workshop Michael Palotas
TMF2014 CI-CD Workshop Michael PalotasTMF2014 CI-CD Workshop Michael Palotas
TMF2014 CI-CD Workshop Michael Palotas
KJR
 
Santhosh build and release (1)
Santhosh build and release (1)Santhosh build and release (1)
Santhosh build and release (1)
Santhosh Dodda
 

Recommended

Part 2 improving your software development v1.0
Part 2 improving your software development v1.0Part 2 improving your software development v1.0
Part 2 improving your software development v1.0
Jasmine Conseil
 
Presentation 1 open source tools in continuous integration environment v1.0
Presentation 1 open source tools in continuous integration environment v1.0Presentation 1 open source tools in continuous integration environment v1.0
Presentation 1 open source tools in continuous integration environment v1.0
Jasmine Conseil
 
Resume
ResumeResume
Resume
Ramakrishna J
 
Venkatesh- Resume
Venkatesh- ResumeVenkatesh- Resume
Venkatesh- Resume
venkat u
 
Protecting your organization against attacks via the build system
Protecting your organization against attacks via the build systemProtecting your organization against attacks via the build system
Protecting your organization against attacks via the build system
Louis Jacomet
 
sahithi_Build_Release_Resume
sahithi_Build_Release_Resumesahithi_Build_Release_Resume
sahithi_Build_Release_Resume
deepthichowdary devineni
 
TMF2014 CI-CD Workshop Michael Palotas
TMF2014 CI-CD Workshop Michael PalotasTMF2014 CI-CD Workshop Michael Palotas
TMF2014 CI-CD Workshop Michael Palotas
KJR
 
Santhosh build and release (1)
Santhosh build and release (1)Santhosh build and release (1)
Santhosh build and release (1)
Santhosh Dodda
 
Wsv406 Advanced Automation Using Windows Power Shell2.0
Wsv406 Advanced Automation Using Windows Power Shell2.0Wsv406 Advanced Automation Using Windows Power Shell2.0
Wsv406 Advanced Automation Using Windows Power Shell2.0
jsnover1
 
PHP Con09: SVN Advanced
PHP Con09: SVN AdvancedPHP Con09: SVN Advanced
PHP Con09: SVN Advanced
Emiliano Gabrielli
 
Wsv315 Windows Power Shell For Beginners
Wsv315 Windows Power Shell For BeginnersWsv315 Windows Power Shell For Beginners
Wsv315 Windows Power Shell For Beginners
jsnover1
 
Testing with Jenkins, Selenium and Continuous Deployment
Testing with Jenkins, Selenium and Continuous DeploymentTesting with Jenkins, Selenium and Continuous Deployment
Testing with Jenkins, Selenium and Continuous Deployment
Max Klymyshyn
 
Android session-1-sajib
Android session-1-sajibAndroid session-1-sajib
Android session-1-sajib
Hussain Behestee
 
Introduction to Android platform
Introduction to Android platformIntroduction to Android platform
Introduction to Android platform
maamir farooq
 
DevNation
DevNation DevNation
DevNation
jwi11iams
 
Top DevOps tools
Top DevOps toolsTop DevOps tools
Top DevOps tools
Metricoid Technology
 
Eclipse Che - A Revolutionary IDE for Distributed & Mainframe Development
Eclipse Che - A Revolutionary IDE for Distributed & Mainframe DevelopmentEclipse Che - A Revolutionary IDE for Distributed & Mainframe Development
Eclipse Che - A Revolutionary IDE for Distributed & Mainframe Development
DevOps.com
 
Automating development-operations-v1
Automating development-operations-v1Automating development-operations-v1
Automating development-operations-v1
Sumanth Vepa
 
Containers and Virtualisation for Continuous Testing
Containers and Virtualisation for Continuous Testing Containers and Virtualisation for Continuous Testing
Containers and Virtualisation for Continuous Testing
sbbabu
 
Dev ops and safety critical systems
Dev ops and safety critical systemsDev ops and safety critical systems
Dev ops and safety critical systems
Len Bass
 
Taking your code to production
Taking your code to productionTaking your code to production
Taking your code to production
muayyad alsadi
 
A better approach for testing microservices - introducing test kits in practice
A better approach for testing microservices - introducing test kits in practiceA better approach for testing microservices - introducing test kits in practice
A better approach for testing microservices - introducing test kits in practice
Maxim Novak
 
OpenTuesday: Die Selenium-Toolfamilie und ihr Einsatz im Web- und Mobile-Auto...
OpenTuesday: Die Selenium-Toolfamilie und ihr Einsatz im Web- und Mobile-Auto...OpenTuesday: Die Selenium-Toolfamilie und ihr Einsatz im Web- und Mobile-Auto...
OpenTuesday: Die Selenium-Toolfamilie und ihr Einsatz im Web- und Mobile-Auto...
Digicomp Academy AG
 
CLA Summit 2013: Connecting LabVIEW to Everything Else
CLA Summit 2013: Connecting LabVIEW to Everything ElseCLA Summit 2013: Connecting LabVIEW to Everything Else
CLA Summit 2013: Connecting LabVIEW to Everything Else
JKI
 
Continuous Integration With Jenkins
Continuous Integration With JenkinsContinuous Integration With Jenkins
Continuous Integration With Jenkins
Edureka!
 
IntelliJ IDEA Architecture and Performance
IntelliJ IDEA Architecture and PerformanceIntelliJ IDEA Architecture and Performance
IntelliJ IDEA Architecture and Performance
intelliyole
 
Continuous Integration & Package Management 101
Continuous Integration & Package Management 101Continuous Integration & Package Management 101
Continuous Integration & Package Management 101
Maor Hayun
 
Ordina Accelerator program 2019 - Jenkins blue ocean pipelines
Ordina Accelerator program 2019 - Jenkins blue ocean pipelinesOrdina Accelerator program 2019 - Jenkins blue ocean pipelines
Ordina Accelerator program 2019 - Jenkins blue ocean pipelines
Bert Koorengevel
 
Jenkins.pdf
Jenkins.pdfJenkins.pdf
Jenkins.pdf
326KUBAVATHARSHALBHA
 
Continous integration and delivery for single page applications
Continous integration and delivery for single page applicationsContinous integration and delivery for single page applications
Continous integration and delivery for single page applications
Sunil Dalal
 

More Related Content

What's hot

Eclipse Che - A Revolutionary IDE for Distributed & Mainframe Development
Eclipse Che - A Revolutionary IDE for Distributed & Mainframe DevelopmentEclipse Che - A Revolutionary IDE for Distributed & Mainframe Development
Eclipse Che - A Revolutionary IDE for Distributed & Mainframe Development
DevOps.com
 
Automating development-operations-v1
Automating development-operations-v1Automating development-operations-v1
Automating development-operations-v1
Sumanth Vepa
 
A better approach for testing microservices - introducing test kits in practice
A better approach for testing microservices - introducing test kits in practiceA better approach for testing microservices - introducing test kits in practice
A better approach for testing microservices - introducing test kits in practice
Maxim Novak
 
CLA Summit 2013: Connecting LabVIEW to Everything Else
CLA Summit 2013: Connecting LabVIEW to Everything ElseCLA Summit 2013: Connecting LabVIEW to Everything Else
CLA Summit 2013: Connecting LabVIEW to Everything Else
JKI
 

What's hot (20)

Wsv406 Advanced Automation Using Windows Power Shell2.0
Wsv406 Advanced Automation Using Windows Power Shell2.0Wsv406 Advanced Automation Using Windows Power Shell2.0
Wsv406 Advanced Automation Using Windows Power Shell2.0
 
PHP Con09: SVN Advanced
PHP Con09: SVN AdvancedPHP Con09: SVN Advanced
PHP Con09: SVN Advanced
 
Wsv315 Windows Power Shell For Beginners
Wsv315 Windows Power Shell For BeginnersWsv315 Windows Power Shell For Beginners
Wsv315 Windows Power Shell For Beginners
 
Testing with Jenkins, Selenium and Continuous Deployment
Testing with Jenkins, Selenium and Continuous DeploymentTesting with Jenkins, Selenium and Continuous Deployment
Testing with Jenkins, Selenium and Continuous Deployment
 
Android session-1-sajib
Android session-1-sajibAndroid session-1-sajib
Android session-1-sajib
 
Introduction to Android platform
Introduction to Android platformIntroduction to Android platform
Introduction to Android platform
 
DevNation
DevNation DevNation
DevNation
 
Top DevOps tools
Top DevOps toolsTop DevOps tools
Top DevOps tools
 
Eclipse Che - A Revolutionary IDE for Distributed & Mainframe Development
Eclipse Che - A Revolutionary IDE for Distributed & Mainframe DevelopmentEclipse Che - A Revolutionary IDE for Distributed & Mainframe Development
Eclipse Che - A Revolutionary IDE for Distributed & Mainframe Development
 
Automating development-operations-v1
Automating development-operations-v1Automating development-operations-v1
Automating development-operations-v1
 
Containers and Virtualisation for Continuous Testing
Containers and Virtualisation for Continuous Testing Containers and Virtualisation for Continuous Testing
Containers and Virtualisation for Continuous Testing
 
Dev ops and safety critical systems
Dev ops and safety critical systemsDev ops and safety critical systems
Dev ops and safety critical systems
 
Taking your code to production
Taking your code to productionTaking your code to production
Taking your code to production
 
A better approach for testing microservices - introducing test kits in practice
A better approach for testing microservices - introducing test kits in practiceA better approach for testing microservices - introducing test kits in practice
A better approach for testing microservices - introducing test kits in practice
 
OpenTuesday: Die Selenium-Toolfamilie und ihr Einsatz im Web- und Mobile-Auto...
OpenTuesday: Die Selenium-Toolfamilie und ihr Einsatz im Web- und Mobile-Auto...OpenTuesday: Die Selenium-Toolfamilie und ihr Einsatz im Web- und Mobile-Auto...
OpenTuesday: Die Selenium-Toolfamilie und ihr Einsatz im Web- und Mobile-Auto...
 
CLA Summit 2013: Connecting LabVIEW to Everything Else
CLA Summit 2013: Connecting LabVIEW to Everything ElseCLA Summit 2013: Connecting LabVIEW to Everything Else
CLA Summit 2013: Connecting LabVIEW to Everything Else
 
Continuous Integration With Jenkins
Continuous Integration With JenkinsContinuous Integration With Jenkins
Continuous Integration With Jenkins
 
IntelliJ IDEA Architecture and Performance
IntelliJ IDEA Architecture and PerformanceIntelliJ IDEA Architecture and Performance
IntelliJ IDEA Architecture and Performance
 
Continuous Integration & Package Management 101
Continuous Integration & Package Management 101Continuous Integration & Package Management 101
Continuous Integration & Package Management 101
 
Ordina Accelerator program 2019 - Jenkins blue ocean pipelines
Ordina Accelerator program 2019 - Jenkins blue ocean pipelinesOrdina Accelerator program 2019 - Jenkins blue ocean pipelines
Ordina Accelerator program 2019 - Jenkins blue ocean pipelines
 

Similar to Build Time Hacking

Continuous Integration and development environment approach
Continuous Integration and development environment approachContinuous Integration and development environment approach
Continuous Integration and development environment approach
Aleksandr Tsertkov
 
devops ppt for hjs jsdjhjd hsdbusinees.pptx
devops ppt for hjs jsdjhjd hsdbusinees.pptxdevops ppt for hjs jsdjhjd hsdbusinees.pptx
devops ppt for hjs jsdjhjd hsdbusinees.pptx
Deepakgupta273447
 
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
PranavPatil822557
 
Continuous Integration (Jenkins/Hudson)
Continuous Integration (Jenkins/Hudson)Continuous Integration (Jenkins/Hudson)
Continuous Integration (Jenkins/Hudson)
Dennys Hsieh
 
Build automation best practices
Build automation best practicesBuild automation best practices
Build automation best practices
Code Mastery
 
Containers: DevOp Enablers of Technical Solutions
Containers: DevOp Enablers of Technical SolutionsContainers: DevOp Enablers of Technical Solutions
Containers: DevOp Enablers of Technical Solutions
Jules Pierre-Louis
 

Similar to Build Time Hacking (20)

Jenkins.pdf
Jenkins.pdfJenkins.pdf
Jenkins.pdf
 
Continous integration and delivery for single page applications
Continous integration and delivery for single page applicationsContinous integration and delivery for single page applications
Continous integration and delivery for single page applications
 
Continuous Integration for OpenVMS with Jenkins
Continuous Integration for OpenVMS with JenkinsContinuous Integration for OpenVMS with Jenkins
Continuous Integration for OpenVMS with Jenkins
 
varun JENKINS.pptx
varun JENKINS.pptxvarun JENKINS.pptx
varun JENKINS.pptx
 
Continuous Integration and development environment approach
Continuous Integration and development environment approachContinuous Integration and development environment approach
Continuous Integration and development environment approach
 
Devops
DevopsDevops
Devops
 
devops ppt for hjs jsdjhjd hsdbusinees.pptx
devops ppt for hjs jsdjhjd hsdbusinees.pptxdevops ppt for hjs jsdjhjd hsdbusinees.pptx
devops ppt for hjs jsdjhjd hsdbusinees.pptx
 
Continuous Integration
Continuous IntegrationContinuous Integration
Continuous Integration
 
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
 
Perforce on Tour 2015 - Optimising the Developer Pipeline: Deliver Faster & ...
Perforce on Tour 2015 - Optimising the Developer Pipeline: Deliver Faster & ...Perforce on Tour 2015 - Optimising the Developer Pipeline: Deliver Faster & ...
Perforce on Tour 2015 - Optimising the Developer Pipeline: Deliver Faster & ...
 
Continuous Integration (Jenkins/Hudson)
Continuous Integration (Jenkins/Hudson)Continuous Integration (Jenkins/Hudson)
Continuous Integration (Jenkins/Hudson)
 
Dev ops using Jenkins
Dev ops using JenkinsDev ops using Jenkins
Dev ops using Jenkins
 
Build automation best practices
Build automation best practicesBuild automation best practices
Build automation best practices
 
Hudson
HudsonHudson
Hudson
 
Jenkins workflows and Best Practices
Jenkins workflows and Best PracticesJenkins workflows and Best Practices
Jenkins workflows and Best Practices
 
Application Lifecycle Management
Application Lifecycle ManagementApplication Lifecycle Management
Application Lifecycle Management
 
Containers: DevOp Enablers of Technical Solutions
Containers: DevOp Enablers of Technical SolutionsContainers: DevOp Enablers of Technical Solutions
Containers: DevOp Enablers of Technical Solutions
 
Devops architecture
Devops architectureDevops architecture
Devops architecture
 
Vijay_Teekinavar_Kallesh
Vijay_Teekinavar_KalleshVijay_Teekinavar_Kallesh
Vijay_Teekinavar_Kallesh
 
Jenkins pipeline as code
Jenkins pipeline as codeJenkins pipeline as code
Jenkins pipeline as code
 

Recently uploaded

Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
Papp Krisztián
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg
 

Recently uploaded (20)

WSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security Program
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
 
WSO2CON 2024 - Software Engineering for Digital Businesses
WSO2CON 2024 - Software Engineering for Digital BusinessesWSO2CON 2024 - Software Engineering for Digital Businesses
WSO2CON 2024 - Software Engineering for Digital Businesses
 
WSO2CON 2024 - How CSI Piemonte Is Apifying the Public Administration
WSO2CON 2024 - How CSI Piemonte Is Apifying the Public AdministrationWSO2CON 2024 - How CSI Piemonte Is Apifying the Public Administration
WSO2CON 2024 - How CSI Piemonte Is Apifying the Public Administration
 
WSO2Con2024 - Navigating the Digital Landscape: Transforming Healthcare with ...
WSO2Con2024 - Navigating the Digital Landscape: Transforming Healthcare with ...WSO2Con2024 - Navigating the Digital Landscape: Transforming Healthcare with ...
WSO2Con2024 - Navigating the Digital Landscape: Transforming Healthcare with ...
 
AzureNativeQumulo_HPC_Cloud_Native_Benchmarks.pdf
AzureNativeQumulo_HPC_Cloud_Native_Benchmarks.pdfAzureNativeQumulo_HPC_Cloud_Native_Benchmarks.pdf
AzureNativeQumulo_HPC_Cloud_Native_Benchmarks.pdf
 
WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...
WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...
WSO2Con2024 - GitOps in Action: Navigating Application Deployment in the Plat...
 
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital TransformationWSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
WSO2Con2024 - WSO2's IAM Vision: Identity-Led Digital Transformation
 
WSO2CON 2024 - Building a Digital Government in Uganda
WSO2CON 2024 - Building a Digital Government in UgandaWSO2CON 2024 - Building a Digital Government in Uganda
WSO2CON 2024 - Building a Digital Government in Uganda
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
 
WSO2Con2024 - Unleashing the Financial Potential of 13 Million People
WSO2Con2024 - Unleashing the Financial Potential of 13 Million PeopleWSO2Con2024 - Unleashing the Financial Potential of 13 Million People
WSO2Con2024 - Unleashing the Financial Potential of 13 Million People
 
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With SimplicityWSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
 
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...
WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...
 
%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto%in Soweto+277-882-255-28 abortion pills for sale in soweto
%in Soweto+277-882-255-28 abortion pills for sale in soweto
 
WSO2Con2024 - Organization Management: The Revolution in B2B CIAM
WSO2Con2024 - Organization Management: The Revolution in B2B CIAMWSO2Con2024 - Organization Management: The Revolution in B2B CIAM
WSO2Con2024 - Organization Management: The Revolution in B2B CIAM
 
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...
 
WSO2Con2024 - From Blueprint to Brilliance: WSO2's Guide to API-First Enginee...
WSO2Con2024 - From Blueprint to Brilliance: WSO2's Guide to API-First Enginee...WSO2Con2024 - From Blueprint to Brilliance: WSO2's Guide to API-First Enginee...
WSO2Con2024 - From Blueprint to Brilliance: WSO2's Guide to API-First Enginee...
 
WSO2Con2024 - Low-Code Integration Tooling
WSO2Con2024 - Low-Code Integration ToolingWSO2Con2024 - Low-Code Integration Tooling
WSO2Con2024 - Low-Code Integration Tooling
 

Build Time Hacking

  • 1. Build Time Hacking Mohammed Tanveer 21- March-2015
  • 2. About me Security Engineer at Citrix R&D India Pvt. Ltd. Gamer by the night and hacker by the day ;-) Twitter: @threatpointer Disclaimer: Thoughts and views expressed are of my own and does not resemble any of my employers!
  • 3. Hacking during building Software! Imagine we had the power to understand the code before its complied How about embedding a backdoor ? How about stealing legitimate certificates of a well known vendor and using them to sign malware? Or even reading error logs which threw out a ton of useful internal details about the application itself!
  • 4. Today- What to expect! Explore frequently found Build Infrastructure design & implementation issues Understand the threat landscape from the “build” point of view! Gain better sight on assessing your existing Build infrastructure Proposed ways on securing your build environment using existing tools and hardening guidelines.
  • 6. What is Build From ToProcess of conversion Source code Artifacts run at the end-user workstation 6
  • 7. Why do we need to build ? 7 Configuration Build RESULT OF  defined set of components having specific versions  components = functional units  components and their versions are chosen to meet specific objectives or tasks Main objectives Functionality Performance
  • 8. • Conclusively:  To incorporate additional functionality (feature)  To reach defined level of performance (as an example of non- functional requirement) 8 Why do we need to build ?
  • 9. Build tasks by priority •Compilation •Deployment • DB integration • Unit testing • Code coverage • Static analysis • Source code metrics • Dynamic analysis • Documentation generation • … 9
  • 10. Build types • Classification by use: • Private [Developers build] • Integration [Centralized build] • Release [delivery to the end-user] 10
  • 11. Build Tools GNU Auto tools • make • automake • autoconf • autoheader • libtool • gettext • gcc • pkg-config Auto tools alternatives • pymake • CMake • Cons • SCons • qmake • makepp • JAM • waf Continuous Integration Tools • AnthillPro • Bamboo • Apache Continuum • BuildIT • BuildBot • Hudson • Jenkins • Team Foundation Server • TeamCity • Travis CI
  • 12. Build Tools GNU Auto tools • make • automake • autoconf • autoheader • libtool • gettext • gcc • pkg-config Auto tools alternatives • pymake • CMake • Cons • SCons • qmake • makepp • JAM • waf Continuous Integration Tools • AnthillPro • Bamboo • Apache Continuum • BuildIT • BuildBot • Hudson • Jenkins • Team Foundation Server • TeamCity • Travis CI
  • 13. What is Continuous Integration Continuous Integration is a software development practice where members of a team integrate their work frequently, usually each person integrates at least daily - leading to multiple integrations per day. Each integration is verified by an automated build (including test) to detect integration errors as quickly as possible. --by Martin Fowler Ref: http://martinfowler.com/articles/continuousIntegration.html
  • 14. Continuous Integration Overview Ref: http://www.javaworld.com/javaworld/jw-12-2008/images/CIOverview.jpg
  • 15. Opportunities during Build Process • External facing Assets  GitHub/Subversion -SVN’s  Build Engineer’s Tools – ex: Jenkins • Internally facing Assets  Source Code Repositories- Perforce, GIT  CI Tools  Monitoring Tools  QA Testing Tools  Code Signing Tools/keys
  • 16. External facing –Opportunities • Source code put up on Git/SVN is usually open to public, partially private or completely private • Where is the opportunity ? 1. Imagine a naïve developer contributes to an open source project with a new feature, checks in code, project lead- reviews the feature/functionality and merges it the master repository 2. Invested efforts perform code audits to find bugs, often using them as ZeroDays • This would imply to all projects that are completely open sourced or partially private ones.
  • 17. What about completely Private ones ? • We all know we don’t have access to them directly, right ? The Indirect Way: (PenTester’s Way) • Check for all available build tools/assets that are being used by the target vendor Example: Jenkins
  • 18. External facing –cont. Build triggering and monitoring Tool- Jenkins Jenkins an award winning CI tool and has the most active community in its category We even have plenty of dorks
  • 19. Jenkins- Jenkins has had a very rich history of being PenTester friendly Links for reference: https://www.pentestgeek.com/2014/06/13/hacking-jenkins-servers-with-no-password/ http://www.labofapenetrationtester.com/2014/06/hacking-jenkins-servers.html http://xn--thibaud-dya.fr/jenkins_credentials.html http://dariusfreamon.wordpress.com/2014/01/07/jenkins-accountpasswordreset-account- name-enumeration/
  • 20. Jenkins User Id’s • Exposed Jenkins interface reveals information about the developers participating in the software projects. It is possible to extract user id’s of the registered accounts with associated names. This is a substantial point of gaining information about the users of a specific organization.
  • 21. Software Builds Information and Source Codes • Information about the changes in the software over a passage of time reveals information about the development flow of the components. Jenkins application does not ask for any explicit permission from the administrators to validate the user before accessing the ongoing software builds.
  • 22. Server-side Information Disclosure in Environment Variables: • Access to environment variables provides plethora of information. Example shows the significant information about the configuration for MySQL (JDBC) database server. The attacker can easily glean username and password of the database (SONAR_JDBC_USERNAME & SONAR_JDBC_PASSWORD) including the internal IP address with port number on which JDBC service is running
  • 23. Server-side Information Disclosure in Environment Variables: -Count
  • 24. Exposure of Application Secret Data In this example, the curl command uses a secret key to connect to a specific domain for fetching JSON data through GET request. The underlined example shows how a secret key is extracted by accessing the console- output.
  • 25. CRON Job Execution The example shown below presents the creation of database by a specific cron job in one of the vulnerable Jenkins configuration. It reveals how the table of OAUTH tokens is created and index is generated. The example shows the creation of database by a specific CRON job in one of the vulnerable Jenkins configuration. It reveals how the table of OAUTH tokens is created and index is generated.
  • 26. Jenkins- Thick client issues Jenkins comes with a command line utility which allows us to remotely manage builds on different nodes The client jar file can be modified to execute code on the remote Jenkins server
  • 27. CLI Architecture & Quick Demo! Makes a http request on Port 8080 Looks for a CLI port in response headers Returns the CLI port that has been configured to listen on CLIENT SERVER An http request is sent on the specific port ELSE Full Duplex http stream CLIENT SERVER
  • 28. Jenkins – Groovy Script • Jenkins features a nice Groovy script console which allows to run arbitrary scripts on the Jenkins server or on slave nodes. This feature can be accessed from the "manage Jenkins" link, typically at your http://server/jenkins/scr ipt
  • 29. MetaSploit Love • Use the Auxiliary mode to understand the Jenkins configurations • Using Jenkins Script-Console Java Execution • exploit/multi/http/jenkins_script_console
  • 30. Jenkins- Plugins • SonarQube • SonarQube Plugin for Jenkins contains a flaw that is triggered when a direct request is sent for /jenkins/configure, which will cause the plugin to display password information via the 'sonar.sonarPassword ' parameter. This may allow a remote authenticated attacker to gain access to password information • Active Directory • Jenkins contains an unspecified flaw in the Active Directory plugin that may allow an attacker to gain unauthorized administrator access • Open ID • Jenkins Open ID Plugin contains an unspecified flaw in SSO mode that may allow an attacker to gain unauthorized administrative access
  • 31. Plugins Hudson Tray Application • This plugin provides the Hudson User a tool that runs on their desktop, that monitors the status of the Hudson Server (multiple servers supported), and provides a simple tray icon on the Notification Panel/System Tray, showing them the worst case color of the Hudson Jobs they are monitoring The same plugin allows you to upload arbitrary python scripts to the server.
  • 32. Lesson learnt!! We make use of the so call features of tools that are either misconfigured or mismanaged leading us to compromise the complete Build environment.
  • 33. Problems known- Solutions ? Dual Jenkins -DMZ based deployment for public facing interfaces
  • 34. Problems known- Solutions ? • Take special care of all tools interacting with the build environment. • Disable as many plugins as possible- reducing the overall attack surface • If a public facing Jenkins is strictly needed- Use the DMZ method explained in the previous slide. • Username used should not be same as corporate id’s, these are anyways going to be public  • Old school- Patch them regularly and check logs regularly
  • 35. Speaking of Internally facing assets • Source Code Repositories- Perforce, GIT • CI Tools • Monitoring Tools • QA Testing Tools • Code Signing Tools/Private keys • Build Engineers Systems
  • 36. Internally facing - Solutions
  • 37. Internally facing - Solutions –cont. • Make sure all components interacting with the build environment is patched regularly and checked for any misconfigurations • Its best to have a separate domain to operate your Build environment & create groups specifically for Build engineers only • Should you have multiple teams/products, segregate them within the protected environment using dedicated VLAN’s • Define Firewall rules for only what is needed and block the rest.
  • 38. Credits • Ahmed Gomaa • Nikhil SamratAshok Mittal • James Luther