BSides London 2021 BSides London 2021

Saturday, November 13, 2021

GitOops! All paths lead to clouds

Can you take over a company by opening a pull request against an internal repository? Probably.

We'll explore lateral movement and privilege escalation in a GitHub organization by abusing CI/CD pipelines and GitHub access controls, and present a tool for querying attack paths via a graph database, Bloodhound-style.

We will start by covering how an attacker can leverage CI/CD pipelines to exfiltrate credentials or gain command execution in restricted contexts, giving concrete examples with CircleCI and GitHub Actions. We will then proceed to showcase another vector attackers can take advantage of to pivot into production contexts in many organizations: Terraform plans.

  At this point - if you weren't already familiar with the dangers of CI/CD systems - you'll never look at pull requests the same way again. After covering the basics we will introduce GitOops, a tool we developed to query these attack paths at scale in large GitHub organizations with multiple CI/CD systems. In addition to mapping relationships between GitHub users, teams and repositories, GitOops maps relationships between those and environment variables in CI/CD systems. This will allow us to query paths to secrets available in pull request contexts.

 We can now get answers to questions such as "What AWS credentials can my user directly and indirectly access?", "Who do I need to compromise to get access to Artifactory and GCP?" and "I see there's a GitHub token in this CI/CD pipeline, what new repositories and secrets can I gain access to by pivoting through that token?". This talk will hopefully add another dimension to your offensive and defensive toolkit.