RomHack 2024 - Adnan Khan - The dark side of github actions

Описание: Adnan Khan

The dark side of github actions

slides: https://romhack.io/wp-content/uploads...


GitHub is the most popular hosting platform for open-source projects. GitHub also offers a CI/CD platform called GitHub Actions, and many projects opt to use GitHub Actions for CI/CD because it is free for open-source projects.

However, there is a dark side to GitHub Actions. Simple misconfigurations can lead to devastating supply chain attacks, and even companies like Microsoft, Nvidia, Puppet Labs, and more cannot get a handle on these issues.
In this talk you’ll learn what these misconfigurations are and how to discover them at scale:

Pwn Request and Injection Vulnerabilities
Misconfigured Self-Hosted Runners
Broken Approval Checks via Time-of-Check-Time-of-Use Issues
You will also learn how an attacker can use an arsenal of pipeline post-exploitation and privilege escalation techniques to achieve their objectives:

Post-Compromise Enumeration
‘GITHUB_TOKEN’ Permissions Abuse
GitHub Actions Cache Poisoning
Bypassing Branch Protections by approving and merging an external pull request.
Finally, Adnan will walk through how he detected such a misconfiguration by a major company, gained control of a GitHub Classic Personal Access Token, and proved out impactful post-exploitation scenarios. To conclude, Adnan will cover defensive controls that you can deploy today that will prevent an attacker from achieving their final objective even if they obtain a privileged access token.


https://romhack.io/romhack-conference...