AWS CodeBuild - Kukwepa webhook ya PR isiyoaminika (CodeBreach-style)

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Njia hii ya kushambulia inaonekana wakati workflow ya PR inayokabiliwa hadharani imeunganishwa na mradi wa CodeBuild wenye mamlaka na udhibiti dhaifu wa webhook.

Iwapo mshambuliaji wa nje anaweza kufanya CodeBuild ifanye execute ya pull request yao, kwa kawaida wanaweza kupata utekelezaji wa msimbo wowote ndani ya build (build scripts, dependency hooks, test scripts, n.k.), kisha wakageuke kupata siri, kredenshali za IAM, au kredenshali za source-provider.

Kwanini hili ni hatari

CodeBuild webhook filters zinatathminiwa kwa kutumia pattern za regex (kwa filters zisizo za EVENT). Katika filter ya ACTOR_ACCOUNT_ID, hii inamaanisha pattern dhaifu inaweza kuendana na watumiaji wengi zaidi kuliko ilivyokusudiwa. Ikiwa PR zisizoaminika zinatengenezwa katika project ambayo ina ruhusa zenye mamlaka za AWS role au kredenshali za GitHub, hili linaweza kuwa kompromasi kamili ya supply-chain.

Wiz ilionyesha mnyororo wa vitendo ambapo:

  1. Orodha ya wachezaji wa webhook ilitumia regex isiyo na anchoring.
  2. Mshambuliaji alisajili ID ya GitHub iliyofanana kama superstring ya ID ya kuaminika.
  3. PR mbaya ilisababisha CodeBuild.
  4. Utekelezaji wa msimbo katika build ulitumiwa kuchoma memory na kupata kredenshali/vikomo vya source-provider.

Misconfigurations zinazoruhusu utekelezaji wa msimbo wa PR wa nje

Hizi ni makosa yenye hatari kubwa na jinsi mashambulizi yanavyoabusa kila moja:

  1. EVENT filters allow untrusted triggers
  • Matukio hatari ya kawaida: PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED, PULL_REQUEST_REOPENED.
  • Matukio mengine ambayo yanaweza kuwa hatari ikiwa yameunganishwa na builds zenye mamlaka: PUSH, PULL_REQUEST_CLOSED, PULL_REQUEST_MERGED, RELEASED, PRERELEASED, WORKFLOW_JOB_QUEUED.
  • Mbaya: EVENT="PUSH, PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED" katika project yenye mamlaka.
  • Bora: tumia idhini kupitia comment ya PR na punguza matukio yanayoanzisha builds kwa miradi yenye mamlaka.
  • Abuse: mshambuliaji anafungua/anasasisha PR au anasukuma kwenye tawi wanadoliza, na msimbo wao unatekelezwa ndani ya CodeBuild.
  1. ACTOR_ACCOUNT_ID regex is weak
  • Mbaya: patterns zisizo na anchoring kama 123456|7890123.
  • Bora: anchoring kwa exact-match ^(123456|7890123)$.
  • Abuse: regex inayopitiliza inaruhusu GitHub IDs wasioidhinishwa kupita kwenye allowlists.
  1. Other regex filters are weak or missing
  • HEAD_REF
    • Mbaya: refs/heads/.*
    • Bora: ^refs/heads/main$ (au orodha ya wazi ya tawi zilizoaminika)
  • BASE_REF
    • Mbaya: .*
    • Bora: ^refs/heads/main$
  • FILE_PATH
    • Mbaya: hakuna vizuizi vya path
    • Bora: tomee faili hatari kama ^buildspec\\.yml$, ^\\.github/workflows/.*, (^|/)package(-lock)?\\.json$
  • COMMIT_MESSAGE
    • Mbaya: kuamini alama katika message ya commit kwa match mpana kama trusted
    • Bora: usitumie commit message kama mipaka ya kuaminika kwa utekelezaji wa PR
  • REPOSITORY_NAME / ORGANIZATION_NAME
    • Mbaya: .* katika webhooks za org/global
    • Bora: mechi za repo/org zilizoelezwa tu
  • WORKFLOW_NAME
    • Mbaya: .*
    • Bora: mechi za workflow name tu (au acha kutumia hili kama udhibiti wa uaminifu)
  • Abuse: mshambuliaji anafanya ref/path/message/repo context kukidhi regex mpole na kuanzisha builds.
  1. excludeMatchedPattern is misused
  • Kuweka flag hii kwa njia isiyo sahihi kunaweza kugeuza mantiki iliyokusudiwa.
  • Mbaya: FILE_PATH '^buildspec\\.yml$' na excludeMatchedPattern=false wakati nia ilikuwa kuzuia uhariri wa buildspec.
  • Bora: pattern ile ile na excludeMatchedPattern=true kukataa builds zinazogusa buildspec.yml.
  • Abuse: wataalamu wa ulinzi wanafikiri wanazuia matukio/paths/actors hatari, lakini kwa kweli wanayaruhusu.
  1. Multiple filterGroups create accidental bypasses
  • CodeBuild huthibitisha groups kama OR (kundi moja kupita inatosha).
  • Mbaya: kundi moja kali + kundi la fallback lenye upole (mfano, tu EVENT=PULL_REQUEST_UPDATED).
  • Bora: toa groups za fallback ambazo hazifuatilii vikwazo vya actor/ref/path.
  • Abuse: mshambuliaji anahitaji kukidhi kundi dhaifu tu.
  1. Comment approval gate disabled or too permissive
  • pullRequestBuildPolicy.requiresCommentApproval=DISABLED ni hatari kabisa.
  • Nafasi za waidhinishaji ambazo ni pana kupunguza udhibiti.
  • Mbaya: requiresCommentApproval=DISABLED.
  • Bora: ALL_PULL_REQUESTS au FORK_PULL_REQUESTS na majukumu madogo ya waidhinishaji.
  • Abuse: fork/drive-by PRs zinaendeshwa bila idhini ya maintainer aliyeaminika.
  1. No restrictive branch/path strategy for PR builds
  • Kutokuwepo kwa defense-in-depth kwa HEAD_REF + BASE_REF + FILE_PATH.
  • Mbaya: tu EVENT + ACTOR_ACCOUNT_ID, hakuna vikwazo vya ref/path.
  • Bora: changanya ACTOR_ACCOUNT_ID thabiti + BASE_REF + HEAD_REF + vizuizi vya FILE_PATH.
  • Abuse: mshambuliaji anabadilisha vyanzo vya build (buildspec/CI/dependencies) na kupata uchezaji wa amri yoyote.
  1. Public visibility + status URL exposure
  • URLs za build/checks za hadharani huongeza recon ya mshambuliaji na majaribio ya iterative.
  • Mbaya: projectVisibility=PUBLIC_READ pamoja na logs/config zenye siri katika builds hadharani.
  • Bora: iweka projects binafsi isipokuwa kama kuna sababu zenye nguvu za kibiashara, na sanitize logs/artifacts.
  • Abuse: mshambuliaji anagundua mifumo/myendo ya project, kisha anakalia payloads na majaribio ya kukwepa.

Token leakage from memory

Maandishi ya Wiz yanaelezea kwamba kredenshali za source-provider ziko katika muktadha wa runtime wa build na zinaweza kubauliwa baada ya kompromasi ya build (kwa mfano, kupitia memory dumping), kuruhusu takeover ya repository ikiwa scopes ni pana.

AWS ilitengeneza hardening baada ya uvumbuzi huo, lakini somo kuu linabaki: usimpe utekelezaji wa msimbo wa PR zisizoaminika katika muktadha wa build wenye mamlaka na assume msimbo unaodhibitiwa na mshambuliaji utajaribu wizi wa kredenshali.

Kwa mbinu zaidi za wizi wa kredenshali katika CodeBuild, angalia pia:

AWS Codebuild - Token Leakage

Kupata CodeBuild URLs katika PR za GitHub

Ikiwa CodeBuild inaripoti hali ya commit kurudi GitHub, URL ya build ya CodeBuild kawaida inaonekana katika:

  1. Ukurasa wa PR -> kichupo cha Checks (au mstari wa status katika Conversation/Commits).
  2. Ukurasa wa Commit -> sehemu ya status/checks -> kiungo cha Details.
  3. Orodha ya commits ya PR -> bonyeza context ya check iliyounganishwa na commit.

Kwa miradi ya umma, kiungo hiki kinaweza kufichua metadata/config ya build kwa watumiaji wasiojulikana.

Script: gundua CodeBuild URLs katika PR na jaribu kama zinaonekana kuwa za hadharani ```bash #!/usr/bin/env bash set -euo pipefail

Usage:

./check_pr_codebuild_urls.sh <pr_number>

Requirements: gh, jq, curl

OWNER=“${1:?owner}” REPO=“${2:?repo}” PR=“${3:?pr_number}”

for bin in gh jq curl timeout; do command -v “$bin” >/dev/null || { echo “[!] Missing dependency: $bin” >&2; exit 1; } done

tmp_commits=“$(mktemp)” tmp_urls=“$(mktemp)” trap ‘rm -f “$tmp_commits” “$tmp_urls”’ EXIT

gh_api() { timeout 20s gh api “$@” 2>/dev/null || true }

Get all commit SHAs in the PR (bounded call to avoid hangs)

gh_api “repos/${OWNER}/${REPO}/pulls/${PR}/commits” –paginate –jq ‘.[].sha’ > “$tmp_commits” if [ ! -s “$tmp_commits” ]; then echo “[!] No commits found (or API call timed out/failed).” >&2 exit 1 fi

echo “[*] PR commits:” cat “$tmp_commits” echo

echo “[*] Searching commit statuses/check-runs for CodeBuild URLs…”

while IFS= read -r sha; do [ -z “$sha” ] && continue

Classic commit statuses (target_url)

gh_api “repos/${OWNER}/${REPO}/commits/${sha}/status”
–jq ‘.statuses[]? | .target_url // empty’ 2>/dev/null || true

GitHub Checks API (details_url)

gh_api “repos/${OWNER}/${REPO}/commits/${sha}/check-runs”
–jq ‘.check_runs[]? | .details_url // empty’ 2>/dev/null || true done < “$tmp_commits” | sort -u > “$tmp_urls”

grep -Ei ‘codebuild|codebuild.aws.amazon.com|console.aws.amazon.com/.*/codebuild’ “$tmp_urls” || true

echo echo “[*] Public-access heuristic:” echo “ - If URL redirects to signin.aws.amazon.com -> likely not public“ echo “ - If URL is directly reachable (HTTP 200) without auth redirect -> potentially public“ echo

cb_urls=“$(grep -Ei ‘codebuild|codebuild.aws.amazon.com|console.aws.amazon.com/./codebuild’ “$tmp_urls” || true)“ if [ -z “$cb_urls” ]; then echo “[] No CodeBuild URLs found in PR statuses/check-runs.” exit 0 fi

while IFS= read -r url; do [ -z “$url” ] && continue final_url=“$(timeout 20s curl -4 -sS -L –connect-timeout 5 –max-time 20 -o /dev/null -w ‘%{url_effective}’ “$url” || true)“ code=“$(timeout 20s curl -4 -sS -L –connect-timeout 5 –max-time 20 -o /dev/null -w ‘%{http_code}’ “$url” || true)“

if echo “$final_url” | grep -qi ‘signin.aws.amazon.com’; then verdict=“NOT_PUBLIC_OR_AUTH_REQUIRED” elif [ “$code” = “200” ]; then verdict=“POTENTIALLY_PUBLIC” else verdict=“UNKNOWN_CHECK_MANUALLY” fi

printf ‘%s\t%s\t%s\n’ “$verdict” “$code” “$url” done <<< “$cb_urls”

Imethibitishwa inafanya kazi na:
```bash
bash /tmp/check_pr_codebuild_urls.sh carlospolop codebuild-codebreach-ctf-lab 1

Orodha ya ukaguzi wa haraka

# Enumerate projects
aws codebuild list-projects

# Inspect source/webhook configuration
aws codebuild batch-get-projects --names <project-name>

# Inspect global source credentials configured in account
aws codebuild list-source-credentials

Kagua kila mradi kwa:

  • webhook.filterGroups zinazo jumuisha matukio ya PR.
  • Patterni za ACTOR_ACCOUNT_ID ambazo hazijaweka anchor ^...$.
  • pullRequestBuildPolicy.requiresCommentApproval sawa na DISABLED.
  • Vizuizi vya tawi/na njia za faili vinavyokosekana.
  • serviceRole yenye vibali vya juu.
  • Wigo wa vyeti vya chanzo wenye hatari na utumiaji upya.

Mwongozo wa kuimarisha usalama

  1. Lazimisha idhini ya maoni kwa builds za PR (ALL_PULL_REQUESTS au FORK_PULL_REQUESTS).
  2. Ikiwa unatumia actor allowlists, weka anchors kwa regexes na zihakikishe ziwe sahihi kabisa.
  3. Ongeza vizuizi vya FILE_PATH ili kuepuka uhariri usioaminika wa buildspec.yml na skripti za CI.
  4. Tenganisha builds za release za kuaminika kutoka kwa builds za PR zisizoaminika katika miradi/majukumu tofauti.
  5. Tumia tokeni za source-provider zilizo na udhibiti wa kina na vibali vidogo (pendelea vitambulisho vilivyotengwa vyenye vibali vya chini).
  6. Endelea kukagua filters za webhook na matumizi ya vyeti vya chanzo.

Marejeo

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks