AWS - CodeBuild Upatikanaji Bila Uthibitisho

Reading time: 3 minutes

CodeBuild

Kwa habari zaidi angalia ukurasa huu:

AWS - Codebuild Enum

buildspec.yml

Ikiwa utapata upatikanaji wa kuandika kwenye repository inayojumuisha faili iitwayo buildspec.yml, unaweza backdoor faili hii, ambayo inaelezea commands that are going to be executed ndani ya mradi wa CodeBuild na exfiltrate the secrets, compromise kile kinachofanywa na pia compromise the CodeBuild IAM role credentials.

Kumbuka kwamba hata kama hakuna faili buildspec.yml, lakini unajua Codebuild inatumiwa (au CI/CD tofauti), modifying some legit code ambayo itatekelezwa pia inaweza kukupatia reverse shell kwa mfano.

Kwa taarifa zinazohusiana unaweza angalia ukurasa kuhusu jinsi ya kushambulia Github Actions (sawa na hili):

Abusing Github Actions

Self-hosted GitHub Actions runners in AWS CodeBuild

Kama indicated in the docs, inawezekana kusanidi CodeBuild ili kuendesha self-hosted Github actions wakati workflow inapotekelezwa ndani ya Github repo iliyosanidiwa. Hii inaweza kutambuliwa kwa kukagua configuration ya mradi wa CodeBuild kwa sababu Event type inahitaji kuwa na: WORKFLOW_JOB_QUEUED na katika Github Workflow kwa sababu itachagua self-hosted runner kama ifuatavyo:

runs-on: codebuild-<project-name>-${{ github.run_id }}-${{ github.run_attempt }}

Uhusiano mpya huu kati ya Github Actions na AWS unaunda njia nyingine ya compromise AWS kutoka Github, kwani code katika Github itaendeshwa katika CodeBuild project yenye IAM role imeambatishwa.