CI/CD Attacks

CI/CD pipelines are often triggered by untrusted actions such a forked pull requests and new issue submissions for public git repositories. These systems often contain sensitive secrets or run in privileged environments. Attackers may gain an RCE into such systems by submitting crafted payloads that trigger the pipelines. Such vulnerabilities are also known as Poisoned Pipeline Execution (PPE).

Summary

• Tools
• CI/CD Products
  • GitHub Actions
  • Gitlab CI
  • Azure Pipelines (Azure DevOps)
  • Circle CI
  • Drone CI
  • BuildKite
• Hardcoded Secrets Enumeration
• Package Managers and Build Files
• References

Tools

• praetorian-inc/gato - GitHub Self-Hosted Runner Enumeration and Attack Tool
• AdnaneKhan/Gato-X - Fork of Gato - Gato (Github Attack TOolkit) - Extreme Edition
• messypoutine/gravy-overflow - A GitHub Actions Supply Chain CTF / Goat
• xforcered/SCMKit - Source Code Management Attack Toolkit
• synacktiv/octoscan - Octoscan is a static vulnerability scanner for GitHub action workflows.
• synacktiv/gh-hijack-runner - A python script to create a fake GitHub runner and hijack pipeline jobs to leak CI/CD secrets.
• synacktiv/nord-stream - List the secrets stored inside CI/CD environments and extract them by deploying malicious pipelines

References

• Poisoned Pipeline Execution
• DEF CON 25 - Exploiting Continuous Integration (CI) and Automated Build systems - spaceB0x - 2 nov. 2017
• Controlling the Source: Abusing Source Code Management Systems - Brett Hawkins - August 9, 2022
• Fixing Typos and Breaching Microsoft’s Perimeter - John Stawinski IV - April 15, 2024

Share this content