
boostsecurityio/lotp
Apache License 2.0

[LOTP] Bash (wut ?!) #29

Open tr4l opened 7 months ago

tr4l commented 7 months ago

Bash, but with a twist

Bash in itself is used for executing stuff, so this is somehow a "normal" usage, but with a twist

Configuration files

.bashrc
.initrc

Env variable

BASH_ENV
BASH_FUNC
PROMPT_COMMAND (only interactive, doesn't work)

Documentation

https://www.gnu.org/software/bash/manual/bash.html#Bash-Variables

Github example

name: On issue with debug
on:
  issue_comment:
    types: [created, edited]

jobs:
  command_dispatch:
    name: Debug
    runs-on: ubuntu-latest
    permissions:
      # keep this limited to read permissions for the content only!
      contents: write
    steps:
      - name: Debug
        run: |
          echo "Injectable workflow"

      - name: Debug 2
        run: |
          echo "----------------"
          echo "Nothing: safe workflow"
          echo "----------------"

In this example we can inject a bashrc, as bash is the default shell on the runner. Some runners use the following default command for the shell:

/usr/bin/bash --noprofile --norc -e -o pipefail "/tmp/computed/step.sh"

This example will not run any bashrc or initrc because of the --noprofile and --norc.

However, this will execute the file defined in BASH_ENV, so with a file write + env injection, the second step can be injected without anything visible in that step that indicates an injection.

Additional notes

This is the default on GitHub Actions, so yeah, a lot of potential targets.

tr4l commented 2 months ago

Exactly.

https://slides.com/tr4l/2024#/5/6

On Fri, 30 Aug 2024, 01:26, Adnan Khan @.***> wrote:

Something like this? So it seems like any form of injection where we can pass newlines into the environment file -> RCE on default run steps.

on:
  pull_request:

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: ***@***.***
      - name: Foobar
        run: |
          echo "FOOBAR=$PR_BODY" >> $GITHUB_ENV
        env:
          PR_BODY: ${{ github.event.pull_request.body }}
      - run: |
          echo "Hello"

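Added example (not from this thread or the lotp project) covering both the BASH_ENV mechanism tr4l describes and the `echo "FOOBAR=$PR_BODY" >> $GITHUB_ENV` step quoted above: a small Python script that approximates the runner's GITHUB_ENV parsing, shows how a newline in the naive export becomes a second key, flags keys bash reads at startup, and uses the GitHub-documented heredoc form with a random delimiter so the value stays one variable. The PR body, the file path and the function names are constructed for this example.

```python
import secrets

# Constructed sample PR body: a newline followed by a BASH_ENV= line, the
# shape of injection this thread describes (the path is a placeholder).
SAMPLE_PR_BODY = "Fixes typo\nBASH_ENV=/tmp/PLACEHOLDER_profile.sh"

# Keys named in this thread that bash consults on startup.
RISKY_KEYS = {"BASH_ENV", "PROMPT_COMMAND"}
RISKY_PREFIXES = ("BASH_FUNC_",)

def naive_export(name, value):
    """The pattern quoted in the thread: echo "NAME=$VALUE" >> $GITHUB_ENV."""
    return f"{name}={value}\n"

def heredoc_export(name, value, delimiter=None):
    """GitHub-documented multi-line form; a random delimiter cannot be guessed."""
    delimiter = delimiter or "ghadelim_" + secrets.token_hex(16)
    return f"{name}<<{delimiter}\n{value}\n{delimiter}\n"

def parse_github_env(text):
    """Approximates the runner's GITHUB_ENV parser: per line, whichever of
    '=' or '<<' comes first decides between NAME=VALUE and NAME<<DELIM."""
    env, lines, i = {}, text.split("\n"), 0
    while i < len(lines):
        line = lines[i]
        eq, hd = line.find("="), line.find("<<")
        if eq >= 0 and (hd < 0 or eq < hd):
            env[line[:eq]] = line[eq + 1:]
        elif hd >= 0:
            name, delim = line[:hd], line[hd + 2:]
            body, i = [], i + 1
            while i < len(lines) and lines[i] != delim:
                body.append(lines[i])
                i += 1
            if i == len(lines):
                raise ValueError(f"unterminated heredoc for {name}")
            env[name] = "\n".join(body)
        i += 1
    return env

def risky_keys(env):
    """Names whose presence in GITHUB_ENV a reviewer or CI linter should flag."""
    return sorted(k for k in env
                  if k in RISKY_KEYS or k.startswith(RISKY_PREFIXES))

if __name__ == "__main__":
    for label, export in (("naive", naive_export), ("heredoc", heredoc_export)):
        env = parse_github_env(export("FOOBAR", SAMPLE_PR_BODY))
        print(f"{label}: {env} risky={risky_keys(env)}")
```

With the naive export the parsed file contains a BASH_ENV key; with the heredoc export the whole body, newline included, stays under FOOBAR.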

fproulx-boostsecurity commented 2 months ago

Ref to this article too https://www.sstic.org/media/SSTIC2024/SSTIC-actes/action_man_vs_octocat_github_action_exploitation/SSTIC2024-Article-action_man_vs_octocat_github_action_exploitation-vincent.pdf

Original source https://0xn3va.gitbook.io/cheat-sheets/web-application/command-injection#bash_env https://tttang.com/archive/1450/#toc_0x06-bash_env

fproulx-boostsecurity commented 2 months ago

An actual vuln GHSA https://github.com/espressif/arduino-esp32/security/advisories/GHSA-h52q-xhg2-6jw8

AdnaneKhan commented 2 months ago

An actual vuln GHSA GHSA-h52q-xhg2-6jw8

Hey that’s pretty cool! GHSL has been doing some amazing work reporting issues to OSS projects.

fproulx-boostsecurity commented 1 week ago

More ideas from the TDF CTF https://github.com/boost-rnd/tdf-ctf-cicd?tab=readme-ov-file#chall-3