RomHack 2024 - Adnan Khan - The dark side of GitHub Actions

73 views

Cyber Saiyan
Adnan Khan
The dark side of GitHub Actions
slides: romhack.io/wp-...
GitHub is the most popular hosting platform for open-source projects. GitHub also offers a CI/CD platform called GitHub Actions, and many projects opt to use GitHub Actions for CI/CD because it is free for open-source projects.
However, there is a dark side to GitHub Actions. Simple misconfigurations can lead to devastating supply chain attacks, and even companies like Microsoft, Nvidia, Puppet Labs, and more cannot get a handle on these issues.
In this talk you’ll learn what these misconfigurations are and how to discover them at scale:
Pwn Request and Injection Vulnerabilities
Misconfigured Self-Hosted Runners
Broken Approval Checks via Time-of-Check-Time-of-Use Issues
You will also learn how an attacker can use an arsenal of pipeline post-exploitation and privilege escalation techniques to achieve their objectives:
Post-Compromise Enumeration
‘GITHUB_TOKEN’ Permissions Abuse
GitHub Actions Cache Poisoning
Bypassing Branch Protections by approving and merging an external pull request.
Finally, Adnan will walk through how he detected such a misconfiguration by a major company, gained control of a GitHub Classic Personal Access Token, and proved out impactful post-exploitation scenarios. To conclude, Adnan will cover defensive controls that you can deploy today that will prevent an attacker from achieving their final objective even if they obtain a privileged access token.
romhack.io/rom...
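As an added illustration (not part of the talk or of this page), the workflow below shows the shape the defensive controls take for the `pull_request_target` trigger that the "Pwn Request" class is named after: a `GITHUB_TOKEN` reduced to read-only scopes, a checkout of the trusted base branch rather than the fork's head, and untrusted pull-request fields passed to the shell as environment variables rather than inlined expressions. The workflow name, labels and triage logic are assumptions.

```yaml
# Added example, not from the talk: a hardened workflow for handling external PRs.
# pull_request_target runs in the base repository's context, with its secrets and
# a write-capable GITHUB_TOKEN, so it must never execute code from the fork.
name: pr-triage
on:
  pull_request_target:
    types: [opened, edited]

# Control 1: shrink the default GITHUB_TOKEN to what the job actually needs.
# A token leaked from this job cannot push, publish releases or edit workflows.
permissions:
  contents: read
  pull-requests: write   # only to label the PR

jobs:
  triage:
    runs-on: ubuntu-latest   # GitHub-hosted runner; no persistent self-hosted runner exposed to forks
    steps:
      # Control 2: check out the trusted default branch, never the fork's head
      # (github.event.pull_request.head.sha), and do not persist the token in .git.
      # In production, pin the action to a full commit SHA rather than a tag.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.repository.default_branch }}
          persist-credentials: false

      # Control 3: attacker-controlled fields (title, body, branch name) go through
      # env vars instead of being interpolated with ${{ }} into the script body,
      # so the shell receives them as data and never re-parses them as code.
      - name: Label PR by title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          GH_TOKEN: ${{ github.token }}
        run: |
          set -euo pipefail
          case "$PR_TITLE" in
            fix:*|bugfix:*) label=bug ;;
            feat:*)         label=enhancement ;;
            *)              label=needs-triage ;;
          esac
          gh pr edit "$PR_NUMBER" --add-label "$label"
```

The same three controls apply to any workflow that runs on events from forks: the `permissions` block in particular is what keeps a compromised job from turning into the repository-wide impact the talk describes.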
